Dashboards & Visualizations

Run two saved searches from one dropdown

timrich66
Communicator

Hi All,

I currently have a dashboard that is used to review batch run times.  It allows the user to use a dropdown to select and view the run times for each task within the batch process.  I have subsequently been asked to add the option to view total batch time taken.  To do this requires a different search to that used for the individual batch jobs.

I have been able to use saved searches to achieve this.

However, the original dashboard dropdown was linked to two searches which used the task name to produce a table and a timechart.  

My question is, can this be done with saved searches?  As far as I can see, the dropdown only allows a link to one saved search.

As always, any assistance is gratefully received.

Labels (3)
Tags (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Something like this

<input type="dropdown" token="report" searchWhenChanged="true">
<label>Batch Task</label>
<choice value="roylink_task_times task=Roylink_IAF">Roylink IAF</choice>
<choice value="roylink_task_times task=Roylink_FE">Roylink FE</choice>
<choice value="roylink_task_times task=Roylink_Upload">Roylink Upload</choice>
<choice value="roylink_task_times task=*">All</choice>
<choice value="roylink_total_time">Total</choice>
<change>
<condition value="roylink_task_times task=Roylink_IAF">
<set token="otherreport">other report value for IAF</set>
</condition>
<condition value="roylink_task_times task=Roylink_FE">
<set token="otherreport">other report value for FE</set>
</condition>
</change>
</input>

Then use $otherreport$ token for your other saved search

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

The dropdown has a change handler so you could set more than one token based on the selection made.

0 Karma

timrich66
Communicator

Hi @ITWhisperer could you expand on that please?  Or point me to documentation.  Thank you

0 Karma

timrich66
Communicator

@ITWhisperer Apologies, I still don't understand and may not have explained myself properly.

This is my original code - 

<row>
<panel>
<title>Historical data</title>
<input type="dropdown" token="field1">
<label>Time Period</label>
<default>-7d@d</default>
<choice value="-7d@d">Last 7 days</choice>
<choice value="-14d@d">Last 14 days</choice>
<choice value="-30d@d">Last 30 days</choice>
<choice value="-90d@d">Last 90 days</choice>
<initialValue>-7d@d</initialValue>
</input>
<input type="dropdown" token="task" searchWhenChanged="true">
<label>Batch Task</label>
<choice value="Roylink_IAF">Roylink IAF</choice>
<choice value="Roylink_FE">Roylink FE</choice>
<choice value="Roylink_Upload">Roylink Upload</choice>
<choice value="*">All</choice>
</input>
<table>
<search>
<query>index=sr_prd sourcetype=batch_roylink earliest=$field1$
| eval s=strptime(Scheduled_Batch_StartTime, "%Y-%m-%d %H:%M:%S.%Q")
| eval e=strptime(Scheduled_Batch_Endtime, "%Y-%m-%d %H:%M:%S.%Q")
| eval s=round(s,2)
| eval e=round(e,2)
| eval r=tostring(e-s, "duration")
| rename "Scheduled_Batch_StartTime" as "Start Time", "Scheduled_Batch_Endtime" as "End Time", r as "Runtime (H:M:S)"
| stats list("Start Time") as "Start Time",list("End Time") as "End Time", list("Runtime (H:M:S)") as "Runtime (H:M:S)" by Task_Object
| search Task_Object = $task$</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
chart options removed to save space
</table>
</panel>
</row>
<row>
<panel>
<chart>
<search>
<query>index=sr_prd sourcetype=batch_roylink earliest=$field1$
| mvexpand Task_Object
| search Task_Object= $task$
| eval s=strptime(Scheduled_Batch_StartTime, "%Y-%m-%d %H:%M:%S.%Q")
| eval e=strptime(Scheduled_Batch_Endtime, "%Y-%m-%d %H:%M:%S.%Q")
| eval r=round(e - s,3)
| timechart span=1d values(r) as "Runtime (seconds)" by Task_Object</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
chart options removed to save space
</chart>
</panel>
</row>

 

This is what I have so far for the updated dashboard - 

<row>
<panel>
<title>Historical data</title>
<input type="time" token="field1">
<label>Time Period</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="report" searchWhenChanged="true">
<label>Batch Task</label>
<choice value="roylink_task_times task=Roylink_IAF">Roylink IAF</choice>
<choice value="roylink_task_times task=Roylink_FE">Roylink FE</choice>
<choice value="roylink_task_times task=Roylink_Upload">Roylink Upload</choice>
<choice value="roylink_task_times task=*">All</choice>
<choice value="roylink_total_time">Total</choice>
</input>
<table>
<search>
<query>| savedsearch $report$</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
chart options removed to save space
</table>
</panel>
</row>
<row>
<panel>
<chart>
<search>
<query>| savedsearch $what goes here?$</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>

charting options removed to save space

</chart>
</panel>
</row>

 

As you can see, the second chart needs a different search to produce the timechart.  Originally, I could use the $task$ variable as this was common between searches.  With the update, I need to call a different search and specify the task appropriate to the choice from the dropdown.

Thanks for your patience.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Something like this

<input type="dropdown" token="report" searchWhenChanged="true">
<label>Batch Task</label>
<choice value="roylink_task_times task=Roylink_IAF">Roylink IAF</choice>
<choice value="roylink_task_times task=Roylink_FE">Roylink FE</choice>
<choice value="roylink_task_times task=Roylink_Upload">Roylink Upload</choice>
<choice value="roylink_task_times task=*">All</choice>
<choice value="roylink_total_time">Total</choice>
<change>
<condition value="roylink_task_times task=Roylink_IAF">
<set token="otherreport">other report value for IAF</set>
</condition>
<condition value="roylink_task_times task=Roylink_FE">
<set token="otherreport">other report value for FE</set>
</condition>
</change>
</input>

Then use $otherreport$ token for your other saved search

timrich66
Communicator

Thank you.  I had started to use the <change> parameter, but your answer gave me all I needed to complete.

 

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...