alt text
Hello, I'm trying to two drill-down options for my dashboard and in that one to select the platform and the other one is for the environment.
Let say I have platform A and B and in both of them have environment C, D, and E.
I have written as below but output in dashboard is NULL or no data found.
FYI: For a single option it is working fine and I able to see dashboard with values.
</form>
<panel id="dropdown">
<title>Welcome, $username$!</title>
<input type="dropdown" token="tokPlatform" searchWhenChanged="true">
<label>Select Platform</label>
<default>On-prem</default>
<choice value="index=alarms sourcetype=ommc_alarms APPLICATION=Hadoop OR APPLICATION=*Unix*">On-prem</choice>
<choice value="index=alarms sourcetype=ommc_alarms MANAGER_NAME=*.corporate">Cloud-AWS</choice>
<choice value="Null">Cloud-Azure</choice>
</input>
<input type="dropdown" token="tokEnvironment" searchWhenChanged="true">
<label>Select Environment</label>
<default>Prod</default>
<choice value="$tokPlatform$ MANAGER_NAME=prdehdp* OR MANAGER_NAME=prdplhdpx* OR MANAGER_NAME=prdasdp">Prod</choice>
<choice value="$tokPlatform$ APPLICATION=Hadoop AMONAME=dev*">Dev</choice>
<choice value="$tokPlatform$ APPLICATION=Hadoop AMONAME=QAT*">QAT</choice>
</input>
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<html>
</html>
</panel>
</row>
<row id="row1">
<panel depends="$alwaysHideCSS$">
<html>
<style>
#countTicketPanel{
width:25% !important;
}
#ticketStatusPanel{
width:75% !important;
}
#row1{
border-radius: 6px;
font-family:"Roboto","Droid","Helvetica Neue",Helvetica,Arial,sans-serif;
text-decoration: none;
margin:auto;
background-color: #ea0a8e;
color: #ea0a8e;
padding: 1px 1px 1px 1px;
border-top: 1px solid #CCCCCC;
border-right: 1px solid #333333;
border-bottom: 1px solid #333333;
border-left: 1px solid #CCCCCC;
position:auto;
}
#row2{
border-radius: 6px;
font-family:"Roboto","Droid","Helvetica Neue",Helvetica,Arial,sans-serif;
text-decoration: none;
margin:auto;
background-color: #ea0a8e;
color: #ea0a8e;
padding: 1px 1px 1px 1px;
border-top: 1px solid #CCCCCC;
border-right: 1px solid #333333;
border-bottom: 1px solid #333333;
border-left: 1px solid #CCCCCC;
position:auto;
}
#dropdown{
border-radius: 6px;
font-size: 12px;
font-family:"Roboto","Droid","Helvetica Neue",Helvetica,Arial,sans-serif;
text-decoration: none;
background-color: #ea0a8e;
color: #ea0a8e;
padding: 6px 8px 6px 8px;
border-top: 1px solid #CCCCCC;
border-right: 1px solid #333333;
border-bottom: 1px solid #333333;
border-left: 1px solid #CCCCCC;
margin:auto;
position:auto;
width:800px;
top:0px;
bottom:0px;
margin-left:-400px;
}
#table1 .splunk-table .splunk-paginator{
position: absolute !important;
top: -2px !important;
padding-left: 45% !important;
#table2 .splunk-table .splunk-paginator{
position: absolute !important;
top: -2px !important;
padding-left: 45% !important;
</style>
</html>
</panel>
<panel id="ticketStatusPanel">
<title>HDP INFRA ALERTS CHART</title>
<chart>
<title>ALERTS SEVERITY</title>
<search>
<query> $tokEnvironment$ | eval compound_exp=AMONAME + "#" + NETWORKELEMENTCODE|timechart span=5m count(compound_exp) BY SEVERITY </query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<refresh>5m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisLabelsY.majorUnit">1</option>
