Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

conditional based query

lping
Explorer
‎07-09-2020 04:55 AM

I am passing token "host_tok" from dashboardA to dashboardB

Now I am trying to set the query based on token passed

XML for Dashboard B as below:
================

<dashboard>
   <label>Consul Level 2 Errors</label>
   <description>Gives stats on ERRORS</description>
   <row>
      <panel>
         <single>
            <title>Number of Errors in last 5 minutes</title>
            <search>
               <init>
                  <condition match="$host_tok$==&quot;consul_client&quot;">
                     <set token="Panel1">host!=*consul* OR servername!=*consul* earliest=-5m sourcetype=consul_log index=hcm_consul "[ERROR]" NOT ("rpc error making call: rpc error making call: Permission denied" OR "rpc error making call: Permission denied" OR "Newer Consul version available") | eval SEARCH_CRITERIA=case(like(_raw, "%Push/Pull with%"), "Push/Pull Error", like(_raw, "%Failed fallback ping%"), "Failed fallback ping Error", like(_raw, "%connection reset by peer%"), "Connection reset by peer Error", like(_raw, "%keepalive timeout%"), "Keepalive Timeout Error", like(_raw, "%i/o timeout%"), "I/O Timeout Error", like(_raw, "%lead thread didn't get connection%"), "Lead thread didn't get connection Error", like(_raw, "%failed to get conn: EOF%"), "Failed to get conn: EOF Error", like(_raw, "%rpc error making call: EOF%"), "RPC error making call: EOF Error", like(_raw, "%Permission denied%"), "Permission denied Error", like(_raw, "%Timeout exceeded while awaiting headers%"), "Timeout exceeded while awaiting headers Error", true(), "Other Error")| stats count by SEARCH_CRITERIA</set>
                  </condition>
                  <condition match="$host_tok$==&quot;consul_server&quot;">
                     <set token="Panel1">host=*consul* OR servername=*consul* earliest=-5m sourcetype=consul_log index=hcm_consul "[ERROR]" NOT ("rpc error making call: rpc error making call: Permission denied" OR "rpc error making call: Permission denied" OR "Newer Consul version available") | eval SEARCH_CRITERIA=case(like(_raw, "%Push/Pull with%"), "Push/Pull Error", like(_raw, "%Failed fallback ping%"), "Failed fallback ping Error", like(_raw, "%connection reset by peer%"), "Connection reset by peer Error", like(_raw, "%keepalive timeout%"), "Keepalive Timeout Error", like(_raw, "%i/o timeout%"), "I/O Timeout Error", like(_raw, "%lead thread didn't get connection%"), "Lead thread didn't get connection Error", like(_raw, "%failed to get conn: EOF%"), "Failed to get conn: EOF Error", like(_raw, "%rpc error making call: EOF%"), "RPC error making call: EOF Error", like(_raw, "%Permission denied%"), "Permission denied Error", like(_raw, "%Timeout exceeded while awaiting headers%"), "Timeout exceeded while awaiting headers Error", true(), "Other Error")| stats count by SEARCH_CRITERIA</set>
                  </condition>
               </init>
               <query>$Panel1$</query>
               <earliest>$earliest$</earliest>
               <latest>$latest$</latest>
               <refresh>1m</refresh>
               <refreshType>delay</refreshType>
            </search>
            <option name="count">10</option>
            <option name="drilldown">cell</option>
         </single>
      </panel>
   </row>
   <row>
      <panel>
         <chart>
            <title>Error's Trendline for Nodes in last 60 minutes</title>
            <search>
               <query>$Panel2$</query>
               <earliest>-60m@m</earliest>
               <latest>now</latest>
               <refresh>1m</refresh>
            </search>
            <option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
            <option name="charting.chart">line</option>
         </chart>
      </panel>
   </row>
</dashboard>

================

I am unable to get data its keep saying waiting for input.

Can you suggest how I can achieve two different queries based on token passed?

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎07-13-2020 10:24 AM

@lping when you are trying to pass value from one dashboard to other you have to use form based URL tokens so instead of using host_tok use form.host_tok.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎07-09-2020 12:15 PM

@lping  Based on your example seems like host_tok token value from source dashboard can only have two values i.e. consul_client or consul_server. In the destination dashboard if you do not want users to change this value have a hidden input consume the token and set required SPL accordingly. I have used a dropdown in the following example.

PS: search event handlers can be <done>, <progress>, <fail>, <error> or <cancelled>. The <init> section is only for Dashboard load. Having said these you actually need an input and code <change> event handler.

