Dashboards & Visualizations

Is it possible to refer to a specific post-process search in you dashboard, by use of a token (input dropdown)?

sreegouthamredd
New Member

Is it possible to refer to a specific post-process search in you dashboard, by use of a token (input dropdown).

For instance, when having two post-process searches from a base search . I want to refer to either one of the post-process search by using a token in my a panel .

This however doesn't seem to work, see example below,

<form>
    <search id="BaseSearchQ">
       <query>SOME Base Search QUERY</query>
    </search>
      <search  base="BaseSearchQ" id="PostProcessQ1">
       <query>SOME Post Process QUERY1</query>
      </search>
      <search  base="BaseSearchQ" id="PostProcessQ2">
       <query>SOME Post Process QUERY2</query>
      </search>

      <row>
       <panel>
         <input type="dropdown" token="selectedtok" searchWhenChanged="true">
           <label>Service Provider</label>
             <choice value="PostProcessQ1">Windows</choice>
            <choice value="PostProcessQ2">Linux</choice>
         </input>
       <single>
        <title>TEST_FOO</title>
         <search base="$selectedOS$">
          <query>VISUALIZATION</query>
         </search>
      </panel>
    </row>
 ...
0 Karma

to4kawa
Ultra Champion
<form>
    <search id="BaseSearchQ">
    <query> 
| makeresults</query>
    </search>
    <search base="BaseSearchQ" id="PostProcessQ1">
    <query> 
| eval test1="1"</query>
    </search>
    <search base="BaseSearchQ" id="PostProcessQ2">
    <query> 
| eval test2="2"</query>
    </search>
    </search>
    <search base="BaseSearchQ" id="PostProcessQ2">
    <query> 
| eval test3="3"</query>
    </search>
    </search>
    <search base="BaseSearchQ" id="PostProcessQ2">
    <query> 
| eval test4="4"</query>
    </search>
    </search>
    <search base="BaseSearchQ" id="PostProcessQ2">
    <query> 
| eval test5="5"</query>
    </search>
    <row>
    <panel>
    <input type="dropdown" token="selectedOS" searchWhenChanged="true">
    <label>Service Provider</label>
    <choice value="PostProcessQ1">Windows</choice>
    <choice value="PostProcessQ2">Linux</choice>
    <choice value="PostProcessQ3">Linux</choice>
    <choice value="PostProcessQ4">Linux</choice>
    <choice value="PostProcessQ5">Linux</choice>
    <change>
    <condition value="PostProcessQ1">
    <set token="tokShowPanelA">true</set>
    <unset token="tokShowPanelB"></unset>
    <unset token="tokShowPanelC"></unset>
    <unset token="tokShowPanelD"></unset>
    <unset token="tokShowPanelE"></unset>
    </condition>
    <condition value="PostProcessQ2">
    <unset token="tokShowPanelA"></unset>
    <set token="tokShowPanelB">true</set>
    <unset token="tokShowPanelC"></unset>
    <unset token="tokShowPanelD"></unset>
    <unset token="tokShowPanelE"></unset>
    </condition>
    <condition value="PostProcessQ3">
    <unset token="tokShowPanelA"></unset>
    <unset token="tokShowPanelB"></unset>
    <set token="tokShowPanelC">true</set>
    <unset token="tokShowPanelD"></unset>
    <unset token="tokShowPanelE"></unset>
    </condition>
    <condition value="PostProcessQ4">
    <unset token="tokShowPanelA"></unset>
    <unset token="tokShowPanelB"></unset>
    <unset token="tokShowPanelC"></unset>
    <set token="tokShowPanelD">true</set>
    <unset token="tokShowPanelE"></unset>
    </condition>
    <condition value="PostProcessQ5">
    <unset token="tokShowPanelA"></unset>
    <unset token="tokShowPanelB"></unset>
    <unset token="tokShowPanelC"></unset>
    <unset token="tokShowPanelD"></unset>
    <set token="tokShowPanelE">true</set>
    </condition>
    </change>
    </input>
    <single depends="$tokShowPanelA$">
    <title>TEST_FOO</title>
    <search base="PostProcessQ1">
    <query>table _time *</query>
    </search>
    </single>
    <single depends="$tokShowPanelB$">
    <title>TEST_FOO</title>
    <search base="PostProcessQ2">
    <query>table _time *</query>
    </search>
    </single>
    <single depends="$tokShowPanelC$">
    <title>TEST_FOO</title>
    <search base="PostProcessQ3">
    <query>table _time *</query>
    </search>
    </single>
    <single depends="$tokShowPanelD$">
    <title>TEST_FOO</title>
    <search base="PostProcessQ4">
    <query>table _time *</query>
    </search>
    </single>
    <single depends="$tokShowPanelE$">
    <title>TEST_FOO</title>
    <search base="PostProcessQ5">
    <query>table _time *</query>
    </search>
    </single>
    </panel>
    </row>
    </form>

five is big. but it works.
Do you need the query optimization?

0 Karma

sreegouthamredd
New Member

This is a the normal approach .. the issue here is , we have about 5 drop-down options and each option will have 5 panels each that needs to refer its own post process search like

P11 , P12 .... P15 - PostProcessQ1
P21 , P22 .... P25 - PostProcessQ2
...
...
P51 , P52 .... P55 - PostProcessQ5

in future we would be adding more drop down options , so it would be tedious to code 5 panels each for every drop-down.

0 Karma

to4kawa
Ultra Champion

You are trying to do it in a panel, but what about linking other dashboards from the dashboard?
At least, you won't have to run multiple queries at startup.
my answer is updated 'five panel ver'. but, do you consider another way?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...