Carrying tokens in another token that are prone to updates

Software-Simian
Path Finder

Hi All,

The topic might sound very mystic but is actually rather straightforward.

I have a timechart displaying the current values of a metric, actually two different metrics. But that is not the issue.

I also have a checkbox that, when ticked, will hand over an entire append query to the chart I mentioned above, but with the time values of the previous week.

<input type="checkbox" token="tok_input_1">
  <label></label>
  <choice value="yes">something rather boring</choice>
  <change>
    <condition value="yes">
      <!-- the whole appendcols clause becomes the token value;
           $tok_earliest_ref$ and $tok_latest_ref$ are resolved when this condition fires -->
      <set token="my_query_token">| appendcols [ search index=&lt;my_index&gt; earliest=$tok_earliest_ref$ latest=$tok_latest_ref$
| timechart span=5min partial=f sum(Average) as "reference"]</set>
    </condition>
    <condition>
      <set token="my_query_token"></set>
    </condition>
  </change>
</input>

However, the time tokens for earliest and latest will be handed over to the chart and will not be updated as time moves along, although the reference times are re-calculated every 2 min based on the current timeframe.

Any suggestions?

Regards,

Mike

1 Solution

ITWhisperer
SplunkTrust

Have you tried including the appendcols in your query but with a where clause which checks the value of the input token?

| appendcols [ search index=<my_index> earliest=$tok_earliest_ref$ latest=$tok_latest_ref$
| where "$tok_input_1$"=="yes"
| timechart span=5min partial=f sum(Average) as "reference"]

Software-Simian
Path Finder

So there is no kind of escape character in tokens to carry tokens... too bad... But thanks mate, your way works like a charm.


Software-Simian
Path Finder

So you are proposing to include the query no matter what, but have some kind of "depends" in it?


ITWhisperer
SplunkTrust

Yes, because the way you were using the token, it will have evaluated the time tokens at the time the checkbox was clicked and not every time the time token was updated.


Software-Simian
Path Finder

Hi,

There is an issue with how tokens in checkboxes work... it works if checked, but it does not if unchecked, as the chart is waiting for the input... which is the token of the checkbox (that is not set if unchecked).

It works with helper tokens:

<input type="checkbox" token="tok_input_0">
  <label></label>
  <choice value="yes">Something rather boring</choice>
  <change>
    <condition value="yes">
      <!-- token values are substituted literally, so set the bare word;
           the where clause in the search supplies the surrounding quotes -->
      <set token="my_token">YES</set>
    </condition>
    <condition>
      <set token="my_token">NO</set>
    </condition>
  </change>
</input>

| appendcols [ search index=<my_index> earliest=$tok_earliest_ref$ latest=$tok_latest_ref$
| where "$my_token$"=="YES"
| timechart span=5min partial=f sum(Average) as "reference"]

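For reference, here is the whole approach from this thread assembled into one complete Simple XML form. This is an added example, not code from any of the posts above. It assumes an index named my_index and a field named Average (stand-ins for the placeholders in the posts), uses the `<init>` element to give the helper token a value before the checkbox is ever touched (so the chart does not wait on an unset token), and computes `tok_earliest_ref`/`tok_latest_ref` with a constructed helper search (the question says these are recalculated every 2 minutes from the current timeframe but does not show how; here they are derived from the time picker's effective range with `addinfo`, shifted back seven days, and re-published on every refresh).

```xml
<form version="1.1">
  <!-- Added example assembling the thread's approach. "my_index" and
       "Average" are assumptions standing in for the original placeholders. -->
  <label>Metric with optional previous-week reference</label>

  <!-- Give the helper token a value on load: a search that references an
       unset token never runs, which is the stall described in the thread. -->
  <init>
    <set token="my_token">NO</set>
  </init>

  <fieldset submitButton="false">
    <input type="time" token="timepicker" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="checkbox" token="tok_input_0" searchWhenChanged="true">
      <label>Reference</label>
      <choice value="yes">Overlay the same window from the previous week</choice>
      <change>
        <condition value="yes">
          <set token="my_token">YES</set>
        </condition>
        <condition>
          <set token="my_token">NO</set>
        </condition>
      </change>
    </input>
  </fieldset>

  <!-- Constructed helper search: derive the reference window (same span,
       shifted back 7 days) from the effective time range and re-publish
       the tokens on every refresh, so they follow the time picker rather
       than being frozen at the moment the checkbox was clicked.
       Assumes a bounded "latest"; an open-ended range gives info_max_time
       of +Infinity and would need a fallback to now(). -->
  <search>
    <query>
      | makeresults
      | addinfo
      | eval ref_earliest = round(relative_time(info_min_time, "-7d"))
      | eval ref_latest   = round(relative_time(info_max_time, "-7d"))
    </query>
    <earliest>$timepicker.earliest$</earliest>
    <latest>$timepicker.latest$</latest>
    <refresh>2m</refresh>
    <done>
      <set token="tok_earliest_ref">$result.ref_earliest$</set>
      <set token="tok_latest_ref">$result.ref_latest$</set>
    </done>
  </search>

  <row>
    <panel>
      <chart>
        <title>Current vs. previous-week reference</title>
        <search>
          <!-- The subsearch always runs; the where clause empties it when the
               checkbox is off, so appendcols adds no column in that case. -->
          <query>
            index=my_index
            | timechart span=5min partial=f sum(Average) as current
            | appendcols [
                search index=my_index earliest=$tok_earliest_ref$ latest=$tok_latest_ref$
                | where "$my_token$"=="YES"
                | timechart span=5min partial=f sum(Average) as reference
              ]
          </query>
          <earliest>$timepicker.earliest$</earliest>
          <latest>$timepicker.latest$</latest>
          <refresh>2m</refresh>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

Because the chart search references `$tok_earliest_ref$`, `$tok_latest_ref$` and `$my_token$` directly, any change to those tokens reruns the panel with the current values; nothing is captured at click time. The cost is that the reference subsearch is executed even when the checkbox is off, which is the trade-off ITWhisperer's text-input variant below is designed to avoid.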

ITWhisperer
SplunkTrust

There is another way, but it is a bit more convoluted and merely shared for completeness. It does, however, avoid the extra search until it is needed, which might be important.

This uses an additional text input (which could be hidden with depends=$alwayshide$) - the change handler for this text input sets up the appendcols part of the search. The input is updated by the timepicker change event and the checkbox change event so if either change the token is re-evaluated.

    <input type="time" token="timepicker" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <condition>
          <set token="form.earlylate">earliest=$timepicker.earliest$ latest=$timepicker.latest$</set>
        </condition>
      </change>
    </input>
    <input type="checkbox" token="tok_input_0">
      <label></label>
      <choice value="yes">Something rather boring</choice>
      <default></default>
      <initialValue></initialValue>
      <change>
        <condition value="yes">
          <set token="form.earlylate">earliest=$timepicker.earliest$ latest=$timepicker.latest$</set>
        </condition>
        <condition>
          <set token="form.earlylate"></set>
        </condition>
      </change>
    </input>
    <input type="text" token="earlylate">
      <label>$appendcols$</label>
      <change>
        <eval token="appendcols">if(isnull($tok_input_0$) OR $tok_input_0$="","no append","| appendcols [ search index=&lt;my_index&gt; ".$earlylate$."
| timechart span=5min partial=f sum(Average) as \"reference\"]")</eval>
      </change>
    </input>


Software-Simian
Path Finder

Well, what you call convoluted I call very creative 😉

But does the timepicker really have such a change event? I have no refresh on the timepicker, and I was intending to leave the timepicker at the same setting.

I do, however, think I can reuse my kiosk mode for that, but I think that will be rather overpowered... your solution works fine!

But for full disclosure, here is the kiosk mode I created for my replay dashboards:

<search rejects="$replay_stopped$">
<query>
| makeresults
| eval tokEarliest = CASE(now() &gt; $tok_array_timer$ + 3, $tokEarliest$ + 900,
1=1, $tokEarliest$)
| eval tokLatest = CASE(now() &gt; $tok_array_timer$ + 3, $tokLatest$ + 900,
1=1, $tokLatest$)
| eval zeit = CASE(tokEarliest = $tokEarliest$, $tok_array_timer$,
1=1, now())
| eval human_start = strftime(tokEarliest, "%H:%M %d.%m.%Y")
| eval human_end = strftime(tokLatest, "%H:%M %d.%m.%Y")
</query>
<refresh>5sec</refresh>
<done>
<set token="tokEarliest">$result.tokEarliest$</set>
<set token="tokLatest">$result.tokLatest$</set>
<set token="tok_human_start">$result.human_start$</set>
<set token="tok_human_end">$result.human_end$</set>
</done>
</search>

I could use the same to re-initialize the append token... but that would be a far more complicated solution 😄
