Dashboards & Visualizations

Splunk - how to modify Token based on the choice values from another Token?

shashankk
Communicator

Hello Team,

Please suggest how to modify Token based on the choice values from another Token?

Refer below requirement:

My requirement is to fetch the token="TimeSpan" value based on the selection of token="timefrom" and token="timeto"

And I want to use below formula:

TimeSpan = ($timeto$ - $timefrom$) * 60

For example: TimeSpan = (4 - 2)*60 = 120

<input type="dropdown" token="instance" searchWhenChanged="true">
<label>Instance</label>
<choice value="instance1">instance1</choice>
<choice value="instance2">instance2</choice>
<default>instance1</default>
<initialValue>instance1</initialValue>
</input>

<input type="dropdown" token="timefrom" searchWhenChanged="true">
<label>Time Range From (24 Hour)</label>
<choice value="1">01:00</choice>
<choice value="2">02:00</choice>
<choice value="3">03:00</choice>
<choice value="4">04:00</choice>
<choice value="5">05:00</choice>
<choice value="6">06:00</choice>
<choice value="7">07:00</choice>
<default>2</default>
<initialValue>2</initialValue>
</input>

<input type="dropdown" token="timeto" searchWhenChanged="true">
<label>Time Range To (24 Hour)</label>
<choice value="1">01:00</choice>
<choice value="2">02:00</choice>
<choice value="3">03:00</choice>
<choice value="4">04:00</choice>
<choice value="5">05:00</choice>
<choice value="6">06:00</choice>
<choice value="7">07:00</choice>
<default>4</default>
<initialValue>4</initialValue>
</input>

<input type="text" token="TimeSpan" searchWhenChanged="true">
<label>Interval (in min)</label>
<default></default>
</input>

@ITWhisperer@niketn 
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

<fieldset submitButton="true" autoRun="true">
<input type="dropdown" token="instance" searchWhenChanged="true">
<label>Instance</label>
<choice value="instance1">instance1</choice>
<choice value="instance2">instance2</choice>
<default>instance1</default>
<initialValue>instance1</initialValue>
</input>

<input type="dropdown" token="timefrom" searchWhenChanged="false">
<label>Time Range From (24 Hour)</label>
<choice value="01">01:00</choice>
<! code omitted to make it shorted !>
<choice value="24">24:00</choice>
<default>02</default>
<initialValue>02</initialValue>
<change>
<eval token="TimeSpan">($timeto$ - $timefrom$) * 60</eval>
</change>
</input>

<input type="dropdown" token="timeto" searchWhenChanged="false">
<label>Time Range To (24 Hour)</label>
<choice value="01">01:00</choice>
<! code omitted to make it shorted !>
<choice value="24">24:00</choice>
<default>04</default>
<initialValue>04</initialValue>
<change>
<eval token="TimeSpan">($timeto$ - $timefrom$) * 60</eval>
</change>
</input>

</fieldset>

View solution in original post

shashankk
Communicator

I have tried out multiple options - but kind of stuck here. Please suggest, if there is any different way to achieve the same.

Getting error:
Invalid child="set" is not allowed in node="conditional-input-change"

Kindly suggest.

<input type="text" token="TimeSpan" searchWhenChanged="true">
<label>Interval (in mins)</label>
<change>
<condition>'$timeto$' != '' AND '$timefrom$' != ''</condition>
<set token="TimeSpan"=($timeto$ - $timefrom$) * 60</set>
</change>
</input>

@ITWhisperer  @niketn 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this (probably best to add to both timeto and timefrom inputs rather than having another timespan input)

<change>
<eval token="TimeSpan">($timeto$ - $timefrom$) * 60</eval>
</change>

shashankk
Communicator

@ITWhisperer - Thank you for your response! I tried the suggested approach, but don't see any change.

My Dashboard is having 4 input fields:

Instance | Time Range From (24 Hour) | Time Range To (24 Hour) | Interval (in mins) | Submit (button)

Interval (in mins) is a Text box. Expected output is the TimeSpan token should write the below calculated value in this field. And it should be disabled for any manual user inputs.

