Dashboards & Visualizations

Table dynamic datasource

kemeris
Engager
 I have drop-down named "Program" and Table with static datasource "ds_EHYzbg0g". How to define dataSource for Table dynamically based on value from drop-down "Program"?
 

 

 

{
    "options": {
        "items": [
            {
                "label": "All",
                "value": "*"
            }
        ],
        "defaultValue": "*",
        "token": "select_program"
    },
    "dataSources": {
        "primary": "ds_8xyubP1c"
    },
    "title": "Program",
    "type": "input.dropdown"
}

{
    "type": "splunk.table",
    "options": {
        "tableFormat": {
            "rowBackgroundColors": "> table | seriesByIndex(0) | pick(tableAltRowBackgroundColorsByTheme)"
        },
        "columnFormat": {
            "_raw": {
                "data": "> table | seriesByName(\"_raw\") | formatByType(_rawColumnFormatEditorConfig)"
            }
        },
        "count": 50
    },
    "dataSources": {
        "primary": "ds_EHYzbg0g"
    },
    "context": {
        "_rawColumnFormatEditorConfig": {
            "string": {
                "unitPosition": "after"
            }
        }
    },
    "showProgressBar": true,
    "containerOptions": {},
    "showLastUpdated": false
}

 

 

Labels (2)
0 Karma
1 Solution

livehybrid
SplunkTrust
SplunkTrust

Hi @kemeris 

Ive been having a play around with this, the only way I can make this work is using Saved Searches, as follows:

Create saved searches for each platform in a format such as "MySearch - $platform$" (e.g. MySearch - Amazon)

Create a dropdown with multiple options, each of which the value is set to the name of your saved searches (e.g. Name: Amazon, Value: MySearch - Amazon). Assume the name of your Dropdown is "ds_token"

Create a base search in dashboard studio with the following search:

| savedsearch $ds_token|s$

The |s (Pipe "S") will enclose the name in quotes.

This will then load your saved search with the name set in the value of the dropdown when selected.

You can use this search throughout your dashboard, or chain additional searches as required.

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

View solution in original post

0 Karma

livehybrid
SplunkTrust
SplunkTrust

Hi @kemeris 

Are the program you want to filter by in the data source? Or do you need to load a completely different data source depending on the dropdown selection?

Assuming you want to apply a filter to the search based on the dropdown value you would do something like this:

index=yourData platform=$platform$

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

0 Karma

kemeris
Engager

Thank you for you reply. I need completely different data source for Table depending on the dropdown selection.

If value selected in dropdown is equal to "caddy", set Table datasouce to "ds_EHYzbg0g", if value is "nginx", set Table datasouce to "ds_8xyubP1c":

 

"ds_EHYzbg0g":

{
    "type": "ds.search",
    "options": {
        "query": "host=\"$select_hosts$\" program=\"$select_program$\" priority=\"$select_log_leel$\" | fields host,program,sourceip"
    },
    "name": "logs_program_caddy"
}

 

 

0 Karma

livehybrid
SplunkTrust
SplunkTrust

Hi @kemeris 

Ive been having a play around with this, the only way I can make this work is using Saved Searches, as follows:

Create saved searches for each platform in a format such as "MySearch - $platform$" (e.g. MySearch - Amazon)

Create a dropdown with multiple options, each of which the value is set to the name of your saved searches (e.g. Name: Amazon, Value: MySearch - Amazon). Assume the name of your Dropdown is "ds_token"

Create a base search in dashboard studio with the following search:

| savedsearch $ds_token|s$

The |s (Pipe "S") will enclose the name in quotes.

This will then load your saved search with the name set in the value of the dropdown when selected.

You can use this search throughout your dashboard, or chain additional searches as required.

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

0 Karma

kemeris
Engager

@livehybrid 

 

thank you, your solution almost works.

I have saved search "dashboard_linux_logs_table_caddy":

host="$select_hosts$" program="$select_daemon$" priority="$select_log_level$" | fields _time,program

 

And Dashboard Studio DataSource:

 

    "dataSources": {
        "ds_dashboard_linux_logs_table": {
            "type": "ds.search",
            "options": {
                "query": "| savedsearch \"dashboard_linux_logs_table_$select_daemon$\" select_hosts=\"$select_hosts$\" select_daemon=\"$select_daemon$\" select_log_level=\"$select_log_level$\""
            },
            "name": "dashboard_linux_logs_table"
        }
}

 

When changing drop-down value (token: select_daemon), table does pick up right savedsearch. The only problem query parameter "| fields _time,program" of savedsearch is ignored. Still looking for solution.

0 Karma

kemeris
Engager

replaced

| fields _time,program

with

| table _time,program

and everything is working as expected. I really appreciate you help @livehybrid!

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Request for Professional Development: Attending .conf26

Winning Over the Boss: Your Pass to .conf26 conf26 is going to be here before you know it. If don't already ...