Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to have query/panel with conditional alternative queries/panels?

yshen
Communicator
‎01-28-2022 09:05 AM
As follows
if <condition-based-on-token-value> then query_1 else query_2where query_1 and query_2 may be a series of statements producing different sets of data.
 
Given a search query can be embedded in a panel, it might achieve the equivalent results, if there were a way to have conditional panel selection:
if <condition-based-on-token-value> then panel_with_query_1 else panel_with_query_2
(The above idea is inspired by @mmccul)
but I don't know if it's possible to have such panel selection mechanism with Simple XML of Splunk?Or alternatively, if I could control the visibility of a panel based token value, then I might also achieve the panel selection mechanism:
  • define two panels with visibility control by the token value
  • the controls are mutually exclusive, so that only one panel will be shown
I'd appreciate some pointers or examples. (edited) 
 
Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-28-2022 10:36 AM

You should be able to use the depends option on a panel to control whether it is visible or not.  The depends option says the panel is visible if the specified token is defined.  Using conditions to set an un-set tokens will show/hide the panels.

<panel depends="someToken">
  <search>
    ...
  </search>
</panel>
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

yshen
Communicator
‎01-28-2022 01:23 PM

Thanks for the solution!

Here is a minimum working example:

<form>
<label>Select between Current and Forecast Weather</label>
<fieldset submitButton="false">
<input type="radio" id="forecast" token="forecastToken" searchWhenChanged="true">
<label></label>
<choice value="0">Current</choice>
<choice value="1">Forecast</choice>
<default>0</default>
<change>
<condition value="0">
<set token="showCurrent">1</set>
<unset token="showForecast"></unset>
</condition>
<condition value="1">
<set token="showForecast">1</set>
<unset token="showCurrent"></unset>
</condition>
</change>
<initialValue>0</initialValue>
</input>
</fieldset>
<row>
<panel depends="$showCurrent$">
<single>
<title>Weather</title>
<search depends="$showCurrent$">
<query>| makeresults
| eval weather="Current"</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
<panel depends="$showForecast$">
<single>
<title>Weather</title>
<search depends="$showForecast$">
<query>| makeresults
| eval weather="Forecast"</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
</row>
</form>

 
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-28-2022 10:36 AM

You should be able to use the depends option on a panel to control whether it is visible or not.  The depends option says the panel is visible if the specified token is defined.  Using conditions to set an un-set tokens will show/hide the panels.

<panel depends="someToken">
  <search>
    ...
  </search>
</panel>
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

eholz1
Builder
‎10-18-2022 09:44 AM

Hello and I need some help on simple xml and dashboards

I have a token "hide_panel"

I have two panels - one gets an "Off" (panel1) result in the search, the other panel (panel2) gets an "On" result in the search.

I want to show the "On" panel when the dashboard opens, and if a search is run on panel1 - that has ";Off" in the result, hide panel2.

I am not understanding the tags: <progress> I do have a sample that works using a dropdown - but have yet

to understand how to set and unset the token so panel2 shows first, and then hides

My code is like this:

<search>
<query>sourcetype=linux_secure user=* eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UserAction) by Date,host,user | sort - Date
| where 'last(UserAction)' == "Off"</query>
<earliest>-35m@m</earliest>
<latest>now</latest>
<progress>
<condition match="'job.UserAction' == Off">
<!-- unset token="hide_panel"></unset -->
</condition>
<condition match="'job.UserAction' == Off">
<set token="hide_panel">false</set >
</condition>

</progress>

<sampleRatio>1</sampleRatio>
</search>

 

Any suggestions will help,

thanks,

eholz1

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-18-2022 10:34 AM

Based on the code you shared, you probably want the <done> tag.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

eholz1
Builder
‎10-18-2022 10:42 AM

Hello richgalloway,

Thanks are not enough for the help provided by this forum and your replies, I will try the "done" tag.

thanks again,

eholz1

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...