<option name="charting.axisTitleY.text">Count</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.minimumNumber">0</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.fieldColors">{"CRITICAL":0xFF0000,"MINOR":0xFF8000, "MAJOR":0xFF8000}</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.placement">bottom</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<drilldown>
<set token="clicked_earliest">$earliest$</set>
<set token="clicked_latest">$latest$</set>
<set token="clicked_group">$click.name2$</set>
</drilldown>
</chart>
</panel>
<panel id="countTicketPanel">
<title>TICKET STATUS CHART</title>
<chart>
<title>Ticket status</title>
<search>
<query> $tokEnvironment$ | eval compound_exp=AMONAME + "#" + NETWORKELEMENTCODE |timechart span=4m count(compound_exp) BY TICKET_STATUS</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="charting.axisLabelsY.majorUnit">1</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.text">Count</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.minimumNumber">0</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.fieldColors">{"Assigned":0xF17BF1,"Working":0xFF8000,"Resolved":0xB3E680}</option>
<option name="charting.legend.placement">bottom</option>
<option name="refresh.display">preview</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">large</option>
<drilldown>
<set token="clicked_earliest">$earliest$</set>
<set token="clicked_latest">$latest$</set>
<set token="clicked_group">$click.name2$</set>
</drilldown>
</chart>
</panel>
</row>
<row id="row2">
<panel depends="$alwaysHideCSS$">
<html>
<style>
#t1{
width:40% !important;
}
#t2{
width:60% !important;
}
</style>
</html>
</panel>
<panel id="t2">
<title>Important alerts by severity ($resultcount$)</title>
<table id="table2">
<search>
<query>$tokEnvironment$ AND TICKET_STATUS!="Closed" AND TICKET_STATUS!= "Resolved" | eval compound_exp=AMONAME + "#" + NETWORKELEMENTCODE | rename TTID as Ticket | table Ticket,MANAGER_NAME,SEVERITY,DESCRIPTION,CREATED_DATE,TICKET_STATUS,UPDATE_DATE | dedup Ticket | sort - SEVERITY desc</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<done>
<eval token="resultcount">$job.resultCount$</eval>
</done>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
<format type="color" field="SEVERITY">
<colorPalette type="map">{"CRITICAL":#DC4E41,"MINOR":#F8BE34,"MAJOR":0xFF8000}</colorPalette>
</format>
</table>
</panel>
<panel id="t1">
<title>OPEN TICKET STATUS ($resultcount1$)</title>
<table id="table1">
<search>
<done>
<eval token="resultcount1">$job.resultCount$</eval>
</done>
<query> $tokEnvironment$ AND TICKET_STATUS!="Closed" AND TICKET_STATUS!= "Resolved" | rename TTID as Ticket | eval ot = strptime(CREATED_DATE, "%Y-%m-%d %H:%M:%S")
| eval ud = strptime(UPDATE_DATE, "%Y-%m-%d %H:%M:%S")
| eval nowstring=strftime(now(), "%Y-%m-%d %H:%M:%S")
| eval open_status(hr)=tostring((now() - ot), "duration" ) | eval lastactionON(hr)=tostring((now() - ud), "duration" )
| table Ticket,TICKET_STATUS,UPDATE_DATE, open_status(hr), lastactionON(hr) | where TICKET_STATUS!= "Resolved" | dedup Ticket</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="color" field="TICKET_STATUS">
<colorPalette type="map">{"Assigned":#DC4E41,"Working":#F8BE34 }</colorPalette>
</format>
</table>
</panel>
</row>
<row>
<panel>
<single>
<title>Ticket Solved</title>
<search>
<query> $tokEnvironment$ AND TICKET_STATUS!="Closed" AND TICKET_STATUS!= "Resolved" | dedup TTID | table TICKET_STATUS | where TICKET_STATUS = "Resolved" | stats count</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="colorMode">block</option>
