Dashboards & Visualizations
Highlighted

Summary Index token drop down help

Explorer

Hi Team,

My current configs has drop down with one token , 3 choice value and 1 search query below.

$apicachedrealtime_token$ is replaced by choice value as per 3 dropdown(All, RealTime, Cached )
Below is original code:

  <input type="dropdown" token="api_cached_realtime_token" searchWhenChanged="true">
    <label>Type</label>
    <choice value="apiActualTimeTaken">All</choice>
    <choice value="realTime_timeTaken">RealTime</choice>
    <choice value="cached_timeTaken">Cached</choice>
    <default>apiActualTimeTaken</default>
    <initialValue>apiActualTimeTaken</initialValue>
  </input>
  <chart>
    <search>
      <query>index=mysupport_core sourcetype=mysupport_app_log event=ApiSummaryEvent api=LinkingToolController.linkProduct  apiStatus=* | timechart span=1h avg($api_cached_realtime_token$) as AVG, P95($api_cached_realtime_token$) as P95</query>
      <earliest>$time_token.earliest$</earliest>
      <latest>$time_token.latest$</latest>
    </search>
    <option name="charting.chart">line</option>
    <option name="charting.drilldown">none</option>
    <option name="refresh.display">progressbar</option>
  </chart>
</panel>

Now I am moving into summary index.

summaryindex is = mysummary_index I am writing all the above into summary index by using search query below.

index=mysupport_core sourcetype=mysupport_app_log event=ApiSummaryEvent api=LinkingToolController.linkProduct apiStatus=* | stats avg(apiActualTimeTaken) as AVG_Actual avg(realTime_timeTaken) as AVG_real avg(cached_timeTaken) as AVG_cached P95(apiActualTimeTaken) as P95_Actual P95(realTime_timeTaken) as P95_real P95(cached_timeTaken) as P95_cached

Pls help me achieve same with 3 dropdown (All, RealTime, Cached ) that output search for respective drop-down. (one-token-multiple value-perhaps)
index=mysummaryindex | stats sum(AVGActual or AVGreal or AVGcached ) as AVG sum(P95Actual or P95real or P95cached) as per dropdown(All, RealTime, Cached ) respectively.

I tried This article helped a bit but could not achieve yet.

https://answers.splunk.com/answers/525245/how-to-pass-multiple-values-for-a-field-through-to-1.html

0 Karma
Highlighted

Re: Summary Index token drop down help

Ultra Champion
<form>
  <fieldset submitButton="false">
    <input type="dropdown" token="api_cached_realtime_token" searchWhenChanged="true">
      <label>Type</label>
      <change>
        <eval token="api_test1">mvindex(split($api_cached_realtime_token$,","),0)</eval>
        <eval token="api_test2">mvindex(split($api_cached_realtime_token$,","),1)</eval>
      </change>
      <fieldForLabel>column</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <search>
        <query>| makeresults
| eval _raw="All,RealTime,Cached
AVG_Actual,AVG_real,AVG_cached
P95_Actual,P95_real,P95_cached"
| multikv forceheader=1
| table All RealTime Cached
| transpose
| eval value=mvzip('row 1','row 2')
| table column value</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <h1>1: $api_cached_realtime_token$<br/>2: $api_test1$<br/>3: $api_test2$</h1>
      </html>
    </panel>
  </row>

Hi, @harkirat9712
I made the token appropriately, so if you can fix it.

View solution in original post

0 Karma