Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

filter based on dropdown with condition

prakashmca05
Explorer
‎06-01-2020 04:12 AM

Hi,

Could someone help on the below requirement.

I have the index as sampleindex and which returns the one of the output called environment_name as
app1_dev,
app1_tst,
app1_prd,
app2_dev,
app2_tst,
app2_prd,
app2,dev,
app3_tst,
app3_prd.
along with few more outputs, i have to bring the timechart with environment_name and cost on given duration.

Here I am not interested on all environment, for example i need to get the result only on app1_dev, app2_dev and we don't want to show app3_dev when i am selecting the Environment name as "dev". Same applies for all environment.

And the above given environment combination is just an sample, i have around 10+ environment(dev, int, tst, prd, etc...) with combination of 10 application (app1, app2, app3, etc..,)

I have to use Dropdown as Input field and choice as , to group all the environment type as below.

    <label>Environment</label>
    <choice value="*dev">dev</choice>
    <choice value="*tst">tst</choice>
    <choice value="*prd">prd</choice>
    <default>*prd</default>
  </input>

When i select the value as "dev", the chart should show the output as app1_dev, app2_dev and app2_dev on chart . Could someone help on how to query this. I have tried using case statement, but which returns as sum based on environment namings what i selecting from dropdown..

eval namespace=case(match(environment_name,"app1-dev"),"dev", match(environment_name,"app2-dev"),"dev", match(environment_name,"app3-dev"),"dev")

Re phrased the question again.

Labels (2)
Labels
0 Karma
Reply

jpolvino
Builder
‎06-01-2020 10:43 AM

If your searches are lightweight, you could potentially run all 3 searches and hide/show panels depending on the dropdown value selected. This works well if you have static index and environment_names, which looks to be true in your case. It also renders very fast when you switch the drop down selection.

Here is one way to do it, which can be pasted in as dashboard source XML. It has dummy searches to illustrate different results.

<form>
  <label>3 env demo</label>
  <fieldset submitButton="false" autoRun="false">
    <input type="dropdown" token="tokEnv">
      <label>Environment</label>
      <choice value="dev">dev</choice>
      <choice value="tst">tst</choice>
      <choice value="prd">prd</choice>
      <default>dev</default>
      <initialValue>dev</initialValue>
      <change>
        <condition label="dev">
          <set token="dev">true</set>
          <unset token="tst"></unset>
          <unset token="prd"></unset>
        </condition>
        <condition label="tst">
          <unset token="dev"></unset>
          <set token="tst">true</set>
          <unset token="prd"></unset>
        </condition>
        <condition label="prd">
          <unset token="dev"></unset>
          <unset token="tst"></unset>
          <set token="prd">true</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$dev$">
      <table>
        <title>dev panel</title>
        <search>
          <query>| makeresults count=5 | eval x=1 | accum x | autoregress x p=1-4</query>
          <earliest>-10s@s</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$tst$">
      <table>
        <title>tst panel</title>
        <search>
          <query>| makeresults | eval timestamp=strftime(_time,"%Y-%m-%d %H:%M:%S")</query>
          <earliest>-1s@s</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$prd$">
      <table>
        <title>prd panel</title>
        <search>
          <query>| makeresults count=3 | eval x=5 | accum x | autoregress x p=1-2</query>
          <earliest>-1s@s</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply

prakashmca05
Explorer
‎06-02-2020 04:50 AM

Thanks for your Input.

In the example, i have provided just 3 environment name for example. Actually i have around 10+ of environments. Do we have any alternative way rather using the panel for each environment ?

However i will be trying this solution as well to see how this works.

0 Karma
Reply

prakashmca05
Explorer
‎06-02-2020 05:46 AM

I have updated the question again with clear requirement.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...