<option name="drilldown">none</option>
<option name="height">50</option>
<option name="rangeColors">["0x53a051","0xdc4e41"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="useColors">1</option>
</single>
</panel>
</row>
</form>![alt text][1]
@nagarajsf ,
Try changing your second input (environment) as below - setting the second token on the change event
<input type="dropdown" token="tokEnvironment" searchWhenChanged="true">
<label>Select Environment</label>
<default>Prod</default>
<choice value="$tokPlatform$ MANAGER_NAME=prdehdp* OR MANAGER_NAME=prdplhdpx* OR MANAGER_NAME=prdasdp">Prod</choice>
<choice value="$tokPlatform$ APPLICATION=Hadoop AMONAME=dev*">Dev</choice>
<choice value="$tokPlatform$ APPLICATION=Hadoop AMONAME=QAT*">QAT</choice>
<change>
<condition match="$label$=="Prod"">
<set token="tokEnvironment">$tokPlatform$ MANAGER_NAME=prdehdp* OR MANAGER_NAME=prdplhdpx* OR MANAGER_NAME=prdasdp</set>
</condition>
<condition match="$label$=="Dev"">
<set token="tokEnvironment">$tokPlatform$ APPLICATION=Hadoop AMONAME=dev*</set>
</condition>
<condition match="$label$=="QAT"">
<set token="tokEnvironment">$tokPlatform$ APPLICATION=Hadoop AMONAME=QAT*</set>
</condition>
</change>
</input>
@nagarajsf ,
Try changing your second input (environment) as below - setting the second token on the change event
<input type="dropdown" token="tokEnvironment" searchWhenChanged="true">
<label>Select Environment</label>
<default>Prod</default>
<choice value="$tokPlatform$ MANAGER_NAME=prdehdp* OR MANAGER_NAME=prdplhdpx* OR MANAGER_NAME=prdasdp">Prod</choice>
<choice value="$tokPlatform$ APPLICATION=Hadoop AMONAME=dev*">Dev</choice>
<choice value="$tokPlatform$ APPLICATION=Hadoop AMONAME=QAT*">QAT</choice>
<change>
<condition match="$label$=="Prod"">
<set token="tokEnvironment">$tokPlatform$ MANAGER_NAME=prdehdp* OR MANAGER_NAME=prdplhdpx* OR MANAGER_NAME=prdasdp</set>
</condition>
<condition match="$label$=="Dev"">
<set token="tokEnvironment">$tokPlatform$ APPLICATION=Hadoop AMONAME=dev*</set>
</condition>
<condition match="$label$=="QAT"">
<set token="tokEnvironment">$tokPlatform$ APPLICATION=Hadoop AMONAME=QAT*</set>
</condition>
</change>
</input>
Hello @renjith.nair ,
when this token is resolving for the first time creation of dashboard, but it's acting strange if I refresh or some login dashboard, and they check, then it's not resolving as expected.
when I checked in query of the chart, I'm getting query with unsalved token
$tokPlatform$ MANAGER_NAME=prdehdp*
OR MANAGER_NAME=prdplhdpx* OR
MANAGER_NAME=prdasdp | eval
compound_exp=AMONAME + "#" +
NETWORKELEMENTCODE|timechart span=5m
count(compound_exp) BY SEVERITY
@nagarajsf,
Can you rename this token tokEnvironment
to something else ?
<input type="dropdown" token="tokEnvironment" searchWhenChanged="true">
so that it doesn't collide with other in the change event
Hi @renjith.nair,
I have tried with different name but still the same issue. Replaced tokEnvironment
with tokEnvironment1
.
@nagarajsf, it should be done only for the input and not on the change events.
Would you mind sharing the xml you are currently using and also the steps performing when its not working ?Thanks
Same XML I'm using which mentioned in query. when I swapping between different environments and platforms, the dashboard is not working.
and I attached screenshots of activity which I performing on dashboard and it's not working.
