Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timeseries: Rename Legend DYNAMICALLY based on Lookup and Token

flopit
Path Finder
‎01-17-2019 01:58 AM

Hi,

I have the following challenge: the user should be able to dynamically select parameters (a001, a002, a003, …, aXYZ) from a combox (works good, writing to token $parameters_a$), and then the average values of the selected parameters should be displayed in a timeseries (also works good).

Combox is defined as:
token: "parameters_a"
token value prefix: "avg("
token value suffix: ")"

Timeseries is defined as:
… (lots of code) …| timechart span=$span$ $parameters_a$

Now, instead of displaying the names avg(a001), avg(a008), avg(a010), ... (dynamically selected!) in the timechart's legend, I want to display the human-readable names of the selected parameters (these can be retireved by a lookup table: parameter -> parameterText).

I have a problem how to adjust the timeseries statement to DYNAMICALLY display the parameterText in the legend instead of the avg(aXYZ). If they were static, I could simply rename them using "AS", but in the parameter list, there are up to 50 selectable parameters.
How can this be achieved in a simple and dynamic way by adding sth to the timeseries chart statement?
It sounds like an easy problem ("display lookup texts instead of the technical names in the time series legend"), but I did not come up with an elegant solution…

Thanks for helping!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

flopit
Path Finder
‎01-22-2019 03:53 AM

Hi,

in case sb needs sth similar: I found a solution by combining the suggestions above and first creating a table, and adding extra code for the lookup and special renaming logic (bc the names themselves can contain open and closing brackets. Combox multi-selection only uses delimeter=, . 

index=iot_prod_mtg 
| search mac_nwpn="$mac_nwpn$"
| lookup smartguard mac_nwpn
| eval a008 = case(Hochdrucksensor=="((((A008 * 10) - 200) * 450) / 800) / 10", ((((a008 * 10) - 200) * 450) / 800) / 10, Hochdrucksensor=="((((A008 * 10) - 200) * 345) / 800) / 10", ((((a008 * 10) - 200) * 345) / 800) / 10, 1==1, a008)
| eval a101 = case(Niederdrucksensor=="((((A101 * 10) - 200) * 345) / 800) / 10", ((((a101 * 10) - 200) * 345) / 800) / 10, Niederdrucksensor=="((((A101 * 10) - 200) * 173) / 800) / 10", ((((a101 * 10) - 200) * 173) / 800) / 10, 1==1, a101) | table _time, $parameters_a$ | untable _time, param, myvalue | join param [ inputlookup parameters where version="$version$" Group="$group$" | table param, paramText ] | xyseries _time,paramText,myvalue |  timechart span=$span$ avg(*) | rename "avg(*)" as * | rename "avg(*))" as *)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

flopit
Path Finder
‎01-22-2019 03:53 AM

Hi,

in case sb needs sth similar: I found a solution by combining the suggestions above and first creating a table, and adding extra code for the lookup and special renaming logic (bc the names themselves can contain open and closing brackets. Combox multi-selection only uses delimeter=, . 

index=iot_prod_mtg 
| search mac_nwpn="$mac_nwpn$"
| lookup smartguard mac_nwpn
| eval a008 = case(Hochdrucksensor=="((((A008 * 10) - 200) * 450) / 800) / 10", ((((a008 * 10) - 200) * 450) / 800) / 10, Hochdrucksensor=="((((A008 * 10) - 200) * 345) / 800) / 10", ((((a008 * 10) - 200) * 345) / 800) / 10, 1==1, a008)
| eval a101 = case(Niederdrucksensor=="((((A101 * 10) - 200) * 345) / 800) / 10", ((((a101 * 10) - 200) * 345) / 800) / 10, Niederdrucksensor=="((((A101 * 10) - 200) * 173) / 800) / 10", ((((a101 * 10) - 200) * 173) / 800) / 10, 1==1, a101) | table _time, $parameters_a$ | untable _time, param, myvalue | join param [ inputlookup parameters where version="$version$" Group="$group$" | table param, paramText ] | xyseries _time,paramText,myvalue |  timechart span=$span$ avg(*) | rename "avg(*)" as * | rename "avg(*))" as *)
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-22-2019 05:48 AM

@flopit, If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

flopit
Path Finder
‎01-18-2019 12:45 AM

Hi,

thanks for helping, I will paste the code below bc. there are still two challenges:
1. Instead of the dynamic paramText, the token seems to contain the static text "$p_txt$". Think there is sth wrong with assigning the text value of the label, p_txt (this concatenates the param code with the actual param text) , to it in the change statement.
3. The input combobox must be multiselect, bc. the user must be able to select multiple parameters and display them with their corresponding labels in the time series.

