Dashboards & Visualizations

Is it possible to refer to a specific post-process search in you dashboard, by use of a token (input dropdown)?

sreegouthamredd
New Member

Is it possible to refer to a specific post-process search in you dashboard, by use of a token (input dropdown).

For instance, when having two post-process searches from a base search . I want to refer to either one of the post-process search by using a token in my a panel .

This however doesn't seem to work, see example below,

<form>
    <search id="BaseSearchQ">
       <query>SOME Base Search QUERY</query>
    </search>
      <search  base="BaseSearchQ" id="PostProcessQ1">
       <query>SOME Post Process QUERY1</query>
      </search>
      <search  base="BaseSearchQ" id="PostProcessQ2">
       <query>SOME Post Process QUERY2</query>
      </search>

      <row>
       <panel>
         <input type="dropdown" token="selectedtok" searchWhenChanged="true">
           <label>Service Provider</label>
             <choice value="PostProcessQ1">Windows</choice>
            <choice value="PostProcessQ2">Linux</choice>
         </input>
       <single>
        <title>TEST_FOO</title>
         <search base="$selectedOS$">
          <query>VISUALIZATION</query>
         </search>
      </panel>
    </row>
 ...
0 Karma

to4kawa
Ultra Champion
<form>
    <search id="BaseSearchQ">
    <query> 
| makeresults</query>
    </search>
    <search base="BaseSearchQ" id="PostProcessQ1">
    <query> 
| eval test1="1"</query>
    </search>
    <search base="BaseSearchQ" id="PostProcessQ2">
    <query> 
| eval test2="2"</query>
    </search>
    </search>
    <search base="BaseSearchQ" id="PostProcessQ2">
    <query> 
| eval test3="3"</query>
    </search>
    </search>
    <search base="BaseSearchQ" id="PostProcessQ2">
    <query> 
| eval test4="4"</query>
    </search>
    </search>
    <search base="BaseSearchQ" id="PostProcessQ2">
    <query> 
| eval test5="5"</query>
    </search>
    <row>
    <panel>
    <input type="dropdown" token="selectedOS" searchWhenChanged="true">
    <label>Service Provider</label>
    <choice value="PostProcessQ1">Windows</choice>
    <choice value="PostProcessQ2">Linux</choice>
    <choice value="PostProcessQ3">Linux</choice>
    <choice value="PostProcessQ4">Linux</choice>
    <choice value="PostProcessQ5">Linux</choice>
    <change>
    <condition value="PostProcessQ1">
    <set token="tokShowPanelA">true</set>
    <unset token="tokShowPanelB"></unset>
    <unset token="tokShowPanelC"></unset>
    <unset token="tokShowPanelD"></unset>
    <unset token="tokShowPanelE"></unset>
    </condition>
    <condition value="PostProcessQ2">
    <unset token="tokShowPanelA"></unset>
    <set token="tokShowPanelB">true</set>
    <unset token="tokShowPanelC"></unset>
    <unset token="tokShowPanelD"></unset>
    <unset token="tokShowPanelE"></unset>
    </condition>
    <condition value="PostProcessQ3">
    <unset token="tokShowPanelA"></unset>
    <unset token="tokShowPanelB"></unset>
    <set token="tokShowPanelC">true</set>
    <unset token="tokShowPanelD"></unset>
    <unset token="tokShowPanelE"></unset>
    </condition>
    <condition value="PostProcessQ4">
    <unset token="tokShowPanelA"></unset>
    <unset token="tokShowPanelB"></unset>
    <unset token="tokShowPanelC"></unset>
    <set token="tokShowPanelD">true</set>
    <unset token="tokShowPanelE"></unset>
    </condition>
    <condition value="PostProcessQ5">
    <unset token="tokShowPanelA"></unset>
    <unset token="tokShowPanelB"></unset>
    <unset token="tokShowPanelC"></unset>
    <unset token="tokShowPanelD"></unset>
    <set token="tokShowPanelE">true</set>
    </condition>
    </change>
    </input>
    <single depends="$tokShowPanelA$">
    <title>TEST_FOO</title>
    <search base="PostProcessQ1">
    <query>table _time *</query>
    </search>
    </single>
    <single depends="$tokShowPanelB$">
    <title>TEST_FOO</title>
    <search base="PostProcessQ2">
    <query>table _time *</query>
    </search>
    </single>
    <single depends="$tokShowPanelC$">
    <title>TEST_FOO</title>
    <search base="PostProcessQ3">
    <query>table _time *</query>
    </search>
    </single>
    <single depends="$tokShowPanelD$">
    <title>TEST_FOO</title>
    <search base="PostProcessQ4">
    <query>table _time *</query>
    </search>
    </single>
    <single depends="$tokShowPanelE$">
    <title>TEST_FOO</title>
    <search base="PostProcessQ5">
    <query>table _time *</query>
    </search>
    </single>
    </panel>
    </row>
    </form>

five is big. but it works.
Do you need the query optimization?

0 Karma

sreegouthamredd
New Member

This is a the normal approach .. the issue here is , we have about 5 drop-down options and each option will have 5 panels each that needs to refer its own post process search like

P11 , P12 .... P15 - PostProcessQ1
P21 , P22 .... P25 - PostProcessQ2
...
...
P51 , P52 .... P55 - PostProcessQ5

in future we would be adding more drop down options , so it would be tedious to code 5 panels each for every drop-down.

0 Karma

to4kawa
Ultra Champion

You are trying to do it in a panel, but what about linking other dashboards from the dashboard?
At least, you won't have to run multiple queries at startup.
my answer is updated 'five panel ver'. but, do you consider another way?

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...