Solved: Splunk Dashboard - Change On Condition

beriwalnishant

Hello Experts,

I am trying to work on setting up panels with two different queries output based on a filter. I am using the change on condition option

<input type="dropdown" token="spliterror_1" searchWhenChanged="true">
<label>Splits</label>
<choice value="*">All</choice>
<choice value="false">Exclude</choice>
<choice value="true">Splits Only</choice>
<prefix>isSplit="</prefix>
<suffix>"</suffix>
<default>$spliterror_1$</default>
<change>
<condition label="All">
<set token="ShowAll">*</set>
<unset token="ShowTrue"></unset>
<unset token="ShowFalse"></unset>
</condition>
<condition label="Exclude">
<unset token="ShowAll"></unset>
<set token="ShowFalse">false</set>
<unset token="ShowTrue"></unset>
</condition>
<condition label="Splits Only">
<unset token="ShowAll"></unset>
<unset token="ShowFalse"></unset>
<set token="ShowTrue">true</set>
</condition>
</change>
</input>

The setting/unsetting token displays the panel accordingly but in backend all 3 queries run simultaneously, is there a way that only one condition and related query run only on selection basis

Nishant

ITWhisperer

Try something like this - note the use of empty tokens rather than "true" and "false" (I have added done handlers to show when the searches complete - which they don't if they are still waiting for input from the unset tokens).

<form version="1.1" theme="light">
  <label>Change on Condition</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="spliterror_1" searchWhenChanged="true">
      <label>Splits</label>
      <choice value="*">All</choice>
      <choice value="false">Exclude</choice>
      <choice value="true">Splits Only</choice>
      <prefix>isSplit="</prefix>
      <suffix>"</suffix>
      <default>*</default>
      <change>
        <condition label="All">
          <set token="ShowTrue"></set>
          <set token="ShowFalse"></set>
        </condition>
        <condition label="Exclude">
          <set token="ShowFalse"></set>
          <unset token="ShowTrue"></unset>
        </condition>
        <condition label="Splits Only">
          <unset token="ShowFalse"></unset>
          <set token="ShowTrue"></set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <p>Exclude completed $ExcludeComplete$</p>
        <p>Split only completed $SplitOnlyComplete$</p>
      </html>
    </panel>
  </row>
  <row>
    <panel depends="$ShowFalse$">
      <table>
        <title>Exclude</title>
        <search>
          <done>
            <eval token="ExcludeComplete">strftime(time(),"%F %T")</eval>
          </done>
          <query>index=_internal
$ShowFalse$
| stats count by component</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel depends="$ShowTrue$">
      <table>
        <title>Split only</title>
        <search>
          <done>
            <eval token="SplitOnlyComplete">strftime(time(),"%F %T")</eval>
          </done>
          <query>index=_internal
$ShowTrue$
| stats count by component</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

View solution in original post

beriwalnishant

I tried one, it did work but I can see in backend it still executed the query with 7MB query load

ITWhisperer

Please share what you have tried.

beriwalnishant

I added a fake field with a fake value in the query, was added by selecting a drop down option as additional step

ITWhisperer

Try something like this - note the use of empty tokens rather than "true" and "false" (I have added done handlers to show when the searches complete - which they don't if they are still waiting for input from the unset tokens).

<form version="1.1" theme="light">
  <label>Change on Condition</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="spliterror_1" searchWhenChanged="true">
      <label>Splits</label>
      <choice value="*">All</choice>
      <choice value="false">Exclude</choice>
      <choice value="true">Splits Only</choice>
      <prefix>isSplit="</prefix>
      <suffix>"</suffix>
      <default>*</default>
      <change>
        <condition label="All">
          <set token="ShowTrue"></set>
          <set token="ShowFalse"></set>
        </condition>
        <condition label="Exclude">
          <set token="ShowFalse"></set>
          <unset token="ShowTrue"></unset>
        </condition>
        <condition label="Splits Only">
          <unset token="ShowFalse"></unset>
          <set token="ShowTrue"></set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <p>Exclude completed $ExcludeComplete$</p>
        <p>Split only completed $SplitOnlyComplete$</p>
      </html>
    </panel>
  </row>
  <row>
    <panel depends="$ShowFalse$">
      <table>
        <title>Exclude</title>
        <search>
          <done>
            <eval token="ExcludeComplete">strftime(time(),"%F %T")</eval>
          </done>
          <query>index=_internal
$ShowFalse$
| stats count by component</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel depends="$ShowTrue$">
      <table>
        <title>Split only</title>
        <search>
          <done>
            <eval token="SplitOnlyComplete">strftime(time(),"%F %T")</eval>
          </done>
          <query>index=_internal
$ShowTrue$
| stats count by component</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

beriwalnishant

Ultimate, this worked super fine, but may I ask you to explain to me the logic as to how it is working? why did we strip time in both of the new tokens we created?

ITWhisperer

The logic is that searches only execute when all tokens in that particular search have been defined. Tokens effectively have three states (it is really only two, but for the purposes of this explanation we'll go with three). The token is either set to a value (non-empty), or is empty (these first two are really one state), or the token is unset (or set to null(), which equates to the same thing).

The depends attribute on the panel (or row), identifies which tokens need to be set (non-null). For completeness, the rejects attribute identifies which tokens need to be unset (or null).

By setting the relevant token to nothing, the token can satisfy the depends attribute, and when used in the search does not add any additional SPL.

By unsetting the relevant token (or setting it to null()), the depends attribute is not satisfied (so the panel/row is hidden), and the search stops executing (because it is waiting for the token to be set).

The strftime() is used in the done handler to set tokens so that you can visually see when the search is complete, i.e. to give you the confidence that the search is or is not running. You don't need them if you are happy with your searches only executing when they are supposed to.

beriwalnishant

Can you share an example

ITWhisperer

Yes, set up tokens in the searches which make the search invalid when they are not needed e.g. they contain illegal SPL syntax

Splunk Dashboard - Change On Condition

other

Index This | How many sides does a circle have?

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?