Dashboards & Visualizations

conditional based query

lping
Explorer

I am passing the token "host_tok" from dashboardA to dashboardB.

Now I am trying to set the query based on the token passed.

XML for Dashboard B is as below:
================

<dashboard>
   <label>Consul Level 2 Errors</label>
   <description>Gives stats on ERRORS</description>
   <row>
      <panel>
         <single>
            <title>Number of Errors in last 5 minutes</title>
            <search>
               <init>
                  <condition match="$host_tok$==&quot;consul_client&quot;">
                     <set token="Panel1">host!=*consul* OR servername!=*consul* earliest=-5m sourcetype=consul_log index=hcm_consul "[ERROR]" NOT ("rpc error making call: rpc error making call: Permission denied" OR "rpc error making call: Permission denied" OR "Newer Consul version available") | eval SEARCH_CRITERIA=case(like(_raw, "%Push/Pull with%"), "Push/Pull Error", like(_raw, "%Failed fallback ping%"), "Failed fallback ping Error", like(_raw, "%connection reset by peer%"), "Connection reset by peer Error", like(_raw, "%keepalive timeout%"), "Keepalive Timeout Error", like(_raw, "%i/o timeout%"), "I/O Timeout Error", like(_raw, "%lead thread didn't get connection%"), "Lead thread didn't get connection Error", like(_raw, "%failed to get conn: EOF%"), "Failed to get conn: EOF Error", like(_raw, "%rpc error making call: EOF%"), "RPC error making call: EOF Error", like(_raw, "%Permission denied%"), "Permission denied Error", like(_raw, "%Timeout exceeded while awaiting headers%"), "Timeout exceeded while awaiting headers Error", true(), "Other Error")| stats count by SEARCH_CRITERIA</set>
                  </condition>
                  <condition match="$host_tok$==&quot;consul_server&quot;">
                     <set token="Panel1">host=*consul* OR servername=*consul* earliest=-5m sourcetype=consul_log index=hcm_consul "[ERROR]" NOT ("rpc error making call: rpc error making call: Permission denied" OR "rpc error making call: Permission denied" OR "Newer Consul version available") | eval SEARCH_CRITERIA=case(like(_raw, "%Push/Pull with%"), "Push/Pull Error", like(_raw, "%Failed fallback ping%"), "Failed fallback ping Error", like(_raw, "%connection reset by peer%"), "Connection reset by peer Error", like(_raw, "%keepalive timeout%"), "Keepalive Timeout Error", like(_raw, "%i/o timeout%"), "I/O Timeout Error", like(_raw, "%lead thread didn't get connection%"), "Lead thread didn't get connection Error", like(_raw, "%failed to get conn: EOF%"), "Failed to get conn: EOF Error", like(_raw, "%rpc error making call: EOF%"), "RPC error making call: EOF Error", like(_raw, "%Permission denied%"), "Permission denied Error", like(_raw, "%Timeout exceeded while awaiting headers%"), "Timeout exceeded while awaiting headers Error", true(), "Other Error")| stats count by SEARCH_CRITERIA</set>
                  </condition>
               </init>
               <query>$Panel1$</query>
               <earliest>$earliest$</earliest>
               <latest>$latest$</latest>
               <refresh>1m</refresh>
               <refreshType>delay</refreshType>
            </search>
            <option name="count">10</option>
            <option name="drilldown">cell</option>
         </single>
      </panel>
   </row>
   <row>
      <panel>
         <chart>
            <title>Error's Trendline for Nodes in last 60 minutes</title>
            <search>
               <query>$Panel2$</query>
               <earliest>-60m@m</earliest>
               <latest>now</latest>
               <refresh>1m</refresh>
            </search>
            <option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
            <option name="charting.chart">line</option>
         </chart>
      </panel>
   </row>
</dashboard>

================

I am unable to get data; it keeps saying "waiting for input".

Can you suggest how I can achieve two different queries based on the token passed?

 

niketn
Legend

@lping Based on your example, it seems like the host_tok token value from the source dashboard can only have two values, i.e. consul_client or consul_server. In the destination dashboard, if you do not want users to change this value, have a hidden input consume the token and set the required SPL accordingly. I have used a dropdown in the following example.

PS: search event handlers can be <done>, <progress>, <fail>, <error> or <cancelled>. The <init> section is only for dashboard load. Having said this, you actually need an input and need to code a <change> event handler.

I don't know where you are getting $earliest$ and $latest$ from for one of your panels, while the other panel's search uses a static time. If these tokens are also coming from the source dashboard's drilldown, you would need to create a time input as well and set the default value accordingly.

Please try out and confirm the following example based on your question:

<form>
  <label>Conditional Token</label>
  <description>Gives stats on ERRORS</description>
  <fieldset submitButton="false">
    <input depends="$alwaysHide$" type="dropdown" token="host_tok" searchWhenChanged="true">
      <label></label>
      <change>
        <condition value="consul_client">
          <set token="Panel1">host!=*consul* OR servername!=*consul* earliest=-5m sourcetype=consul_log index=hcm_consul "[ERROR]" NOT ("rpc error making call: rpc error making call: Permission denied" OR "rpc error making call: Permission denied" OR "Newer Consul version available") | eval SEARCH_CRITERIA=case(like(_raw, "%Push/Pull with%"), "Push/Pull Error", like(_raw, "%Failed fallback ping%"), "Failed fallback ping Error", like(_raw, "%connection reset by peer%"), "Connection reset by peer Error", like(_raw, "%keepalive timeout%"), "Keepalive Timeout Error", like(_raw, "%i/o timeout%"), "I/O Timeout Error", like(_raw, "%lead thread didn't get connection%"), "Lead thread didn't get connection Error", like(_raw, "%failed to get conn: EOF%"), "Failed to get conn: EOF Error", like(_raw, "%rpc error making call: EOF%"), "RPC error making call: EOF Error", like(_raw, "%Permission denied%"), "Permission denied Error", like(_raw, "%Timeout exceeded while awaiting headers%"), "Timeout exceeded while awaiting headers Error", true(), "Other Error")| stats count by SEARCH_CRITERIA</set>
          <set token="Panel2">| gentimes start=-10 
| eval _time=starttime 
| fields _time
| eval client=random()</set>
        </condition>
        <condition value="consul_server">
          <set token="Panel1">host=*consul* OR servername=*consul* earliest=-5m sourcetype=consul_log index=hcm_consul "[ERROR]" NOT ("rpc error making call: rpc error making call: Permission denied" OR "rpc error making call: Permission denied" OR "Newer Consul version available") | eval SEARCH_CRITERIA=case(like(_raw, "%Push/Pull with%"), "Push/Pull Error", like(_raw, "%Failed fallback ping%"), "Failed fallback ping Error", like(_raw, "%connection reset by peer%"), "Connection reset by peer Error", like(_raw, "%keepalive timeout%"), "Keepalive Timeout Error", like(_raw, "%i/o timeout%"), "I/O Timeout Error", like(_raw, "%lead thread didn't get connection%"), "Lead thread didn't get connection Error", like(_raw, "%failed to get conn: EOF%"), "Failed to get conn: EOF Error", like(_raw, "%rpc error making call: EOF%"), "RPC error making call: EOF Error", like(_raw, "%Permission denied%"), "Permission denied Error", like(_raw, "%Timeout exceeded while awaiting headers%"), "Timeout exceeded while awaiting headers Error", true(), "Other Error")| stats count by SEARCH_CRITERIA</set>
          <set token="Panel2">| gentimes start=-10 
| eval _time=starttime 
| fields _time
| eval server=random()</set>
        </condition>
      </change>
      <choice value="consul_client">Client</choice>
      <choice value="consul_server">Server</choice>
      <default>consul_client</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <title>Number of Errors in last 5 minutes</title>
        <search>
          <query>$Panel1$</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Error's Trendline for Nodes in last 60 minutes</title>
        <search>
          <query>$Panel2$</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <refresh>1m</refresh>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>

 

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

lping
Explorer

Hi @niketn ,

Thanks for your reply.

I tried the solution you have proposed and it is close enough, but the only issue is that when I click from Dashboard 1, my host_tok is being passed as
https://xyz.com/en-US/app/search/consul_level2_errors_test?host_tok="consul_server"&form.host_tok=
along with an additional form.host_tok which can't be defaulted to any value.

Basically, my second dashboard needs to consume host_tok and, based on that, it needs to run the query set under the condition tag.

Hope you can help me in fixing this issue.


niketn
Legend

@lping when you are trying to pass a value from one dashboard to another, you have to use form-based URL tokens, so instead of using host_tok use form.host_tok.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
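
An added example, not part of the original thread: a hypothetical source dashboard (Dashboard A) whose table drilldown passes form.host_tok to the destination form shown earlier. The table, its node_type field and the makeresults rows are constructed for illustration; the destination path is taken from the URL quoted in the question above.

```xml
<!-- Hypothetical Dashboard A (source); constructed for illustration -->
<dashboard>
  <label>Consul Overview (example source dashboard)</label>
  <row>
    <panel>
      <table>
        <title>Node types (constructed sample rows)</title>
        <search>
          <!-- Constructed data: one row per value the destination accepts -->
          <query>| makeresults
| eval node_type=split("consul_client,consul_server", ",")
| mvexpand node_type
| table node_type</query>
          <earliest>-5m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- form.host_tok (not host_tok) populates the destination's input.
               The value is sent without surrounding quotes so it equals the
               <choice>/<condition> values consul_client / consul_server.
               |u URL-encodes the clicked value. -->
          <link target="_blank">/app/search/consul_level2_errors_test?form.host_tok=$row.node_type|u$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```
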

lping
Explorer

Thanks for your help, @niketn. It works perfectly.

niketn
Legend

@lping you should have accepted the previous elaborate answer, as that covered the solution for the issue posted. However, do upvote the comments / answers that assisted in resolving your issue!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"