Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

use token in dashboard with if statement

sarit_s
Communicator
‎08-30-2021 03:39 AM

Hello
I have a dashboard with this search 

sourcetype="Perfmon:Windows Time Service" counter="Computed Time Offset" if $host$="yes" [| inputlookup windows_hosts_srv_2016.csv  | fields host | format] | timechart max(Value) by host span=5m

I want to add checkbox so the defualt search will be

sourcetype="Perfmon:Windows Time Service" counter="Computed Time Offset" if $host$="yes" host=* | timechart max(Value) by host span=5m


and if the client clicks on the checkbox then it will search by the first query 

how it can be done ?

thanks

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-30-2021 04:48 AM

If the checkbox is selected then have the token value be "host=*".  If it is not selected then the token should contain the subsearch.  Then the query becomes

sourcetype="Perfmon:Windows Time Service" counter="Computed Time Offset" $host$ | timechart max(Value) by host span=5m
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sarit_s
Communicator
‎08-30-2021 04:52 AM

Where should I add the conditions?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-30-2021 05:45 AM

In the <input> element where the token is defined.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sarit_s
Communicator
‎08-30-2021 11:18 AM

should it be something like this: 

<form>
  <label>Clock sync Clone</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="checkbox" token="field2">
      <label>field2</label>
      <choice value="yes">Check for listed hosts</choice>
      <delimiter> </delimiter>
      <change>
        <condition value="yes">
          <query>sourcetype="Perfmon:Windows Time Service" counter="Computed Time Offset" $host$ | timechart max(Value) by host span=5m</query>
        </condition>
        <condition>
          <eval token="checked_result_value">"B"</eval>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Time sync Windows servers 2016</title>
      <chart>
        <title>Time sync Windows servers 2016</title>
        <search>
          <query>sourcetype="Perfmon:Windows Time Service" counter="Computed Time Offset"  [| inputlookup windows_hosts_srv_2016.csv  | fields host | format] | timechart max(Value) by host span=5m</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">right</option>
        <option name="height">262</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Time sync Windows servers 2012</title>
      <chart>
        <search>
          <query>sourcetype=timekeeper_status [| inputlookup windows_hosts_srv_2012.csv | fields host | format] | timechart max(offsets."0") by host</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>

i think im a little bit confused

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-30-2021 12:04 PM

I was thinking of something like this:

    <input type="checkbox" token="field2">
      <label>field2</label>
      <choice value="yes">Check for listed hosts</choice>
      <delimiter> </delimiter>
      <change>
        <condition value="yes">
          <set token="host">[| inputlookup windows_hosts_srv_2012.csv | fields host | format]</set>
        </condition>
        <condition>
          <set token="host">*</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
...
  </row>
  <row>
    <panel>
      <title>Time sync Windows servers 2012</title>
      <chart>
        <search>
          <query>sourcetype=timekeeper_status $host$ | timechart max(offsets."0") by host</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sarit_s
Communicator
‎08-30-2021 12:25 PM

i changed the query you wrote since i think there was a type
the query should be 

sourcetype="Perfmon:Windows Time Service" counter="Computed Time Offset"  $host$ | timechart max(Value) by host span=5m

but now i have 2 issues:

1. i have 2 panels with different csv file but i want the same checkbox to change them so i think it is impossible to put the file name in the token, no ?

2. if the checkbox is unchecked then i get this query:

sourcetype="Perfmon:Windows Time Service" counter="Computed Time Offset"  * | timechart max(Value) by host span=5m

and it should be host=* and not just *

also, the graph is now showing dots...

sarit_s_0-1630351849845.png

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-30-2021 02:13 PM

1. Using 2 difference CSVs is possible, but you'll have to use 2 tokens.  Set them both in the same <change> element with two <set> elements.

2. My bad.  The token should be set to "host=*" if the checkbox is not selected.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sarit_s
Communicator
‎08-30-2021 08:17 PM

Where should I set the host=*? I don’t see we configured it anywhere

what about the dots issue? Before the changes it was lines

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-31-2021 04:44 AM

Instead of

<set token="host">*</set>

use

<set token="host">host=*</set>

 

As for the dots problem, have you checked the format settings for the visualization?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sarit_s
Communicator
‎08-31-2021 04:54 AM

its working, thanks

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-31-2021 06:23 AM

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...