For Ex: TimeSpan = 120

Please suggest.

Refer below code snippet:

<fieldset submitButton="true" autoRun="true">
<input type="dropdown" token="instance" searchWhenChanged="true">
<label>Instance</label>
<choice value="instance1">instance1</choice>
<choice value="instance2">instance2</choice>
<default>instance1</default>
<initialValue>instance1</initialValue>
</input>

<input type="dropdown" token="timefrom" searchWhenChanged="false">
<label>Time Range From (24 Hour)</label>
<choice value="01">01:00</choice>
<! code omitted to make it shorted !>
<choice value="24">24:00</choice>
<default>02</default>
<initialValue>02</initialValue>
</input>

<input type="dropdown" token="timeto" searchWhenChanged="false">
<label>Time Range To (24 Hour)</label>
<choice value="01">01:00</choice>
<! code omitted to make it shorted !>
<choice value="24">24:00</choice>
<default>04</default>
<initialValue>04</initialValue>
</input>

<input type="text" token="TimeSpan">
<label>Interval (in mins)</label>
<change>
<eval token="TimeSpan">($timeto$ - $timefrom$) * 60</eval>
</change>
</input>

</fieldset>

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

OK I misunderstood what you were trying to do with TimeSpan. If you have an input for the number of minutes, why can't you just use that token in your search?

| timechart span=$TimeSpan$m ...

shashankk
Communicator

@ITWhisperer 

This doesn't solve my problem. (| timechart span=$TimeSpan$m

I want "timechart span" should be dynamically selected based on the User inputs for the Time Range (i.e. timeto and timefrom). 

So given that timeto and timefrom are tokens, I want to set up another token when these tokens are set which equates to the value I want in TimeSpan.

TimeSpan = ($timeto$ - $timefrom$) * 60

Note: Additionally, I want to keep TimeSpan field as hidden or disabled for any manual entry by the user.

I hope it is clarified now, kindly suggest how this can be achieved?

OR the 2nd option:
Do we have any way to pass this value as variable/attribute to the "timechart span" in the query itself? I have tried out the below approach, but it doesn't work.

| eval TimeSpan= ($timeto$ - $timefrom$) * 60
timechart span=$TimeSpan$m aligntime=earliest count(eval(searchmatch("sent"))) as HotCount by TestMQ
| where tonumber(strftime(_time, "%H")) >= $timefrom$ AND tonumber(strftime(_time, "%H")) <= $timeto$

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

OK when you said my previous suggestion didn't work, exactly how did you implement it?

shashankk
Communicator

@ITWhisperer 

Your previous suggestion (timechart span=$TimeSpan$m) works fine if the User enters the token value manually.

My requirement is to fetch the TimeSpan value dynamically on the basis of Time Range selection by the User.

I hope it clarifies now.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

My previous suggestion was:

Try something like this (probably best to add to both timeto and timefrom inputs rather than having another timespan input)

<change>
<eval token="TimeSpan">($timeto$ - $timefrom$) * 60</eval>
</change>

How did you implement this?

shashankk
Communicator

@ITWhisperer - I tried this suggested approach, but don't see any change in the TimeSpan field. The value is not getting populated in the Text box. 

For Example:
TimeFrom: 2
TimeTo: 4
TimeSpan = (4 -2)*60 = 120

I am getting below error:

"Error in 'timechart' command: The value for option span (nullm) is invalid. When span is expressed using a sub-second unit (ds, cs, ms, us), the span value needs to be < 1 second, and 1 second must be evenly divisible by the span value."

| timechart span=nullm aligntime=earliest count(eval(searchmatch("sent"))) as HotPutCount by HotScanMQ


And there is no value getting set into the TimeSpan text box on the dashboard. 

