Splunk Dashboard Studio - Markdown Text

madhav_dholakia
Contributor

Hello,

I am creating a dashboard in Dashboard Studio and wanted to have just 3 timeranges available for a user:

Last Month ("-mon@mon" to "@mon")
Last to last Month ("-2mon@mon" to "-mon@mon")
Month to date ("@mon" to "@d")

I think I can get all these options in the default timerange input as well, but I do not want the user to select anything other than these 3 options - and this is something I cannot prevent when using the default timerange input (or at least I am not sure how to do that, until and unless I create a separate user role with specific time ranges allowed, maybe).

So, as a workaround, I have created a dropdown with these 3 token labels, and the values are set in the form of the relative_time function, i.e.,

where tempDt>=relative_time(now(),"-mon@mon") and tempDt<relative_time(now(),"@mon")
where tempDt>=relative_time(now(),"@mon") and tempDt<relative_time(now(),"@d")
where tempDt>=relative_time(now(),"-2mon@mon") and tempDt<relative_time(now(),"-mon@mon")

In the main search (not available in the demo dashboard definition shared here) I am using a variable tempDt, and then one of the token values will filter data based on this tempDt.

index=abc earliest="-2mon@mon" 
```there exist a field called tempDt```
$timerange$

All this worked as expected - no issues. 

------------------------------------------------------------------------------------------------------------------------

Now, I also want to display Month Name in Dashboard Header (created using Markdown Text) based on Token Value, 

if Last Month then strftime(relative_time(now(),"-mon@mon"),"%b-%Y")
if Last to last month then strftime(relative_time(now(),"-2mon@mon"),"%b-%Y")
if Month To Date then strftime(relative_time(now(),"@mon"),"%b-%Y")

Please see below the dashboard source code that I have tried, but the Markdown text is not populated with the Month Name - when I run the same search outside the dashboard, it works OK.

{
	"visualizations": {
		"viz_q7o2tu52": {
			"type": "splunk.markdown",
			"options": {
				"markdown": "### **Monthly Service Review ($MD Search:result.month$)**"
			}
		}
	},
	"dataSources": {
		"ds_zBQAeHol": {
			"type": "ds.search",
			"options": {
				"enableSmartSources": true,
				"query": "| makeresults \n| eval temp=case(LIKE($timerange|s$,\"%-2mon@mon%\"),\"-2mon@mon\",LIKE($timerange|s$,\"%-mon@mon%\"),\"-mon@mon\",LIKE($timerange|s$,\"%@d%\"),\"@mon\",true(),\"@d\")\n| eval epoch=relative_time(now(),$temp$)\n| eval month=strftime(epoch,\"%b-%Y\")\n| table month",
				"queryParameters": {
					"earliest": "-24h@h",
					"latest": "now"
				}
			},
			"name": "MD Search"
		}
	},
	"defaults": {
		"dataSources": {
			"ds.search": {
				"options": {
					"queryParameters": {
						"latest": "$global_time.latest$",
						"earliest": "$global_time.earliest$"
					}
				}
			}
		}
	},
	"inputs": {
		"input_global_trp": {
			"options": {
				"items": [
					{
						"label": "Last Month",
						"value": "where tempDt>=relative_time(now(),\"-mon@mon\") and tempDt<relative_time(now(),\"@mon\")"
					},
					{
						"label": "Month to Date",
						"value": "where tempDt>=relative_time(now(),\"@mon\") and tempDt<relative_time(now(),\"@d\")"
					},
					{
						"label": "Last to last Month",
						"value": "where tempDt>=relative_time(now(),\"-2mon@mon\") and tempDt<relative_time(now(),\"-mon@mon\")"
					}
				],
				"defaultValue": "where tempDt>=relative_time(now(),\"-mon@mon\") and tempDt<relative_time(now(),\"@mon\")",
				"token": "timerange"
			},
			"title": "Time Range",
			"type": "input.dropdown"
		}
	},
	"layout": {
		"type": "absolute",
		"options": {
			"width": 1440,
			"height": 960,
			"display": "auto"
		},
		"structure": [
			{
				"item": "input_global_trp",
				"type": "input",
				"position": {
					"x": 640,
					"y": 130,
					"w": 198,
					"h": 82
				}
			},
			{
				"item": "viz_q7o2tu52",
				"type": "block",
				"position": {
					"x": 540,
					"y": 30,
					"w": 400,
					"h": 90
				}
			}
		],
		"globalInputs": []
	},
	"description": "",
	"title": "MD Markdown Token Test"
}

 


Can you please help me with how I can achieve this?

Thank you.

Regards,

Madhav

0 Karma
1 Solution

madhav_dholakia
Contributor

Hi @VatsalJagani - 

In my data source, after making changes as below - this worked as expected.

This was suggested by Camden Marchetti in Slack Splunk Usergroup.

From:

| eval epoch=relative_time(now(),$temp$)

To:

| eval epoch=relative_time(now(),$$temp$$)

 
Thank you very much for your inputs on this as well as my other questions in this forum.

0 Karma
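
An added example, not part of the original thread and not Splunk's own code: a small Python check that scans a Dashboard Studio definition for `$name$` tokens in data source queries that no input defines, which is how the unescaped `$temp$` above would show up across many dashboards. It assumes, as the accepted fix implies, that `$$` is read as a literal `$`; the function names and the reduced sample definition are constructed for illustration.

```python
import re

# "$$" is an escaped literal dollar; "$name$" or "$name|filter$" is a dashboard token.
TOKEN_RE = re.compile(r"\$\$|\$([A-Za-z_][\w.:]*)(?:\|\w+)?\$")


def defined_tokens(definition):
    """Token names set by the inputs of a dashboard definition."""
    names = set()
    for inp in definition.get("inputs", {}).values():
        token = inp.get("options", {}).get("token")
        if token:
            names.add(token)
            if inp.get("type") == "input.timerange":
                # Time range inputs are referenced as <token>.earliest / <token>.latest.
                names.update({token + ".earliest", token + ".latest"})
    return names


def undefined_query_tokens(definition):
    """Return (data source id, token) pairs for query tokens no input defines.

    These are candidates only: tokens set elsewhere would also be listed.
    """
    known = defined_tokens(definition)
    findings = []
    for ds_id, ds in definition.get("dataSources", {}).items():
        query = ds.get("options", {}).get("query", "")
        for match in TOKEN_RE.finditer(query):
            name = match.group(1)  # None when the match is the "$$" escape
            if name and name not in known:
                findings.append((ds_id, name))
    return findings


def sample_definition(eval_line):
    # Constructed, reduced copy of the dashboard posted in the question.
    query = ('| makeresults\n'
             '| eval temp=case(LIKE($timerange|s$,"%-2mon@mon%"),"-2mon@mon",true(),"@d")\n'
             + eval_line + '\n| eval month=strftime(epoch,"%b-%Y")')
    return {
        "inputs": {"input_global_trp": {"type": "input.dropdown",
                                        "options": {"token": "timerange"}}},
        "dataSources": {"ds_zBQAeHol": {"type": "ds.search",
                                        "options": {"query": query}}},
    }


BEFORE = sample_definition('| eval epoch=relative_time(now(),$temp$)')
AFTER = sample_definition('| eval epoch=relative_time(now(),$$temp$$)')

if __name__ == "__main__":
    print("before fix:", undefined_query_tokens(BEFORE))
    print("after fix: ", undefined_query_tokens(AFTER))
```
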

VatsalJagani
SplunkTrust

Hi @madhav_dholakia ,

Unfortunately, Splunk Dashboard Studio does not support a full set of features for Tokens like Simple XML dashboards. So I doubt if something like this complex requirement can be implemented.

 

You can try creating the last months as static values in the dropdown, which I think may work, and then manually update the dashboard every month.

 

I hope this helps!!! Kindly upvote if it does!!!

0 Karma

VatsalJagani
SplunkTrust

@madhav_dholakia - Did this resolve your query? If yes then please mark the answer as "Accepted" for other community users.

0 Karma

madhav_dholakia
Contributor

Hi @VatsalJagani - apologies for the delayed response. Yes, that static Month is already in place. I have got 35 dashboards having three different time ranges available to select in the dropdown (Last Month, Last to Last Month, Month To Date) - so I am looking for the header to update based on the time range selected.

For example,

if I run this report today for "Last Month" - Report Title would be Monthly Report - Nov 2023 

if I run this report today for "Last to last Month" - Report Title would be Monthly Report - Oct 2023 

if I run this report today for "Month to date" - Report Title would be Monthly Report - Dec 2023 

Thank you.

0 Karma

VatsalJagani
SplunkTrust

@madhav_dholakia - Got it. I don't think that level of token manipulation is possible on Dashboard Studio.

You can try Simple XML for that.

 

I hope this helps!!!

0 Karma
