Dashboards & Visualizations

Is it possible to refer to a specific post-process search in you dashboard, by use of a token (input dropdown)?

sreegouthamredd
New Member

Is it possible to refer to a specific post-process search in you dashboard, by use of a token (input dropdown).

For instance, when having two post-process searches from a base search . I want to refer to either one of the post-process search by using a token in my a panel .

This however doesn't seem to work, see example below,

<form>
    <search id="BaseSearchQ">
       <query>SOME Base Search QUERY</query>
    </search>
      <search  base="BaseSearchQ" id="PostProcessQ1">
       <query>SOME Post Process QUERY1</query>
      </search>
      <search  base="BaseSearchQ" id="PostProcessQ2">
       <query>SOME Post Process QUERY2</query>
      </search>

      <row>
       <panel>
         <input type="dropdown" token="selectedtok" searchWhenChanged="true">
           <label>Service Provider</label>
             <choice value="PostProcessQ1">Windows</choice>
            <choice value="PostProcessQ2">Linux</choice>
         </input>
       <single>
        <title>TEST_FOO</title>
         <search base="$selectedOS$">
          <query>VISUALIZATION</query>
         </search>
      </panel>
    </row>
 ...
0 Karma

to4kawa
SplunkTrust
SplunkTrust
<form>
    <search id="BaseSearchQ">
    <query> 
| makeresults</query>
    </search>
    <search base="BaseSearchQ" id="PostProcessQ1">
    <query> 
| eval test1="1"</query>
    </search>
    <search base="BaseSearchQ" id="PostProcessQ2">
    <query> 
| eval test2="2"</query>
    </search>
    </search>
    <search base="BaseSearchQ" id="PostProcessQ2">
    <query> 
| eval test3="3"</query>
    </search>
    </search>
    <search base="BaseSearchQ" id="PostProcessQ2">
    <query> 
| eval test4="4"</query>
    </search>
    </search>
    <search base="BaseSearchQ" id="PostProcessQ2">
    <query> 
| eval test5="5"</query>
    </search>
    <row>
    <panel>
    <input type="dropdown" token="selectedOS" searchWhenChanged="true">
    <label>Service Provider</label>
    <choice value="PostProcessQ1">Windows</choice>
    <choice value="PostProcessQ2">Linux</choice>
    <choice value="PostProcessQ3">Linux</choice>
    <choice value="PostProcessQ4">Linux</choice>
    <choice value="PostProcessQ5">Linux</choice>
    <change>
    <condition value="PostProcessQ1">
    <set token="tokShowPanelA">true</set>
    <unset token="tokShowPanelB"></unset>
    <unset token="tokShowPanelC"></unset>
    <unset token="tokShowPanelD"></unset>
    <unset token="tokShowPanelE"></unset>
    </condition>
    <condition value="PostProcessQ2">
    <unset token="tokShowPanelA"></unset>
    <set token="tokShowPanelB">true</set>
    <unset token="tokShowPanelC"></unset>
    <unset token="tokShowPanelD"></unset>
    <unset token="tokShowPanelE"></unset>
    </condition>
    <condition value="PostProcessQ3">
    <unset token="tokShowPanelA"></unset>
    <unset token="tokShowPanelB"></unset>
    <set token="tokShowPanelC">true</set>
    <unset token="tokShowPanelD"></unset>
    <unset token="tokShowPanelE"></unset>
    </condition>
    <condition value="PostProcessQ4">
    <unset token="tokShowPanelA"></unset>
    <unset token="tokShowPanelB"></unset>
    <unset token="tokShowPanelC"></unset>
    <set token="tokShowPanelD">true</set>
    <unset token="tokShowPanelE"></unset>
    </condition>
    <condition value="PostProcessQ5">
    <unset token="tokShowPanelA"></unset>
    <unset token="tokShowPanelB"></unset>
    <unset token="tokShowPanelC"></unset>
    <unset token="tokShowPanelD"></unset>
    <set token="tokShowPanelE">true</set>
    </condition>
    </change>
    </input>
    <single depends="$tokShowPanelA$">
    <title>TEST_FOO</title>
    <search base="PostProcessQ1">
    <query>table _time *</query>
    </search>
    </single>
    <single depends="$tokShowPanelB$">
    <title>TEST_FOO</title>
    <search base="PostProcessQ2">
    <query>table _time *</query>
    </search>
    </single>
    <single depends="$tokShowPanelC$">
    <title>TEST_FOO</title>
    <search base="PostProcessQ3">
    <query>table _time *</query>
    </search>
    </single>
    <single depends="$tokShowPanelD$">
    <title>TEST_FOO</title>
    <search base="PostProcessQ4">
    <query>table _time *</query>
    </search>
    </single>
    <single depends="$tokShowPanelE$">
    <title>TEST_FOO</title>
    <search base="PostProcessQ5">
    <query>table _time *</query>
    </search>
    </single>
    </panel>
    </row>
    </form>

five is big. but it works.
Do you need the query optimization?

0 Karma

sreegouthamredd
New Member

This is a the normal approach .. the issue here is , we have about 5 drop-down options and each option will have 5 panels each that needs to refer its own post process search like

P11 , P12 .... P15 - PostProcessQ1
P21 , P22 .... P25 - PostProcessQ2
...
...
P51 , P52 .... P55 - PostProcessQ5

in future we would be adding more drop down options , so it would be tedious to code 5 panels each for every drop-down.

0 Karma

to4kawa
SplunkTrust
SplunkTrust

You are trying to do it in a panel, but what about linking other dashboards from the dashboard?
At least, you won't have to run multiple queries at startup.
my answer is updated 'five panel ver'. but, do you consider another way?

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!