Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Run two saved searches from one dropdown
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I currently have a dashboard that is used to review batch run times. It allows the user to use a dropdown to select and view the run times for each task within the batch process. I have subsequently been asked to add the option to view total batch time taken. To do this requires a different search to that used for the individual batch jobs.
I have been able to use saved searches to achieve this.
However, the original dashboard dropdown was linked to two searches which used the task name to produce a table and a timechart.
My question is, can this be done with saved searches? As far as I can see, the dropdown only allows a link to one saved search.
As always, any assistance is gratefully received.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Something like this
<input type="dropdown" token="report" searchWhenChanged="true">
<label>Batch Task</label>
<choice value="roylink_task_times task=Roylink_IAF">Roylink IAF</choice>
<choice value="roylink_task_times task=Roylink_FE">Roylink FE</choice>
<choice value="roylink_task_times task=Roylink_Upload">Roylink Upload</choice>
<choice value="roylink_task_times task=*">All</choice>
<choice value="roylink_total_time">Total</choice>
<change>
<condition value="roylink_task_times task=Roylink_IAF">
<set token="otherreport">other report value for IAF</set>
</condition>
<condition value="roylink_task_times task=Roylink_FE">
<set token="otherreport">other report value for FE</set>
</condition>
</change>
</input>Then use $otherreport$ token for your other saved search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The dropdown has a change handler so you could set more than one token based on the selection made.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ITWhisperer could you expand on that please? Or point me to documentation. Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ITWhisperer Apologies, I still don't understand and may not have explained myself properly.
This is my original code -
<row>
<panel>
<title>Historical data</title>
<input type="dropdown" token="field1">
<label>Time Period</label>
<default>-7d@d</default>
<choice value="-7d@d">Last 7 days</choice>
<choice value="-14d@d">Last 14 days</choice>
<choice value="-30d@d">Last 30 days</choice>
<choice value="-90d@d">Last 90 days</choice>
<initialValue>-7d@d</initialValue>
</input>
<input type="dropdown" token="task" searchWhenChanged="true">
<label>Batch Task</label>
<choice value="Roylink_IAF">Roylink IAF</choice>
<choice value="Roylink_FE">Roylink FE</choice>
<choice value="Roylink_Upload">Roylink Upload</choice>
<choice value="*">All</choice>
</input>
<table>
<search>
<query>index=sr_prd sourcetype=batch_roylink earliest=$field1$
| eval s=strptime(Scheduled_Batch_StartTime, "%Y-%m-%d %H:%M:%S.%Q")
| eval e=strptime(Scheduled_Batch_Endtime, "%Y-%m-%d %H:%M:%S.%Q")
| eval s=round(s,2)
| eval e=round(e,2)
| eval r=tostring(e-s, "duration")
| rename "Scheduled_Batch_StartTime" as "Start Time", "Scheduled_Batch_Endtime" as "End Time", r as "Runtime (H:M:S)"
| stats list("Start Time") as "Start Time",list("End Time") as "End Time", list("Runtime (H:M:S)") as "Runtime (H:M:S)" by Task_Object
| search Task_Object = $task$</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
chart options removed to save space
</table>
</panel>
</row>
<row>
<panel>
<chart>
<search>
<query>index=sr_prd sourcetype=batch_roylink earliest=$field1$
| mvexpand Task_Object
| search Task_Object= $task$
| eval s=strptime(Scheduled_Batch_StartTime, "%Y-%m-%d %H:%M:%S.%Q")
| eval e=strptime(Scheduled_Batch_Endtime, "%Y-%m-%d %H:%M:%S.%Q")
| eval r=round(e - s,3)
| timechart span=1d values(r) as "Runtime (seconds)" by Task_Object</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
chart options removed to save space
</chart>
</panel>
</row>
This is what I have so far for the updated dashboard -
<row>
<panel>
<title>Historical data</title>
<input type="time" token="field1">
<label>Time Period</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="report" searchWhenChanged="true">
<label>Batch Task</label>
<choice value="roylink_task_times task=Roylink_IAF">Roylink IAF</choice>
<choice value="roylink_task_times task=Roylink_FE">Roylink FE</choice>
<choice value="roylink_task_times task=Roylink_Upload">Roylink Upload</choice>
<choice value="roylink_task_times task=*">All</choice>
<choice value="roylink_total_time">Total</choice>
</input>
<table>
<search>
<query>| savedsearch $report$</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
chart options removed to save space
</table>
</panel>
</row>
<row>
<panel>
<chart>
<search>
<query>| savedsearch $what goes here?$</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
charting options removed to save space
</chart>
</panel>
</row>
As you can see, the second chart needs a different search to produce the timechart. Originally, I could use the $task$ variable as this was common between searches. With the update, I need to call a different search and specify the task appropriate to the choice from the dropdown.
Thanks for your patience.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Something like this
<input type="dropdown" token="report" searchWhenChanged="true">
<label>Batch Task</label>
<choice value="roylink_task_times task=Roylink_IAF">Roylink IAF</choice>
<choice value="roylink_task_times task=Roylink_FE">Roylink FE</choice>
<choice value="roylink_task_times task=Roylink_Upload">Roylink Upload</choice>
<choice value="roylink_task_times task=*">All</choice>
<choice value="roylink_total_time">Total</choice>
<change>
<condition value="roylink_task_times task=Roylink_IAF">
<set token="otherreport">other report value for IAF</set>
</condition>
<condition value="roylink_task_times task=Roylink_FE">
<set token="otherreport">other report value for FE</set>
</condition>
</change>
</input>Then use $otherreport$ token for your other saved search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. I had started to use the <change> parameter, but your answer gave me all I needed to complete.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
