Hi,
I am trying to create a dashboard that takes the details from the dropdown (input field) options and then dynamically updates searches.
Options in my dropdown list are also pulled dynamically through search query:
Sample query: sourcetype="sample"|eval env=case(match(host,"AB.*"),"Production", match(host,"ab.*"),"Production", match(host,"CD.*"),"Test", match(host,"cd.*"),"Test", match(host,"EF.*"),"Sales", match(host,"ef.*"),"Sales")
I am then passing token value "env" for the calculated field in "env" from above query to filter the searches. But the search doesn't seems to be changing based on the selection --- Production, Sales, or Test.
I have used dropdowns and tokens options before and they seemed to worked perfectly. But I am not sure if the match of multiple fields in the dropdown query creating a problem to filter the searches based on the selection by user.
Any help on this will be great.
Thanks.
I think I might see the problem, or a place to start troubleshooting. I created a similar dashboard to yours using different data and a very slightly modified query so that I could generate the input values. As pointed out here:
https://answers.splunk.com/answers/329960/duplicate-values-causing-conflict.html
I think there might be an issue with your field for label and field for value settings in the dropdown input. I was getting a "conflicting values" error until I made sure that the field was the same as the token ("env") that was getting set in the query. Here is the relevant part of my sample code that worked.
<fieldset>
<input type="time" searchWhenChanged="false">
<label>Select a time:</label>
<default>Last 24 hours</default>
</input>
<input type="dropdown" token="env" searchWhenChanged="false">
<label>Environment</label>
<fieldForLabel>env</fieldForLabel>
<fieldForValue>env</fieldForValue>
<search>
<query>index=_internal | stats count by source |eval env=case(match(source,"metrics.*"),"Metrics", match(source,"license.*"),"License", match(source,"scheduler.*"), "Scheduler") | dedup env | table env</query>
</search>
<default>Metrics</default>
</input>
<input type="text" token="type" searchWhenChanged="false">
<label>Request Type</label>
</input>
<input type="text" token="type2" searchWhenChanged="false">
<label>Company</label>
</input>
</fieldset>
Hope this helps!
The reason is your <fieldforvalue> should be strictly equal to your extracted filed value. And env may not be your extracted filed in your search query.
An old post, but I was just having a similar problem and found a possible work-around. I had a dropdown that was populated by a search, and did some filtering in another search based on the value of the dropdown. The code was simular to these snippets:
<form>
<fieldset submitButton="false" autoRun="false">
<input type="dropdown" token="filter" searchWhenChanged="true">
<showClearButton>false</showClearButton>
<label>Filter</label>
<fieldForLabel>filter</fieldForLabel>
<fieldForValue>filter</fieldForValue>
<search>
<query>| inputlookup my_filters</query>
<earliest>$timepicker.earliest$</earliest>
<latest>$timepicker.latest$</latest>
</search>
<default>$filter$</default>
<initialValue>value1</initialValue>
</input>
</fieldset>
<search id="base_search">
<query>index=some_index some_field=some_value</query>
<earliest>$timepicker.earliest$</earliest>
<latest>$timepicker.latest$</latest>
</search>
<search id="base_filters" base="base_search">
<query>| search filter="$filter$"</query>
</search>
</form>
The first time I changed the dropdown, the token and the search wasn't updated. If I changed it a second time, it did update, and any changes after that worked as expected.
As I have created some HTML dashboards as well, I knew about the default and submitted token model for HTML dashboards (http://dev.splunk.com/view/webframework-developapps/SP-CAAAEW2), and found this page: https://answers.splunk.com/answers/521964/how-to-reference-token-namespaces-in-simplexml.html
I then changed my search to use $default:filter$ instead of $filter$, and the search now updates the first time the dropdown is changed:
<search id="base_filters" base="base_search">
<query>| search filter="$default:filter$"</query>
</search>
I think I might see the problem, or a place to start troubleshooting. I created a similar dashboard to yours using different data and a very slightly modified query so that I could generate the input values. As pointed out here:
https://answers.splunk.com/answers/329960/duplicate-values-causing-conflict.html
I think there might be an issue with your field for label and field for value settings in the dropdown input. I was getting a "conflicting values" error until I made sure that the field was the same as the token ("env") that was getting set in the query. Here is the relevant part of my sample code that worked.
<fieldset>
<input type="time" searchWhenChanged="false">
<label>Select a time:</label>
<default>Last 24 hours</default>
</input>
<input type="dropdown" token="env" searchWhenChanged="false">
<label>Environment</label>
<fieldForLabel>env</fieldForLabel>
<fieldForValue>env</fieldForValue>
<search>
<query>index=_internal | stats count by source |eval env=case(match(source,"metrics.*"),"Metrics", match(source,"license.*"),"License", match(source,"scheduler.*"), "Scheduler") | dedup env | table env</query>
</search>
<default>Metrics</default>
</input>
<input type="text" token="type" searchWhenChanged="false">
<label>Request Type</label>
</input>
<input type="text" token="type2" searchWhenChanged="false">
<label>Company</label>
</input>
</fieldset>
Hope this helps!
Hi,
Thanks for the prompt response.
Sorry, probably I had pasted the incorrect XML. Following is in the XML. I am not getting any error related to duplicate values.
Can you share with me the XML code in which you are referring (or calling) "env" token?
<label>Environment</label>
<fieldForLabel>env</fieldForLabel>
<fieldForValue>env</fieldForValue>
<search>
<query>sourcetype="sample"|eval env=case(match(host,"AB.*"),"Production", match(host,"ab.*"),"Production", match(host,"CD.*"),"Test", match(host,"cd.*"),"Test", match(host,"EF.*"),"Sales", match(host,"ef.*"),"Sales") | dedup env | table env</query>
</search>
Thanks again.