Refer below code snippet used:

<fieldset submitButton="true" autoRun="true">
<input type="dropdown" token="instance" searchWhenChanged="true">
<label>Instance</label>
<choice value="instance1">instance1</choice>
<choice value="instance2">instance2</choice>
<default>instance1</default>
<initialValue>instance1</initialValue>
</input>

<input type="dropdown" token="timefrom" searchWhenChanged="false">
<label>Time Range From (24 Hour)</label>
<choice value="01">01:00</choice>
<! code omitted to make it shorted !>
<choice value="24">24:00</choice>
<default>02</default>
<initialValue>02</initialValue>
</input>

<input type="dropdown" token="timeto" searchWhenChanged="false">
<label>Time Range To (24 Hour)</label>
<choice value="01">01:00</choice>
<! code omitted to make it shorted !>
<choice value="24">24:00</choice>
<default>04</default>
<initialValue>04</initialValue>
</input>

<input type="text" token="TimeSpan">
<label>Interval (in mins)</label>
<change>
<eval token="TimeSpan">($timeto$ - $timefrom$) * 60</eval>
</change>
</input>

</fieldset>

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

So, when I said "best to add to both timeto and timefrom inputs rather than having another timespan input", why didn't you try that?

shashankk
Communicator

@ITWhisperer - Thank you for your kind response.

Can you please help elaborate more as I could not understand it properly what you are trying to convey here? "best to add to both timeto and timefrom inputs rather than having another timespan input"

How do I go about this?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

<fieldset submitButton="true" autoRun="true">
<input type="dropdown" token="instance" searchWhenChanged="true">
<label>Instance</label>
<choice value="instance1">instance1</choice>
<choice value="instance2">instance2</choice>
<default>instance1</default>
<initialValue>instance1</initialValue>
</input>

<input type="dropdown" token="timefrom" searchWhenChanged="false">
<label>Time Range From (24 Hour)</label>
<choice value="01">01:00</choice>
<! code omitted to make it shorted !>
<choice value="24">24:00</choice>
<default>02</default>
<initialValue>02</initialValue>
<change>
<eval token="TimeSpan">($timeto$ - $timefrom$) * 60</eval>
</change>
</input>

<input type="dropdown" token="timeto" searchWhenChanged="false">
<label>Time Range To (24 Hour)</label>
<choice value="01">01:00</choice>
<! code omitted to make it shorted !>
<choice value="24">24:00</choice>
<default>04</default>
<initialValue>04</initialValue>
<change>
<eval token="TimeSpan">($timeto$ - $timefrom$) * 60</eval>
</change>
</input>

</fieldset>

astockmeister_s
Explorer

Is there a way do do this in Dashboard Studio JSON configuratino?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

There are still a number of features and capabilities that Classic Dashboards have that a lacking in Studio. Personally, I only use Studio for simple, non-production dashboards.

0 Karma

shashankk
Communicator

@ITWhisperer  Thank you for your great help! 🙂
This works fine now. The only modification which I did is below:

Removed the below Submit button:
<fieldset submitButton="true" autoRun="true">

And enabled searchWhenChanged="true" for below:
<input type="dropdown" token="timefrom" searchWhenChanged="false">
<input type="dropdown" token="timeto" searchWhenChanged="false">

0 Karma

shashankk
Communicator

I have tried out below options, but getting error.

Please suggest.

node <dependency> is not allowed here.

node <search> is not allowed here.
node <query> is not allowed here.


Option 1:
<input type="text" token="TimeSpan" searchWhenChanged="true">
<label>Interval (in min)</label>
<default></default>
<dependency type="value" token="timefrom">
<condition>greater</condition>
<value>0</value>
</dependency>
<dependency type="value" token="timeto">
<condition>greater</condition>
<value>0</value>
</dependency>
<value>
<eval token="TimeSpan">("$timeto$" - "$timefrom$") * 60</eval>
</value>
</input>

Option 2:

<search id="calculateTimeSpan">
<query>
| makeresults
| eval TimeSpan = (tonumber('$timeto$') - tonumber('$timefrom$')) * 60
| fields - _time
</query>
</search>

@ITWhisperer  @niketn 

0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...