Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- Re: dynamic option in an input panel
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dynamic option in an input panel
HI all,
I would to build a dynamic value for a dynamic option in an 'dropdown' panel for a dashboard (splunk 6.5.2)
For example my query returns x results in a table : Number1, Number2, Number3 (to give an example with 3 values, but the result is always unknown). It allows to select between these 3 values to build a chart with a query like "index=blabla | timechart $myToken$ by myType". If Number1 is selected, the chart's query is "index=blabla | timechart SUM(Number1) by myType" because I need to draw the SUM.
So my dynamic options have a token prefix "SUM(", and a token prefix ")".
My need is to add a x+1 th (here a 4th) dynamic option "All", so that the resulted query for my chart is "index=blabla | timechart SUM(Number1), SUM(Number2), SUM(Number3) by myType".
How can I do that ?
Thank you,
Arnaud
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Take a look at this run-anywhere sample -
| makeresults | eval mydata="Number1 Number2 Number3"
| makemv mydata | mvexpand mydata | rename mydata as search
| format "" "sum(" 2 ")" "" ""
...resulting in
sum( Number1 ) sum( Number2 ) sum( Number3 )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to do this in your populatingsearch. You can completely control what is returned from this search so you can put the All value in yourself using SPL. Your XML will have a line like this:
<populatingSearch fieldForValue="MyValue" fieldForLabel="MyLabel">
<![CDATA[index=_* OR index=* | dedup host | table host | rename host AS MyField | eventstats values(MyField) AS MyValue | reverse | appendpipe [|noop|stats count AS MyField|eval MyField="ALL(*)"] | nomv MyValue | rex field=MyValue mode=sed "s/^/SUM(/ s/ /) SUM(/ s/$/)/" | filldown MyValue | reverse | eval MyValue=if(like(MyField, "ALL(*)"), MyValue, "SUM(" . MyField . ")")]]>
</populatingSearch>
Run the search by itself and see what it does. You will need to change host to your field but the gist is that we are controlling EVERYTHING in the replacement string creation and we have manually created the ALL(*) value which includes the SUM strings, too.
Your dashboard panel search will now be this:
index=blabla | timechart $new_token$ BY myType
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thank you for your answers.
@Woodcock, I tried your proposition and it works, thank you.
Unfortunately, it takes a long time to get the result. It's not because of your proposition, but because of my query.
So I replaced your initial search by mine " ... | fieldsummary | search field=nb* | dedup field | sort field | table field rename field AS MyField | ...". And it takes a long time because of 'fieldsummary' searching.
Thank you,
Arnaud
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't forget to click Accept.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
