Splunk Search

Carrying tokens in another token that are prone to updates

Software-Simian
Path Finder

Hi All,

The topic might sound very mystic but is actually rather straightforward.

I have a timechart displaying the current values of a metric, actually two different metrics. But that is not the issue.

I also have a checkbox that, when ticked, will hand over an entire append query to the chart I mentioned above, but with the time values of the previous week.

<input type="checkbox" token="tok_input_1">
<label></label>
<choice value="yes">something rather boring</choice>
<change>
<condition value="yes">
<set token="my_query_token">

| appendcols [ search index=<my_index> earliest=$tok_earliest_ref$ latest=$tok_latest_ref$
| timechart span=5min partial=f sum(Average) as "reference"]

</set>
</condition>
<condition>
<set token="my_query_token"></set>
</condition>
</change>
</input>

However, the time tokens for earliest and latest will be handed over to the chart and will not be updated as time moves along, although the reference times are re-calculated every 2 mins based on the current timeframe.

Any suggestions?

Regards,

Mike


ITWhisperer
SplunkTrust

Have you tried including the appendcols in your query but with a where clause which checks the value of the input token?

| appendcols [ search index=<my_index> earliest=$tok_earliest_ref$ latest=$tok_latest_ref$
| where "$tok_input_1$"=="yes"
| timechart span=5min partial=f sum(Average) as "reference"]

Software-Simian
Path Finder

So there is no kind of escape character in tokens to carry tokens... too bad... But thanks mate, your way works like a charm.


Software-Simian
Path Finder

So you are proposing to include the query no matter what, but have some kind of "depends" in it?


ITWhisperer
SplunkTrust

Yes, because the way you were using the token, it will have evaluated the time tokens at the time the checkbox was clicked and not every time the time token was updated.


Software-Simian
Path Finder

Hi,

There is an issue with how tokens in checkboxes work... it works if checked, but it does not if unchecked, as the chart is waiting for the input... which is the token of the checkbox (that is not set if unchecked).

It works with helper tokens:

<input type="checkbox" token="tok_input_0">
<label></label>
<choice value="yes">Something rather boring</choice>
<change>
<condition value="yes">
<set token="my_token">YES</set>
</condition>
<condition>
<set token="my_token">NO</set>
</condition>
</change>
</input>

| appendcols [ search index=<my_index> earliest=$tok_earliest_ref$ latest=$tok_latest_ref$
| where "$my_token$"=="YES"
| timechart span=5min partial=f sum(Average) as "reference"]

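Pulling the helper-token approach into one complete Simple XML dashboard, as an added example rather than code from this thread: a hidden search recomputes the reference window from the time picker on a refresh, and because tokens are substituted each time the chart search runs, the subsearch follows the refreshed window instead of freezing at the moment the checkbox was clicked. The index name, the `Average` field, the 7-day shift and the 2-minute refresh are assumptions.

```xml
<form>
  <label>Metric with previous-week reference</label>
  <init>
    <!-- Helper token is always defined, so the chart never waits on an unchecked checkbox -->
    <set token="my_token">NO</set>
  </init>
  <fieldset submitButton="false">
    <input type="time" token="tp" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="checkbox" token="tok_input_0" searchWhenChanged="true">
      <label>Reference</label>
      <choice value="yes">Show previous week</choice>
      <change>
        <condition value="yes">
          <set token="my_token">YES</set>
        </condition>
        <condition>
          <set token="my_token">NO</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <!-- Recomputes the reference window (assumed: picker range shifted back 7 days) every 2 minutes -->
  <search>
    <query>| makeresults | addinfo
| eval ref_earliest=relative_time(info_min_time, "-7d"), ref_latest=relative_time(info_max_time, "-7d")</query>
    <earliest>$tp.earliest$</earliest>
    <latest>$tp.latest$</latest>
    <refresh>2m</refresh>
    <done>
      <set token="tok_earliest_ref">$result.ref_earliest$</set>
      <set token="tok_latest_ref">$result.ref_latest$</set>
    </done>
  </search>
  <row><panel><chart>
    <search>
      <query>index=my_index
| timechart span=5min partial=f sum(Average) as "current"
| appendcols [ search index=my_index earliest=$tok_earliest_ref$ latest=$tok_latest_ref$
  | where "$my_token$"=="YES"
  | timechart span=5min partial=f sum(Average) as "reference"]</query>
      <earliest>$tp.earliest$</earliest>
      <latest>$tp.latest$</latest>
    </search>
  </chart></panel></row>
</form>
```

When the box is unchecked the subsearch still runs but its where clause drops every row, so appendcols adds no reference column; the helper search runs once per refresh regardless.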

ITWhisperer
SplunkTrust

There is another way, but it is a bit more convoluted and merely shared for completeness. It does however avoid the extra search until it is needed, which might be important.

This uses an additional text input (which could be hidden with depends=$alwayshide$). The change handler for this text input sets up the appendcols part of the search. The input is updated by the timepicker change event and the checkbox change event, so if either changes, the token is re-evaluated.

    <input type="time" token="timepicker" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <condition>
          <set token="form.earlylate">earliest=$timepicker.earliest$ latest=$timepicker.latest$</set>
        </condition>
      </change>
    </input>
    <input type="checkbox" token="tok_input_0">
      <label></label>
      <choice value="yes">Something rather boring</choice>
      <default></default>
      <initialValue></initialValue>
      <change>
        <condition value="yes">
          <set token="form.earlylate">earliest=$timepicker.earliest$ latest=$timepicker.latest$</set>
        </condition>
        <condition>
          <set token="form.earlylate"></set>
        </condition>
      </change>
    </input>
    <input type="text" token="earlylate">
      <label>$appendcols$</label>
      <change>
        <!-- Token values are substituted before the eval runs, so compare them as quoted strings -->
        <eval token="appendcols">if("$tok_input_0$"="","no append","| appendcols [ search index=&lt;my_index&gt; ".$earlylate$."
| timechart span=5min partial=f sum(Average) as \"reference\"]")</eval>
      </change>
    </input>


Software-Simian
Path Finder

Well, what you call convoluted I call very creative 😉

But does the timepicker really have such a change event? I have no refresh on the timepicker and I was intending to leave the timepicker at the same setting.

I however think I can reuse my kiosk mode for that, but I think that will be rather overpowered... your solution works fine!

But for full disclosure, here is the kiosk mode I created for my replay dashboards:

<search rejects="$replay_stopped$">
<query>
| makeresults
| eval tokEarliest = CASE(now() &gt; $tok_array_timer$ + 3, $tokEarliest$ + 900,
1=1, $tokEarliest$)
| eval tokLatest = CASE(now() &gt; $tok_array_timer$ + 3, $tokLatest$ + 900,
1=1, $tokLatest$)
| eval zeit = CASE(tokEarliest = $tokEarliest$, $tok_array_timer$,
1=1, now())
| eval human_start = strftime(tokEarliest, "%H:%M %d.%m.%Y")
| eval human_end = strftime(tokLatest, "%H:%M %d.%m.%Y")
</query>
<refresh>5sec</refresh>
<done>
<set token="tokEarliest">$result.tokEarliest$</set>
<set token="tokLatest">$result.tokLatest$</set>
<set token="tok_human_start">$result.human_start$</set>
<set token="tok_human_end">$result.human_end$</set>
</done>
</search>

I could use the same to re-initialize the append token... but that would be a far more complicated solution 😄
