Solved: I have two macro's depends on text input type host...

Kumar23 · ‎03-08-2017

My Scenario:-

Macro1=US_Base_Search
Macro2= AD_Base_Search
If host=AB* then need to get the data from macro US_Base_Search,( host=C* OR host != AB*) then need to get the data from different macro AD_Base_Search.

UAT

$Prefixhost$_Basesearch($HostName$) | fields *
$TimeSpan.earliest$
$TimeSpan.latest$

<query>`$Prefixhost$_Process($HostName$)` instance=$instance$ | fields *</query>
<earliest>$TimeSpan.earliest$</earliest>
<latest>$TimeSpan.latest$</latest>

<row> 

       <input type="radio" searchWhenChanged="true" token="Enter SID/HostName">

HostName

SID

$SID$
$HostName$

$HostName$
$SID$

Enter Hostname (click away):

UA

Clone_GSO

Clone_GSO

Clone_GSO

Clone_GSO

Clone_GSO

Enter SID (click away):

Select Time Window

-4h@m
now

Select Timechart Span:
Select a Span from dropdown to set chart resolution.

Search by Hostname:
Click on a row of "SID to Host Lookup" for Perfmon statistics

Select Timechart Span:
1 Minute
5 Minutes
10 Minutes
15 Minutes
30 Minutes
60 Minutes
5m
5m

Advanced Debug
Enable

SID to Host Lookup

source=User_activity_stats index=wks_summary sourcetype="user_activity_stats" SID=$SID$ | convert auto(Last_Reported) auto(First_Reported) | table orig_host SID First_Reported Last_Reported _time | dedup SID orig_host sortby -Last_Reported | sort -Last_Reported | convert ctime(First_Reported) ctime(Last_Reported)| rename orig_host as HostName
-30d@d
@d

true
true
none

$row.HostName$

US

AD

AD

AD

AD

AD

row
20

CPU Utilization

OverAll

| timechart span=$chartSpan$ avg("%_Processor_Time") as %_Processor_Time, avg("%_User_Time") as %_User_Time, avg("%_Privileged_Time") as %_Privileged_Time avg("%_Interrupt_Time") as %_Interrupt_Time

Context Switches/Sec

| timechart span=$chartSpan$ Avg(Context_Switches/sec) As "Context Switches/sec"

gvmorley · ‎03-10-2017

Hi,

I'm not sure if I can give you the answer that you're looking for, but I might be able to point you in the direction of some places to look.

I think when posting your question, you didn't quite get all the formatting as code so it's a bit broken. No worries, we'll try to figure it out.

Some things to note:

You can't use <fieldset></fieldset> tags within the <drilldown></drilldown> Event Handler.
Check this out in the docs: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#drilldown
The <condition></condition> element works slightly differently in <drilldown></drilldown>. You can't use it with a match command.
Have a look here: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#Condition_.28drilldown....

One strategy you could try would be to create an <input type="dropdown"></input> and populate it with a search that lists all of your HostNames

Then you could use <change></change> and <condition></condition> elements to create your Prefixhost token.

Alternatively, if you want to use the <table></table> and <drilldown></drilldown> approach, you could eval the correct Macro Name into the search.

Then when your users click on a row, you can take that Macro Name token and use it to create later searches.

Like this:

alt text

I know that this may not be exactly what you're looking for, but it might spark some ideas.

Finally, if you haven't come across it yet in your Splunk journey, check out the excellent 'Dashboard Examples App' on Splunkbase. Install it on a test system, and use it as a reference for what's possible. You can find it here: https://splunkbase.splunk.com/app/1603/

Best of luck.

Here's the code for that example, which you could paste into a new Dashboard just to see what I mean
(You can ignore the search, that was just to create some data to work with):

<dashboard>
  <label>Test - Table Drilldown</label>
  <row>
    <panel>
      <title>My Data</title>
      <table>
        <search>
          <query>
            <![CDATA[| makeresults 
            | fields - _time 
            | eval HostName=mvappend("CH1234", "/1234", "ATC1234", "L1234", "1CP", "W1234") 
            | mvexpand HostName 
            | eval Time=strftime(time(),"%H:%M:%S %d/%m/%Y"), OtherTime=strftime(time()+121,"%H:%M:%S %d/%m/%Y")
            | eval Environment=case(match(HostName,"^CH.*"),"US_Macro",match(HostName,"^/\d.*|^ATC.*|^L.*|^\dCP.*|^W.*"),"AD_Macro")
            | table HostName Time OtherTime Environment
            ]]>
          </query>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="my.click.name">$click.name$</set>
          <set token="my.click.value">$click.value$</set>
          <set token="my.click.name2">$click.name2$</set>
          <set token="my.click.value2">$click.value2$</set>
          <set token="my.row.hostname">$row.HostName$</set>
          <set token="my.row.time">$row.Time$</set>
          <set token="my.row.othertime">$row.OtherTime$</set>
          <set token="my.row.environment">$row.Environment$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <div>click.name = $my.click.name$</div>
        <div>click.value = $my.click.value$</div>
        <div>click.name2 = $my.click.name2$</div>
        <div>click.value2 = $my.click.value2$</div>
        <div>row.HostName = $my.row.hostname$</div>
        <div>row.Time = $my.row.time$</div>
        <div>row.OtherTime = $my.row.othertime$</div>
        <h3>row.Environment = $my.row.environment$</h3>
        <h3>Run this search: $my.row.environment$_Process($my.row.hostname$)</h3>
      </html>
    </panel>
  </row>
</dashboard>

View solution in original post

gvmorley · ‎03-10-2017

Hi,