Dashboards & Visualizations

Is it possible to refer to a specific post-process search in you dashboard, by use of a token (input dropdown)?

sreegouthamredd
New Member

Is it possible to refer to a specific post-process search in you dashboard, by use of a token (input dropdown).

For instance, when having two post-process searches from a base search . I want to refer to either one of the post-process search by using a token in my a panel .

This however doesn't seem to work, see example below,

<form>
    <search id="BaseSearchQ">
       <query>SOME Base Search QUERY</query>
    </search>
      <search  base="BaseSearchQ" id="PostProcessQ1">
       <query>SOME Post Process QUERY1</query>
      </search>
      <search  base="BaseSearchQ" id="PostProcessQ2">
       <query>SOME Post Process QUERY2</query>
      </search>

      <row>
       <panel>
         <input type="dropdown" token="selectedtok" searchWhenChanged="true">
           <label>Service Provider</label>
             <choice value="PostProcessQ1">Windows</choice>
            <choice value="PostProcessQ2">Linux</choice>
         </input>
       <single>
        <title>TEST_FOO</title>
         <search base="$selectedOS$">
          <query>VISUALIZATION</query>
         </search>
      </panel>
    </row>
 ...
0 Karma

to4kawa
Ultra Champion
<form>
    <search id="BaseSearchQ">
    <query> 
| makeresults</query>
    </search>
    <search base="BaseSearchQ" id="PostProcessQ1">
    <query> 
| eval test1="1"</query>
    </search>
    <search base="BaseSearchQ" id="PostProcessQ2">
    <query> 
| eval test2="2"</query>
    </search>
    </search>
    <search base="BaseSearchQ" id="PostProcessQ2">
    <query> 
| eval test3="3"</query>
    </search>
    </search>
    <search base="BaseSearchQ" id="PostProcessQ2">
    <query> 
| eval test4="4"</query>
    </search>
    </search>
    <search base="BaseSearchQ" id="PostProcessQ2">
    <query> 
| eval test5="5"</query>
    </search>
    <row>
    <panel>
    <input type="dropdown" token="selectedOS" searchWhenChanged="true">
    <label>Service Provider</label>
    <choice value="PostProcessQ1">Windows</choice>
    <choice value="PostProcessQ2">Linux</choice>
    <choice value="PostProcessQ3">Linux</choice>
    <choice value="PostProcessQ4">Linux</choice>
    <choice value="PostProcessQ5">Linux</choice>
    <change>
    <condition value="PostProcessQ1">
    <set token="tokShowPanelA">true</set>
    <unset token="tokShowPanelB"></unset>
    <unset token="tokShowPanelC"></unset>
    <unset token="tokShowPanelD"></unset>
    <unset token="tokShowPanelE"></unset>
    </condition>
    <condition value="PostProcessQ2">
    <unset token="tokShowPanelA"></unset>
    <set token="tokShowPanelB">true</set>
    <unset token="tokShowPanelC"></unset>
    <unset token="tokShowPanelD"></unset>
    <unset token="tokShowPanelE"></unset>
    </condition>
    <condition value="PostProcessQ3">
    <unset token="tokShowPanelA"></unset>
    <unset token="tokShowPanelB"></unset>
    <set token="tokShowPanelC">true</set>
    <unset token="tokShowPanelD"></unset>
    <unset token="tokShowPanelE"></unset>
    </condition>
    <condition value="PostProcessQ4">
    <unset token="tokShowPanelA"></unset>
    <unset token="tokShowPanelB"></unset>
    <unset token="tokShowPanelC"></unset>
    <set token="tokShowPanelD">true</set>
    <unset token="tokShowPanelE"></unset>
    </condition>
    <condition value="PostProcessQ5">
    <unset token="tokShowPanelA"></unset>
    <unset token="tokShowPanelB"></unset>
    <unset token="tokShowPanelC"></unset>
    <unset token="tokShowPanelD"></unset>
    <set token="tokShowPanelE">true</set>
    </condition>
    </change>
    </input>
    <single depends="$tokShowPanelA$">
    <title>TEST_FOO</title>
    <search base="PostProcessQ1">
    <query>table _time *</query>
    </search>
    </single>
    <single depends="$tokShowPanelB$">
    <title>TEST_FOO</title>
    <search base="PostProcessQ2">
    <query>table _time *</query>
    </search>
    </single>
    <single depends="$tokShowPanelC$">
    <title>TEST_FOO</title>
    <search base="PostProcessQ3">
    <query>table _time *</query>
    </search>
    </single>
    <single depends="$tokShowPanelD$">
    <title>TEST_FOO</title>
    <search base="PostProcessQ4">
    <query>table _time *</query>
    </search>
    </single>
    <single depends="$tokShowPanelE$">
    <title>TEST_FOO</title>
    <search base="PostProcessQ5">
    <query>table _time *</query>
    </search>
    </single>
    </panel>
    </row>
    </form>

five is big. but it works.
Do you need the query optimization?

0 Karma

sreegouthamredd
New Member

This is a the normal approach .. the issue here is , we have about 5 drop-down options and each option will have 5 panels each that needs to refer its own post process search like

P11 , P12 .... P15 - PostProcessQ1
P21 , P22 .... P25 - PostProcessQ2
...
...
P51 , P52 .... P55 - PostProcessQ5

in future we would be adding more drop down options , so it would be tedious to code 5 panels each for every drop-down.

0 Karma

to4kawa
Ultra Champion

You are trying to do it in a panel, but what about linking other dashboards from the dashboard?
At least, you won't have to run multiple queries at startup.
my answer is updated 'five panel ver'. but, do you consider another way?

0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...