Evaluating User dropdown options for Splunk Dashboard and dynamically changing title field

eman9123
New Member

I have a Splunk dashboard which allows users to select two different fields.

My goal is I want a way for Splunk dashboard to evaluate the two different fields and take appropriate action based on the two fields.

Example dashboard:

<form>
    <label>Test Graph</label>

    <fieldset submitButton="false" autoRun="true">
        <input type="dropdown" token="field1" searchWhenChanged="true">
            <label>Select Time Range</label>
            <choice value="1 day ago">1 day ago</choice>
            <choice value="2 days ago">2 days ago</choice>
            <default>1 day ago</default>
        </input>
    </fieldset>

    <fieldset submitButton="false" autoRun="true">
        <input type="dropdown" token="field1" searchWhenChanged="true">
            <label>Select Time Range</label>
            <choice value="1 day ago">1 day ago</choice>
            <choice value="2 days ago">2 days ago</choice>
            <default>1 day ago</default>
        </input>
    </fieldset>

    <row>
        <panel>
            <chart>
                <title>Test Title - $field1$</title>
            </chart>
        </panel>
    </row>
</form>

As you can see from above, there are two different drop-down option boxes, which both have the values '1 day ago' and '2 days ago'.

Below this, I also have a title which dynamically gets its value from 'field1'.

What I want to do is when a user selects a specific value from field1 and another value from field2, it changes the title field to a value.

For example:

if ($field1$ == '1 day ago' && $field2$ == '2 days ago') {
    // execute action to change title field here.
}
0 Karma

Sukisen1981
Champion

I am assuming that the two field1 tokens are a typo. Try this:

<form>
     <label>Test Graph</label>

     <fieldset submitButton="false" autoRun="true">
         <input type="dropdown" token="field1" searchWhenChanged="true">
         <label>Select Time Range</label>
         <choice value="1 day ago">1 day ago</choice>
         <choice value="2 days ago">2 days ago</choice>
         <default>1 day ago</default>
         </input>
     </fieldset>

     <fieldset submitButton="false" autoRun="true">
         <input type="dropdown" token="field2" searchWhenChanged="true">
         <label>Select Time Range</label>
         <choice value="1 day ago">1 day ago</choice>
         <choice value="2 days ago">2 days ago</choice>
         <default>1 day ago</default>
         <change>
           <eval token="tok_title">$field1$+"::"+$field2$</eval>
         </change>
         </input>
     </fieldset>

     <row>
         <panel>
             <chart>
                 <title>Test Title - $tok_title$</title>
             </chart>
         </panel>
     </row>
</form>

Basically, I have used the change event handler in field 2 to sort of concatenate the two field values from the tokens and display them in the title field, along the lines of your need?

0 Karma

eman9123
New Member

Hi. Thanks for your answer! So what you provided is partially what I am looking for. I still want a way to evaluate both the values provided from the drop-downs and do an action based on this.

For example:

1) If the user selected '1 day ago' in field1 and selected '2 days ago' in field 2, I want the title to change to 'Option 123'

2) If the user selected '2 days ago' in field1 and selected '1 day ago' in field 2, I want the title to change to 'Option 321'

There can be many combinations of this input, I just want a way of evaluating both values and changing the title based on this logic.

Is this possible? Thanks!

0 Karma

Sukisen1981
Champion

Hi, yes, try this code. Just wait a second or two after changing the drop-down values:

<form>
  <label>Test Graph</label>
  <search>
    <query>
      |makeresults|eval dt1="$field1$"|eval dt2="$field2$"|table dt1,dt2
    </query>
    <done>
      <eval token="tok_title">if($field1$="1 day ago" AND $field2$="2 days ago","Option 123","yyyy")</eval>
    </done>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="field1" searchWhenChanged="true">
      <label>Select Time Range field1</label>
      <choice value="1 day ago">1 day ago</choice>
      <choice value="2 days ago">2 days ago</choice>
      <default>1 day ago</default>
    </input>
    <input type="dropdown" token="field2" searchWhenChanged="true">
      <label>Select Time Range field2</label>
      <choice value="1 day ago">1 day ago</choice>
      <choice value="2 days ago">2 days ago</choice>
      <default>1 day ago</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Test Title - $tok_title$</title>
      </chart>
    </panel>
  </row>
</form>

You can use eval with the token values for field1 and field2 in the dummy makeresults eval. I use this just to populate the title token dynamically. For testing purposes I have set something like this: if the user selected '1 day ago' in field1 and '2 days ago' in field2, the title changes to 'Option 123', else the title is yyyy. You just need to retrofit the eval in the event handler for your specific needs.

0 Karma

eman9123
New Member

Also, how will this work? It seems the evaluation is not happening for nested if statements: if($field1$="1 day ago" AND $field2$="1 day ago","Test1","Test2", if($field1$="1 day ago" AND $field2$="3 days ago","Test3","Test4"))

0 Karma

Sukisen1981
Champion

Hi,
Nested if statements work in Splunk like in most programming languages. Your nested if statement needs a tweak. You have a first condition, in which: if true = Test1 and if false = Test2. That's how an if statement works: if(condition, action when condition is met, action when condition is false).
Not sure what you are trying to do in the second if statement. It won't even get executed, since you have already provided actions for both meeting as well as not meeting your if condition.
The makeresults dummy query is the best approach you have; in fact it is very hard, without understanding your requirements, to say what exactly you are trying to achieve...
It could be worthwhile to think of limiting and forcing the user to check an option based on the token values, for example:
if in field1 the user chooses 1 day, then reset field2 to blank AND populate field2 with a range of dropdown values (say 2 days, 3 days, 4 days) based on field1. So each time the user makes a change in the field1 dropdown values, you reset the field2 token to blank or some generic default value like 'please select field2 values' AND force the user to choose a value for field2, based on the field1 values.
Your dummy query using makeresults will still work. In the worst case, if there is no other way and you HAVE to execute 30 if conditions, I suggest building dummy data and testing it in a real-time search before using it in the dashboard query.

0 Karma

eman9123
New Member

Okay, I have found out how to achieve what I want by using a case statement. I have a further question: does having a line break cause a difference in XML/Splunk execution? For example,

<eval token="testToken">case($var1$="Apple" AND $var2$="(producttype=fruit)", "Fruit: Apple", (($var1$="Banana") AND ($var2$="(producttype=fruit)")), "Fruit: Banana")</eval>

The above works fine. I can access the testToken in the title field and it dynamically gets the value. However, when I want to insert a line break between conditions, for example:

<eval token="testToken">case($var1$="Apple" AND $var2$="(producttype=fruit)", "Fruit: Apple", 
//LINE BREAK
(($var1$="Banana") AND ($var2$="(producttype=fruit)")), "Fruit: Banana")</eval>

I am unable to access testToken in title, it just shows in the title as $testToken$.

Do you know about this?

0 Karma

Sukisen1981
Champion

What is the difference between the above 2 queries? Can you be a bit more clear, or give a mock-up of what you need? I am not able to understand what you need.

0 Karma

eman9123
New Member

Okay, the two queries are exactly the same behavior-wise.

The intention of both queries is to evaluate the dropdown options and change the title based on the options. For example, if a user picks "Apple" in one drop-down and "Fruit" in the second drop-down, the title will change to "Fruit: Apple".

Now the first query works completely fine and executes the action I need.
The second query does not work. The difference between query 1 and query 2 is small: the only difference is that there is a line break between the two conditionals (I have added a comment where the line break is). With query 2, when a line break is inserted, the title field is not updated and the title is shown only as "$testToken$".

Now my question is: does inserting a line break impact this? My thought is that it should not matter, but in my case inserting a line break breaks the functionality. I want a line break just to make the XML clearer to read.

0 Karma

Sukisen1981
Champion

Hi,
Yes, it does corrupt things. You cannot insert a line break where another case condition is expected.
However, you can do something like this:

<done>
  <eval token="tok_title">case($field1$="1 day ago" AND $field2$="2 days ago","Option 123")</eval>
  `comment("-----LINE BREAK FOR TOKEN VALUES----")`
  <!-- LINE BREAK FOR TOKEN VALUES -->
  <eval token="tok_title">case($field1$="2 days ago" AND $field2$="2 days ago","Option 456")</eval>
</done>

Link to the new comment macro - https://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Addcommentstosearches

0 Karma

Sukisen1981
Champion

This will not have any significant impact on performance, since whether the case statement executes 30 times in one loop or separately does not matter here.

0 Karma

eman9123
New Member

Got it. Thank you very much. So for this situation, I have many different combinations that will modify the title (over 30). What do you recommend as the cleanest approach to do this?

0 Karma

eman9123
New Member

For example:

Condition 1: if($field1$="1 day ago" AND $field2$="2 days ago","Option 123","yyyy")
Condition 2: if($field1$="2 day ago" AND $field2$="2 days ago","Option 124","yyyy")
Condition 3: if($field1$="3 day ago" AND $field2$="2 days ago","Option 125","yyyy")
Condition 4: if($field1$="4 day ago" AND $field2$="2 days ago","Option 126","yyyy")
Condition 5: if($field1$="5 day ago" AND $field2$="2 days ago","Option 127","yyyy")

I have many of these statements, what do you recommend as the cleanest way to construct this?

0 Karma
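The pattern the thread converges on (a helper makeresults search plus a done handler) can also be written with the case() expression inside the SPL query, where line breaks between conditions are harmless, and the handler copying the first result row's field into the title token via $result.title$. This is an added example, not code from the thread; the option names and the "Option not mapped" default are made up, and the dropdown values are passed through the |s token filter so they reach the search as quoted, escaped strings, which keeps the static choice list the only thing that can reach the query.

```xml
<form>
  <label>Test Graph</label>
  <!-- Helper search: the case() runs in SPL, so it may span several lines.
       |s quotes and escapes each dropdown value before it enters the query. -->
  <search>
    <query>
      | makeresults
      | eval dt1=$field1|s$, dt2=$field2|s$
      | eval title=case(
          dt1="1 day ago"  AND dt2="2 days ago", "Option 123",
          dt1="2 days ago" AND dt2="1 day ago",  "Option 321",
          dt1="2 days ago" AND dt2="2 days ago", "Option 456",
          true(), "Option not mapped")
      | table title
    </query>
    <done>
      <!-- $result.title$ is the title field of the first result row -->
      <set token="tok_title">$result.title$</set>
    </done>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="field1" searchWhenChanged="true">
      <label>Select Time Range field1</label>
      <choice value="1 day ago">1 day ago</choice>
      <choice value="2 days ago">2 days ago</choice>
      <default>1 day ago</default>
    </input>
    <input type="dropdown" token="field2" searchWhenChanged="true">
      <label>Select Time Range field2</label>
      <choice value="1 day ago">1 day ago</choice>
      <choice value="2 days ago">2 days ago</choice>
      <default>1 day ago</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <h2>Test Title - $tok_title$</h2>
      </html>
    </panel>
  </row>
</form>
```

The true() branch keeps tok_title defined for every combination, so the title never falls back to the literal $tok_title$ text when a pair of selections has no mapping.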