Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

use token in dashboard with if statement

sarit_s
Communicator
‎08-30-2021 03:39 AM

Hello
I have a dashboard with this search 

sourcetype="Perfmon:Windows Time Service" counter="Computed Time Offset" if $host$="yes" [| inputlookup windows_hosts_srv_2016.csv  | fields host | format] | timechart max(Value) by host span=5m

I want to add checkbox so the defualt search will be

sourcetype="Perfmon:Windows Time Service" counter="Computed Time Offset" if $host$="yes" host=* | timechart max(Value) by host span=5m


and if the client clicks on the checkbox then it will search by the first query 

how it can be done ?

thanks

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-30-2021 04:48 AM

If the checkbox is selected then have the token value be "host=*".  If it is not selected then the token should contain the subsearch.  Then the query becomes

sourcetype="Perfmon:Windows Time Service" counter="Computed Time Offset" $host$ | timechart max(Value) by host span=5m
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sarit_s
Communicator
‎08-30-2021 04:52 AM

Where should I add the conditions?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-30-2021 05:45 AM

In the <input> element where the token is defined.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sarit_s
Communicator
‎08-30-2021 11:18 AM

should it be something like this: 

<form>
  <label>Clock sync Clone</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="checkbox" token="field2">
      <label>field2</label>
      <choice value="yes">Check for listed hosts</choice>
      <delimiter> </delimiter>
      <change>
        <condition value="yes">
          <query>sourcetype="Perfmon:Windows Time Service" counter="Computed Time Offset" $host$ | timechart max(Value) by host span=5m</query>
        </condition>
        <condition>
          <eval token="checked_result_value">"B"</eval>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Time sync Windows servers 2016</title>
      <chart>
        <title>Time sync Windows servers 2016</title>
        <search>
          <query>sourcetype="Perfmon:Windows Time Service" counter="Computed Time Offset"  [| inputlookup windows_hosts_srv_2016.csv  | fields host | format] | timechart max(Value) by host span=5m</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">right</option>
        <option name="height">262</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Time sync Windows servers 2012</title>
      <chart>
        <search>
          <query>sourcetype=timekeeper_status [| inputlookup windows_hosts_srv_2012.csv | fields host | format] | timechart max(offsets."0") by host</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>

i think im a little bit confused

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-30-2021 12:04 PM

I was thinking of something like this:

    <input type="checkbox" token="field2">
      <label>field2</label>
      <choice value="yes">Check for listed hosts</choice>
      <delimiter> </delimiter>
      <change>
        <condition value="yes">
          <set token="host">[| inputlookup windows_hosts_srv_2012.csv | fields host | format]</set>
        </condition>
        <condition>
          <set token="host">*</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
...
  </row>
  <row>
    <panel>
      <title>Time sync Windows servers 2012</title>
      <chart>
        <search>
          <query>sourcetype=timekeeper_status $host$ | timechart max(offsets."0") by host</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sarit_s
Communicator
‎08-30-2021 12:25 PM

i changed the query you wrote since i think there was a type
the query should be 

sourcetype="Perfmon:Windows Time Service" counter="Computed Time Offset"  $host$ | timechart max(Value) by host span=5m

but now i have 2 issues:

1. i have 2 panels with different csv file but i want the same checkbox to change them so i think it is impossible to put the file name in the token, no ?

2. if the checkbox is unchecked then i get this query:

sourcetype="Perfmon:Windows Time Service" counter="Computed Time Offset"  * | timechart max(Value) by host span=5m

and it should be host=* and not just *

also, the graph is now showing dots...

sarit_s_0-1630351849845.png

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-30-2021 02:13 PM

1. Using 2 difference CSVs is possible, but you'll have to use 2 tokens.  Set them both in the same <change> element with two <set> elements.

2. My bad.  The token should be set to "host=*" if the checkbox is not selected.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sarit_s
Communicator
‎08-30-2021 08:17 PM

Where should I set the host=*? I don’t see we configured it anywhere

what about the dots issue? Before the changes it was lines

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-31-2021 04:44 AM

Instead of

<set token="host">*</set>

use

<set token="host">host=*</set>

 

As for the dots problem, have you checked the format settings for the visualization?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sarit_s
Communicator
‎08-31-2021 04:54 AM

its working, thanks

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-31-2021 06:23 AM

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...