@nagarajsf,
Static token dependency is tricky . I am not able to see the screenshots, but try resetting the environment token when you are changing the platform token. By doing this, you will be able to force user to select the environment
<input type="dropdown" token="tokPlatform" searchWhenChanged="true">
<label>Select Platform</label>
<default>On-prem</default>
<choice value="index=alarms sourcetype=ommc_alarms APPLICATION=Hadoop OR APPLICATION=*Unix*">On-prem</choice>
<choice value="index=alarms sourcetype=ommc_alarms MANAGER_NAME=*.corporate.t-mobile.com">Cloud-AWS</choice>
<choice value="Null">Cloud-Azure</choice>
<change>
<condition>
<unset token="tokEnvironment"></unset>
<unset token="form.tokEnvironment"></unset>
</condition>
</change>
</input>
<input type="dropdown" token="tokEnvironment" searchWhenChanged="true">
<label>Select Environment</label>
<choice value="$tokPlatform$ MANAGER_NAME=prdehdp* OR MANAGER_NAME=prdplhdpx* OR MANAGER_NAME=prdasdp">Prod</choice>
<choice value="$tokPlatform$ APPLICATION=Hadoop AMONAME=dev*">Dev</choice>
<choice value="$tokPlatform$ APPLICATION=Hadoop AMONAME=QAT*">QAT</choice>
<change>
<condition match="$label$=="Prod"">
<set token="tokEnvironment">$tokPlatform$ MANAGER_NAME=prdehdp* OR MANAGER_NAME=prdplhdpx* OR MANAGER_NAME=prdasdp</set>
</condition>
<condition match="$label$=="Dev"">
<set token="tokEnvironment">$tokPlatform$ APPLICATION=Hadoop AMONAME=dev*</set>
</condition>
<condition match="$label$=="QAT"">
<set token="tokEnvironment">$tokPlatform$ APPLICATION=Hadoop AMONAME=QAT*</set>
</condition>
</change>
</input>
Another method is to bring the actual search queries to the panels from inputs and keep only the variable part in the inputs.
For e.g. index=alarms sourcetype=ommc_alarms
will be part of actual panels and substitute the rest of your search based on envs.
Suggest you to revisit the whole XML. In the current scenario, if you select On-prem
and dev
, your resulted search will be
index=alarms sourcetype=ommc_alarms APPLICATION=Hadoop OR APPLICATION=*Unix*" APPLICATION=Hadoop AMONAME=dev*
without the proper search term precedence, you might end up in wrong results.
Thank you, it's working now as I expected.
Hi @renjith.nair ,
In same XML
code, this time I do see that token is resolving in search but it's not showing any data in graph or
table of the dashboard, if the same query I run in the search its throwing result.
Any suggestions?
@nagarajsf,
Most probably its due to the extracted fields which are not available in the post process search. Try adding |fields <your field list>
to your base search
@nagarajsf,
In the xml, you are using a dropdown. What do you mean by multiple options ? Are you trying to use a multiselect instead of dropdown? If that's the case you might need to check the delimiter and how its formulating the search.
Also, is your search really starts with "Prod AND TICKET_STATUS!="Closed ...."
without any index, sourcetype specification ?
And also in given XML file, the token $tokEnvironment$
is not resolving when check-in dashboard query lookup.
Hi @renjith.nair,
let say if I select On-prem
in first dropdown, then in second dropdown, I could see any of the Prd, Dev, QAT
.
base search starting with index=alarms sourcetype=ommc_alarms APPLICATION=Hadoop OR APPLICATION=*Unix*
and I passing it as token $tokPlatform$
in all other places in XML.
$tokPlatform$ -- > index=alarms sourcetype=ommc_alarms APPLICATION=Hadoop OR APPLICATION=*Unix*
$tokEnvironment$ --> $tokPlatform$ MANAGER_NAME=prdehdp* OR MANAGER_NAME=prdplhdpx* OR MANAGER_NAME=prdasdp