Try setting "searchWhenChanged" to "true" in your dropdown to respond to a selection.
<input type="dropdown" token="env" searchWhenChanged="true">
<label>Environment</label>
<fieldForLabel>env</fieldForLabel>
<fieldForValue>env</fieldForValue>
<search>
<query>index=_internal | stats count by source |eval env=case(match(source,"metrics.*"),"Metrics", match(source,"license.*"),"License", match(source,"scheduler.*"), "Scheduler") | dedup env | table env</query>
</search>
<default>Metrics</default>
</input>
@bhumikajpatel, did this solve your dashboard issue? If so, please accept the answer. If not, please post an update. Thanks!
Hi,
No it didn't and I have tried every possible method to solve the problem.
The dropdown list works fine. But may be because of the dropdown values are searched dynamically or because the search string has match function the resultant sub search is not getting updated when value is selected from dropdown list.
I am not an expert with dashboards but is there any different way to use tokens for eval fields ? I am creating an eval field in the search query of my dropdown list.
Thanks.
Hi @bhumikajpatel,
Thanks for the update. Here are a couple of suggestions.
1) Have you tried changing "searchWhenChanged" to "true" in your other inputs?
2) I'm not clear on how the other panels are set up to respond to the "env" token being set. I'm also not sure how setting the other tokens ("type" and "type2") triggers changes to those panels.
Here are some documentation links that might help:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/tokens
http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/FormEditor
http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/Buildandeditforms
http://docs.splunk.com/Documentation/Splunk/6.5.1612/Viz/PanelreferenceforSimplifiedXML#condition_.2...
To get more in-depth troubleshooting and advice, I'd recommend contacting Support:
Customer support contact info:
http://www.splunk.com/view/contact-us/SP-CAAAHJ6
Thanks.
Let me try referring these documents.
Yes, I have tried setting searchWhenChanged to "true"
But it didn't work.
Hi,
I am not very sure what the problem was but I was able to fix this issue by making the dropdown list with static options instead of dynamic search.
And then appended the following query in the subsequent search queries to update the dashboard:
sourcetype="sample"|eval env=case(match(host,"AB.*"),"Production", match(host,"ab.*"),"Production", match(host,"CD.*"),"Test", match(host,"cd.*"),"Test", match(host,"EF.*"),"Sales", match(host,"ef.*"),"Sales") | where env = "$env$" | ... <>
"$env$" is the token created from static dropdown list.
With this workaround my dashboard is updating the data correctly.
Thanks for all your help
Ah, glad to hear you figured it out! Good work 🙂
Hi @bhumikajpatel,
Can you post your dashboard Simple XML source code? This would help with troubleshooting, as there might be an issue somewhere in the dashboard with how the other panels and searches are "listening" for this change.
Hi,
Thanks for the prompt response.
Below is the XML code. Please be noted that the one highlighted in bold is experimental... ()
Report
usage
<input type="time" searchWhenChanged="false">
<label>Select a time:</label>
<default>Last 24 hours</default>
</input>
<input type="dropdown" token="environment" searchWhenChanged="false">
<label>Environment</label>
<fieldForLabel>environment</fieldForLabel>
<fieldForValue>environment</fieldForValue>
<search>
<query>sourcetype="sample"|eval env=case(match(host,"AB.*"),"Production", match(host,"ab.*"),"Production", match(host,"CD.*"),"Test", match(host,"cd.*"),"Test", match(host,"EF.*"),"Sales", match(host,"ef.*"),"Sales") | dedup env | table env</query>
</search>
<default>Production</default>
</input>
<input type="text" token="type" searchWhenChanged="false">
<label>Request Type</label>
</input>
<input type="text" token="type2" searchWhenChanged="false">
<label>Company</label>
</input>
<panel depends="$env$">
<title></title>
<table>
<search>
<query>sourcetype="sample" $env$....</query>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<drilldown>
<!-- Use set to specify the new token to be created.
Use any token from the page or from the click event to produce the value needed. -->
<set token="type">$row.type$</set>
<!-- If we also set the form.sourcetype the input will get updated too -->
<set token="form.type">$row.type$</set>
</drilldown>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
**<panel depends="$type$,$env$">**
<title></title>
<table>
<search>
<query>sourcetype="perf_log_bizx" $env$|....</query>
<sampleRatio>1</sampleRatio>
</search>
<format type="color" field="field1">
<colorPalette type="list">[#FFFF99,#3CB371,#F08080]</colorPalette>
<scale type="threshold">2,6,10000</scale>
</format>
<format type="color" field="field2">
<colorPalette type="list">[#FFFF99,#3CB371,#F08080]</colorPalette>
<scale type="threshold">2,6,10000</scale>
</format>
<format type="number" field="field3">
<option name="precision">0</option>
<option name="useThousandSeparators">true</option>
</format>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<drilldown>
<!-- Use set to specify the new token to be created.
Use any token from the page or from the click event to produce the value needed. -->
<set token="type2">$row.type2$</set>
<!-- If we also set the form.sourcetype the input will get updated too -->
<set token="form.type2">$row.type2$</set>
</drilldown>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel depends="$type2$,$env$">
<title></title>
<table>
<search>
<query>sourcetype="perf_log_bizx" $env$|....</query>
<sampleRatio>1</sampleRatio>
</search>
<format type="color" field="field1)">
<colorPalette type="list">[#FFFF99,#3CB371,#F08080]</colorPalette>
<scale type="threshold">2,6,10000</scale>
</format>
<format type="color" field="field2">
<colorPalette type="list">[#FFFF99,#3CB371,#F08080]</colorPalette>
<scale type="threshold">2,6,10000</scale>
</format>
<format type="number" field="field3">
<option name="precision">0</option>
<option name="useThousandSeparators">true</option>
</format>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>