I dont know from where you are getting $earliest$ and $latest$ for one of your panel while the other panel Search uses static time. If these tokens are also coming from the source dashboard's drilldown, you would need to create a time input as well and set the default value accordingly.

Please try out and confirm the following example based on your question:

<form>
  <label>Conditional Token</label>
  <description>Gives stats on ERRORS</description>
  <fieldset submitButton="false">
    <input depends="$alwaysHide$" type="dropdown" token="host_tok" searchWhenChanged="true">
      <label></label>
      <change>
        <condition value="consul_client">
          <set token="Panel1">host!=*consul* OR servername!=*consul* earliest=-5m sourcetype=consul_log index=hcm_consul "[ERROR]" NOT ("rpc error making call: rpc error making call: Permission denied" OR "rpc error making call: Permission denied" OR "Newer Consul version available") | eval SEARCH_CRITERIA=case(like(_raw, "%Push/Pull with%"), "Push/Pull Error", like(_raw, "%Failed fallback ping%"), "Failed fallback ping Error", like(_raw, "%connection reset by peer%"), "Connection reset by peer Error", like(_raw, "%keepalive timeout%"), "Keepalive Timeout Error", like(_raw, "%i/o timeout%"), "I/O Timeout Error", like(_raw, "%lead thread didn't get connection%"), "Lead thread didn't get connection Error", like(_raw, "%failed to get conn: EOF%"), "Failed to get conn: EOF Error", like(_raw, "%rpc error making call: EOF%"), "RPC error making call: EOF Error", like(_raw, "%Permission denied%"), "Permission denied Error", like(_raw, "%Timeout exceeded while awaiting headers%"), "Timeout exceeded while awaiting headers Error", true(), "Other Error")| stats count by SEARCH_CRITERIA</set>
          <set token="Panel2">| gentimes start=-10 
| eval _time=starttime 
| fields _time
| eval client=random()</set>
        </condition>
        <condition value="consul_server">
          <set token="Panel1">host=*consul* OR servername=*consul* earliest=-5m sourcetype=consul_log index=hcm_consul "[ERROR]" NOT ("rpc error making call: rpc error making call: Permission denied" OR "rpc error making call: Permission denied" OR "Newer Consul version available") | eval SEARCH_CRITERIA=case(like(_raw, "%Push/Pull with%"), "Push/Pull Error", like(_raw, "%Failed fallback ping%"), "Failed fallback ping Error", like(_raw, "%connection reset by peer%"), "Connection reset by peer Error", like(_raw, "%keepalive timeout%"), "Keepalive Timeout Error", like(_raw, "%i/o timeout%"), "I/O Timeout Error", like(_raw, "%lead thread didn't get connection%"), "Lead thread didn't get connection Error", like(_raw, "%failed to get conn: EOF%"), "Failed to get conn: EOF Error", like(_raw, "%rpc error making call: EOF%"), "RPC error making call: EOF Error", like(_raw, "%Permission denied%"), "Permission denied Error", like(_raw, "%Timeout exceeded while awaiting headers%"), "Timeout exceeded while awaiting headers Error", true(), "Other Error")| stats count by SEARCH_CRITERIA</set>
          <set token="Panel2">| gentimes start=-10 
| eval _time=starttime 
| fields _time
| eval server=random()</set>
        </condition>
      </change>
      <choice value="consul_client">Client</choice>
      <choice value="consul_server">Server</choice>
      <default>consul_client</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <title>Number of Errors in last 5 minutes</title>
        <search>
          <query>$Panel1$</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Error's Trendline for Nodes in last 60 minutes</title>
        <search>
          <query>$Panel2$</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <refresh>1m</refresh>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>

 

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

lping
Explorer
‎07-13-2020 09:55 AM

Hi @niketn ,

Thanks for your reply.

I tried the solution you have proposed and is close enough but only issue is when I click from Dashboard 1 my host_tok is been passed as 
https://xyz.com/en-US/app/search/consul_level2_errors_test?host_tok="consul_server"&form.host_tok=
along with additional form.host_tok which cant be defaulted to any value.

Basically my second dashboard need to consume host_tok and based on that it need to run the query set under condition tag.

Hope you can help me in fixing this issue.

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎07-13-2020 10:24 AM

@lping when you are trying to pass value from one dashboard to other you have to use form based URL tokens so instead of using host_tok use form.host_tok.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

lping
Explorer
‎07-14-2020 01:10 AM

Thanks for your help @niketn  It works perfectly.

Reply
Solved! Jump to solution

niketn
Legend
‎07-14-2020 11:44 AM

@lping you should have accepted the previous elaborate answer, as that covered the solution for the issue posted. However, do upvote the comments / answers that assisted resolving your issue!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...