Dashboards & Visualizations

Splunk Dashboard Studio - Markdown Text

madhav_dholakia
Contributor

Hello,

I am creating a dashboard in Dashboard Studio and wanted to have just 3 timeranges available for a user:

Last Month ("-mon@mon" to "@mon")
Last to last Month ("-2mon@mon" to "-mon@mon")
Month to date ("@mon" to "@d")

I think I can get all these options in the default timerange input as well, but I do not want User to select anything other than these 3 options - and this is something I cannot prevent when using default timerange input (or at least I am not sure how do I do that, until and unless I create a separate user role with specific time ranges allowed, may be).

so as a work around, I have created a drop down with these 3 token labels and values are set in form of relative_time function, i.e.,

where tempDt>=relative_time(now(),"-mon@mon") and tempDt<relative_time(now(),"@mon")
where tempDt>=relative_time(now(),"@mon") and tempDt<relative_time(now(),"@d")
where tempDt>=relative_time(now(),"-2mon@mon") and tempDt<relative_time(now(),"-mon@mon")

in the main search (not available on demo dashboard definition shared here) I am using a variable tempDt and then one of the token value will filter data based on this tempDt.

index=abc earliest="-2mon@mon" 
```there exist a field called tempDt```
$timerange$

All this worked as expected - no issues. 

------------------------------------------------------------------------------------------------------------------------

Now, I also want to display Month Name in Dashboard Header (created using Markdown Text) based on Token Value, 

if Last Month then strftime(relative_time(now(),"-mon@mon"),"%b-%Y")
if Last to last month then strftime(relative_time(now(),"-2mon@mon"),"%b-%Y")
if Month To Date then strftime(relative_time(now(),"@mon"),"%b-%Y")

Please see below dashboard source code that I have tried but Markdown text is not populated with the Month Name - when I run the same search outside dashboard, it works ok.

{
	"visualizations": {
		"viz_q7o2tu52": {
			"type": "splunk.markdown",
			"options": {
				"markdown": "### **Monthly Service Review ($MD Search:result.month$)**"
			}
		}
	},
	"dataSources": {
		"ds_zBQAeHol": {
			"type": "ds.search",
			"options": {
				"enableSmartSources": true,
				"query": "| makeresults \n| eval temp=case(LIKE($timerange|s$,\"%-2mon@mon%\"),\"-2mon@mon\",LIKE($timerange|s$,\"%-mon@mon%\"),\"-mon@mon\",LIKE($timerange|s$,\"%@d%\"),\"@mon\",true(),\"@d\")\n| eval epoch=relative_time(now(),$temp$)\n| eval month=strftime(epoch,\"%b-%Y\")\n| table month",
				"queryParameters": {
					"earliest": "-24h@h",
					"latest": "now"
				}
			},
			"name": "MD Search"
		}
	},
	"defaults": {
		"dataSources": {
			"ds.search": {
				"options": {
					"queryParameters": {
						"latest": "$global_time.latest$",
						"earliest": "$global_time.earliest$"
					}
				}
			}
		}
	},
	"inputs": {
		"input_global_trp": {
			"options": {
				"items": [
					{
						"label": "Last Month",
						"value": "where tempDt>=relative_time(now(),\"-mon@mon\") and tempDt<relative_time(now(),\"@mon\")"
					},
					{
						"label": "Month to Date",
						"value": "where tempDt>=relative_time(now(),\"@mon\") and tempDt<relative_time(now(),\"@d\")"
					},
					{
						"label": "Last to last Month",
						"value": "where tempDt>=relative_time(now(),\"-2mon@mon\") and tempDt<relative_time(now(),\"-mon@mon\")"
					}
				],
				"defaultValue": "where tempDt>=relative_time(now(),\"-mon@mon\") and tempDt<relative_time(now(),\"@mon\")",
				"token": "timerange"
			},
			"title": "Time Range",
			"type": "input.dropdown"
		}
	},
	"layout": {
		"type": "absolute",
		"options": {
			"width": 1440,
			"height": 960,
			"display": "auto"
		},
		"structure": [
			{
				"item": "input_global_trp",
				"type": "input",
				"position": {
					"x": 640,
					"y": 130,
					"w": 198,
					"h": 82
				}
			},
			{
				"item": "viz_q7o2tu52",
				"type": "block",
				"position": {
					"x": 540,
					"y": 30,
					"w": 400,
					"h": 90
				}
			}
		],
		"globalInputs": []
	},
	"description": "",
	"title": "MD Markdown Token Test"
}

 

madhav_dholakia_0-1703135529815.png

Can you please help how can I achieve this?

Thank you.

Regards,

Madhav

Labels (2)
Tags (1)
0 Karma
1 Solution

madhav_dholakia
Contributor

Hi @VatsalJagani - 

In my data source, after making changes as below - this worked as expected.

This was suggested by Camden Marchetti in Slack Splunk Usergroup.

From:

| eval epoch=relative_time(now(),$temp$)

To:

| eval epoch=relative_time(now(),$$temp$$)

 
Thank you very much for your inputs on this as well as my other questions in this forum.

View solution in original post

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

Hi @madhav_dholakia ,

Unfortunately, Splunk Dashboard Studio does not support a full set of features for Tokens like Simple XML dashboards. So I doubt if something like this complex requirement can be implemented.

 

You can try creating last months static in the dropdown, and that may work I think like, and then manually update the dashboard every month.

 

I hope this helps!!! Kindly upvote if it does!!!

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@madhav_dholakia - Did this resolve your query? If yes then please mark the answer as "Accepted" for other community users.

0 Karma

madhav_dholakia
Contributor

Hi @VatsalJagani - apologies for the delayes response. Yes, that static Month is already in place. I have got 35 dashboards having three different Time ranges available to select in the dropdown (Last Month, Last to Last Month, Month To Date) - so I am looking for the header to update based on the time range selected.

For example,

if I run this report today for "Last Month" - Report Title would be Monthly Report - Nov 2023 

if I run this report today for "Last to last Month" - Report Title would be Monthly Report - Oct 2023 

if I run this report today for "Month to date" - Report Title would be Monthly Report - Dec 2023 

Thank you.

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@madhav_dholakia - Got it. I don't think that level of token manipulation is possible on Dashboard Studio.

You can try Simple XML for that.

 

I hope this helps!!~!

0 Karma

madhav_dholakia
Contributor

Hi @VatsalJagani - 

In my data source, after making changes as below - this worked as expected.

This was suggested by Camden Marchetti in Slack Splunk Usergroup.

From:

| eval epoch=relative_time(now(),$temp$)

To:

| eval epoch=relative_time(now(),$$temp$$)

 
Thank you very much for your inputs on this as well as my other questions in this forum.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...