How to use tokens with dropdown menu for two diffe...

zshainsky · ‎07-25-2014

Intro: My ultimate goal is to create a drop down menu in a dashboard that supports two different searches depending on which one is selected. The two searches are both sub searches that look for names that are in one list but not in the other and returns a table of those names.

EXAMPLE: I am looking for names of people in the East region that are in Source1 that are not in Source2. Source1 has more names than Source 2. Name_ID is a common field shared in both Source1 and Source2.

index=name source=Source1 Region="East" NOT [search index=name source=Source2 | fields + Name_ID]| table Name_ID

If Source2 had more names than Source1 the search would need to look like this:

index=name source=Source2 Region="East" NOT [search index=name source=Source1 | fields + Name_ID]| table Name_ID

Root Issue:
This all works great if Source1 and Source2 are hard coded in the "values" field of the drop down, but I am entering the values for Source1 and Source2 in a text field which are accessed through token values. Anything entered in the "values" field is passed as a string. This means that $token1$ is passed as "$token1$".

Questions

How can I use tokens from a textfield on a dashboard to give the user the option to chose between the two searches shown above?
If question 1 isn't possible, it would be very cool to eliminate all need for the drop down if I could write a search to compare which source had more names and allow Splunk to choose which search to use. Any suggestions?

somesoni2 · ‎07-25-2014

Try this as your search (assuming the Source1 is $Source1$ and Source2 is $Source2$ token from text boxes)

[search index=name source="$Source1$" OR source="$Source2$" | chart count over index by source | eval search=if('$Source1$' > '$Source2$', "index=name source="$Source1$" Region=\"East\" NOT [search index=name source="$Source2$" | fields + Name_ID]| table Name_ID", "index=name source="$Source2$" Region=\"East\" NOT [search index=name source="$Source1$" | fields + Name_ID]| table Name_ID") | table search ]| table Name_ID

zshainsky · ‎07-25-2014

<form> <label>Enterprise Sandbox</label> <fieldset submitButton="false"> <input type="text" token="Source1" searchWhenChanged="true"> <default>Source1</default> </input> <input type="text" token="Source2" searchWhenChanged="true"> <default>Source2</default> </input> </fieldset> <row> <panel> <chart> <searchString>[search index=Name source="$Source1$" OR source="$Source2$"| chart count over index by source | eval search=if('$Source1$' > '$Source2$', "index=Name source=\"$Source1$\" Sales_District=\"East\" NOT [search index=Name source=\"$Source2$\" | fields + Name_ID]| table Name_ID", "index=Name source=\"$Source2$\" Sales_District=\"East\" NOT [search index=Name source=\"$Source1$\" | fields + Name_ID]| table Name_ID")| table search ]| table Name_ID</searchString> <earliestTime>0</earliestTime> <latestTime/> <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.axisX.scale">linear</option> <option name="charting.axisY.scale">linear</option> <option name="charting.axisY2.enabled">false</option> <option name="charting.axisY2.scale">inherit</option> <option name="charting.chart">column</option> <option name="charting.chart.nullValueMode">gaps</option> <option name="charting.chart.sliceCollapsingThreshold">0.01</option> <option name="charting.chart.stackMode">default</option> <option name="charting.chart.style">shiny</option> <option name="charting.drilldown">all</option> <option name="charting.layout.splitSeries">0</option> <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option> <option name="charting.legend.placement">right</option> </chart> </panel> </row> </form>

somesoni2 · ‎07-25-2014

Can you provide your dashboard xml?

zshainsky · ‎07-25-2014

I have this search working great with out the beginning search command:

index=name source="$Source1$" OR source="$Source2$"| chart count over index by source | eval search=if('$Source1$' > '$Source2$', "index=name source=\"$Source1$\" Sales_District=\"East\" NOT [search index=name source=\"$Source2$\" | fields + Name_ID]| table Name_ID", "index=name source=\"$Source2$\" Sales_District=\"East\" NOT [search index=name source=\"$Source1$\" | fields + Name_ID]| table Name_ID")

I get no result when I add the [search index=name … | table search ]. Not sure why it won't execute that query.

somesoni2 · ‎07-25-2014

My bad, that was my local indexes I used to test the search. I have updated the search to remove those.

The whole string from "[ search index=name..." to "...| table search]" generates the search string you want to run conditionally. Paste the whole thing in the place when you want to run the query to get Name_ID.

If possible provide your dashboard code so that I can tell which exact point it should go.

zshainsky · ‎07-25-2014

Thank you for your quick response!

Could you please explain what the index=clm_transactions and | chart count over index by loggingAppId are used for. I haven't been able to find them by searching google and when I take out everything after the first search I get no results found back.

I have been able to get the resultant string from my if statement after changing the conditional values to something I know will work for testing purposes. How do I then run the resulting string from the if statement through a search?

How to use tokens with dropdown menu for two different subsearches?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!