Solved: Re: Taking a numerical text input for dashboard to...

AshimaE · ‎06-14-2017

Hello.
I have achieved result table using sort on a parameter. Here I am directly giving the top 20 highest results.

index=a sourcetype=b host=* earliest=-6h | sort 0 host time| streamstats current=f window=1 values(du) as prevdu by host |where isnotnull(prevdu) |eval useddiff = du - prevdu | eval velo = useddiff/15 | stats avg(velo) by host| table host avg(velo) | rename avg(velo) as velocity | sort -velocity | head 20

Now the task that I want to achieve is that for an text input field I want to read the input as a number and set this as a threshold and only display the top 20 results crossing the threshold only.
I had tried

index=a sourcetype=b host=* earliest=-6h | sort 0 host time | streamstats current=f window=1 values(du) as prevdu by host |where isnotnull(prevdu) |eval useddiff = du - prevdu | eval velo = useddiff/15 | stats avg(velo) by host| table host avg(velo) | rename avg(velo) as velocity | convert num($myinput$) as vthold | where velocity >= vthold |sort -velocity | head 20

But this is not narrowing down the results. I suspet that is because Splunk is reading it as a text. Any suggestions how I could achieve the same.

niketn · ‎06-14-2017

@AshimaE, like @yuanliu mentioned, you should be able to use numeric comparison directly from numeric value passed on from the text box. There is not need for convert the same.

Following is a run anywhere search which performs digit validation on textbox (you can write more specific JavaScript Regular Expression as per your needs). The token tokVelThold to be used in search gets set only when all characters entered in Text Box are digits, otherwise the Search Panel remains hidden since the token is not set.

  <fieldset submitButton="false">
    <input type="text" token="selVelThold">
      <label>Add threshold</label>
      <change>
          <eval token="tokVelThold">case(match(value, &quot;^[0-9]+$&quot;), $value$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>tokVelThold: $tokVelThold$</title>
      <table depends="$tokVelThold$">
        <search>
          <query>| makeresults
| eval velocity=1000
| eval vthold=$tokVelThold$
| where velocity &gt;= vthold 
| sort -velocity
| head 20</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>

Alternatively you can also pass all values from the Text Box to the token and default the the value to 0 in case it is not number through

| eval velThold=$selVelThold$ 
| eval velThold=case(isnum(velThold),velThold,true(),0)
| where velocity &gt;= vthold 
| sort -velocity
| head 20

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎06-14-2017

@AshimaE, like @yuanliu mentioned, you should be able to use numeric comparison directly from numeric value passed on from the text box. There is not need for convert the same.

Following is a run anywhere search which performs digit validation on textbox (you can write more specific JavaScript Regular Expression as per your needs). The token tokVelThold to be used in search gets set only when all characters entered in Text Box are digits, otherwise the Search Panel remains hidden since the token is not set.

  <fieldset submitButton="false">
    <input type="text" token="selVelThold">
      <label>Add threshold</label>
      <change>
          <eval token="tokVelThold">case(match(value, &quot;^[0-9]+$&quot;), $value$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>tokVelThold: $tokVelThold$</title>
      <table depends="$tokVelThold$">
        <search>
          <query>| makeresults
| eval velocity=1000
| eval vthold=$tokVelThold$
| where velocity &gt;= vthold 
| sort -velocity
| head 20</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>

Alternatively you can also pass all values from the Text Box to the token and default the the value to 0 in case it is not number through

| eval velThold=$selVelThold$ 
| eval velThold=case(isnum(velThold),velThold,true(),0)
| where velocity &gt;= vthold 
| sort -velocity
| head 20

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

AshimaE · ‎06-15-2017

The alternative worked well for the case. Thanks a lot.

niketn · ‎06-15-2017

Hi @AshimaE, I have converted my comment to Answer, please Accept if it helped. In the Regular Expression you can handle decimal as well (if you want to perform floating number validation).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

yuanliu · ‎06-14-2017

If values in $myinput$ can be interpreted as numbers, it will be used as a number. Have you tried'| where velocity >=$myinput$ instead? There should be no convert needed.

AshimaE · ‎06-14-2017

Yes I did try that. No narrowing down was there.. Also I need to consider decimal point numbers as my input as well.

Taking a numerical text input for dashboard to narrow down results

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!