Code for Input Combobox:

 <input type="multiselect" token="parameters_a">
      <label>Parameters Analog</label>
      <fieldForLabel>p_txt</fieldForLabel>
      <fieldForValue>param</fieldForValue>
      <search>
        <query>| inputlookup parameters
| search version="$version$"
| search [
  | inputlookup smartguard  | search mac_nwpn = "$mac_nwpn$"
  | lookup models WP_Typ
  | table Group ]
| search (param = "a*" OR param = "i*")
| sort param
| eval p_txt = param + " " + paramText
| table p_txt, param</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <set token="parameterText">$p_txt$</set>
      </change>
    </input>

Code for the time series:

 <row>
        <panel>
          <title>Parameter Analog</title>
          <chart>
            <search>
              <query>index=iot_prod_mtg 
    | search mac_nwpn="$mac_nwpn$"
    | lookup smartguard mac_nwpn
    | eval a008 = case(Hochdrucksensor=="((((A008 * 10) - 200) * 450) / 800) / 10", ((((a008 * 10) - 200) * 450) / 800) / 10, Hochdrucksensor=="((((A008 * 10) - 200) * 345) / 800) / 10", ((((a008 * 10) - 200) * 345) / 800) / 10, 1==1, a008)
    | eval a101 = case(Niederdrucksensor=="((((A101 * 10) - 200) * 345) / 800) / 10", ((((a101 * 10) - 200) * 345) / 800) / 10, Niederdrucksensor=="((((A101 * 10) - 200) * 173) / 800) / 10", ((((a101 * 10) - 200) * 173) / 800) / 10, 1==1, a101)
| timechart span=$span$ avg("$parameters_a$") as "$parameterText$"
              <earliest>$time01.earliest$</earliest>
              <latest>$time01.latest$</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="charting.chart">line</option>
            <option name="charting.drilldown">none</option>
            <option name="refresh.display">progressbar</option>
          </chart>
        </panel>
      </row>
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎01-17-2019 08:01 AM

@flopit following is a sample run anywhere code with Static Dropdown options (where you can plug in Dynamic Search).

It prepares the query so that average can be performed on parameter id field and renamed as parameter text.
The changes required in your existing dropdown code would be to remove Prefix and Suffix and add <change> event handler to capture Dropdown label which is the Parameter Text.

      <change>
        <set token="parameterText">$label$</set>
      </change>

Please try out following run anywhere example and confirm. If your expected behavior is different please provide more details for the code of your existing dropdown as requested.

<form>
  <label>Dropdown change event handler</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="parameters_a" searchWhenChanged="true">
      <label></label>
      <choice value="test01">First Test</choice>
      <choice value="test02">Second Test</choice>
      <change>
        <set token="parameterText">$label$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        yourCurrentSearch
        | timechart span=$span$ avg("$parameters_a$") as "$parameterText$"
      </html>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎01-17-2019 07:48 AM

@flopit can you share complete code for parameters_a dropdown for us to assist you better?

If not could you please explain the following:
1. Is your dropdown formed from by Static values or Dynamic?
2. Field for value seems to be parameter. Is it coming from lookup?
3. The same lookup file has parameterText?
4. What is the lookup file name?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

flopit
Path Finder
‎01-22-2019 01:54 AM

Hi,
1. it is dynamic values
2. the actual values are taken from the events, the end-user can filter the displayed ones by using the lookup (both codings see below)
3. yes
4. lookup file name is "parameters"

Already added the full codings for both lookup and time series, please see below "answer"!

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎01-17-2019 07:16 AM

@flopit,

If you just want to replace avg(value1) as value, easiest way is 

 (lots of code) …| timechart span=$span$ $parameters_a$|rename "avg(*)" as *

If you need specific text for each parameter, then try

 (lots of code) …| timechart span=$span$ $parameters_a$
|untable _time,parameter,avg
|lookup  your_look_up_file parameter output parameterText
|xyseries _time,parameterText,avg
Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

flopit
Path Finder
‎01-18-2019 01:57 AM

Hi, the problem is that the lookup is a bit more complex (see above), and if I come from the other direction (index -> smartguard -> models -> parameters), I need the last lookup to use parameter, Group and version - and Group and Version is "not available"... is there a way to first create a table and then a timechart? I pasted the full code for combox and time series, hope you can see it...

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...