Splunk Search
Highlighted

Evaluating User dropdown options for Splunk Dashboard and dynamically changing title field

New Member

I have a Splunk dashboard which allows users to select two different fields.

My goal is I want a way for Splunk dashboard to evaluate the two different fields and take appropriate action based on the two fields.

Example dashboard:

 <form>
    <label>Test Graph</label>

    <fieldset submitButton="false" autoRun="true">
        <input type="dropdown" token="field1" searchWhenChanged="true">
        <label>Select Time Range</label>
        <choice value="1 day ago">1 day ago</choice>
        <choice value="2 days ago">2 days ago</choice>
        <default>1 day ago</default>
        </input>
    </fieldset>

    <fieldset submitButton="false" autoRun="true">
        <input type="dropdown" token="field1" searchWhenChanged="true">
        <label>Select Time Range</label>
        <choice value="1 day ago">1 day ago</choice>
        <choice value="2 days ago">2 days ago</choice>
        <default>1 day ago</default>
        </input>
    </fieldset>

    <row>
        <panel>
            <chart>
                <title>Test Title - $field1$</title>
            </chart>
        </panel>
    </row>
</form>

As you can see from above, there are two different drop down option boxes. Which both have values '1 day ago' and '2 days ago'.

Below this, I also have a title which dynamically gets value from 'field1'.

What I want to do is when a user selects a specific value from field1 and another value from field2, it changes the title field to a value.

For example:

     if ($field1$ == '1 day ago' && $field2$ == '2 day ago') {
            //execute action to change title field here.
      } 
Tags (3)
0 Karma
Highlighted

Re: Evaluating User dropdown options for Splunk Dashboard and dynamically changing title field

Champion

I am assuming that you have 2 field1 tokens as a typo. Try this

<form>
     <label>Test Graph</label>

     <fieldset submitButton="false" autoRun="true">
         <input type="dropdown" token="field1" searchWhenChanged="true">
         <label>Select Time Range</label>
         <choice value="1 day ago">1 day ago</choice>
         <choice value="2 days ago">2 days ago</choice>
         <default>1 day ago</default>
         </input>
     </fieldset>

     <fieldset submitButton="false" autoRun="true">
         <input type="dropdown" token="field2" searchWhenChanged="true">
         <label>Select Time Range</label>
         <choice value="1 day ago">1 day ago</choice>
         <choice value="2 days ago">2 days ago</choice>
         <default>1 day ago</default>
         <change>

           <eval token="tok_title">$field1$+"::"+$field2$</eval>
         </change>
         </input>
     </fieldset>

     <row>
         <panel>
             <chart>
                 <title>Test Title - $tok_title$</title>
             </chart>
         </panel>
     </row>
 </form>

Basically, I have used the change event handler in field 2 to sort of concatenate the two field values from the tokens and display them in the title field, along the lines of your need?

0 Karma
Highlighted

Re: Evaluating User dropdown options for Splunk Dashboard and dynamically changing title field

New Member

Hi. Thanks for your answer! So what you provided is what partially what I am looking for. I still want a way to evaluate both the values provided from the drop downs and doing an action based on this.

For example:

1) If the user selected '1 day ago' in field1 and selected '2 days ago' in field 2, I want the title to change to 'Option 123'

2) If the user selected '2 days ago' in field1 and selected '1 day ago' in field 2, I want the title to change to 'Option 321'

There can be many combinations of this input, I just want a way of evaluating both values and changing the title based on this logic.

Is this possible? Thanks!

0 Karma
Highlighted

Re: Evaluating User dropdown options for Splunk Dashboard and dynamically changing title field

Champion

Hi, yes try this code. just wait a second or 2 after changing the drop down values:

  <label>Test Graph</label>
  <search>
    <query>
     |makeresults|eval dt1="$field1$"|eval dt2="$field2$"|table dt1,dt2
    </query>

    <done>
      <eval token="tok_title">if($field1$="1 day ago" AND $field2$="2 days ago","Option 123","yyyy")</eval>
    </done>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="field1" searchWhenChanged="true">
      <label>Select Time Range field1</label>
      <choice value="1 day ago">1 day ago</choice>
      <choice value="2 days ago">2 days ago</choice>
      <default>1 day ago</default>
    </input>
    <input type="dropdown" token="field2" searchWhenChanged="true">
      <label>Select Time Range field2</label>
      <choice value="1 day ago">1 day ago</choice>
      <choice value="2 days ago">2 days ago</choice>
      <default>1 day ago</default>

    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Test Title - $tok_title$</title>

      </chart>
    </panel>
  </row>
</form>

You can use eval with the token values for field1 and field2 in the dummy makeresults eval. I use this just to populate the title token dynamically. For testing purposes I have set something like this - If the user selected '1 day ago' in field1 and selected '2 days ago' in field 2, I want the title to change to 'Option 123' else title is yyy. You just need to retro-fit the eval in the event handler for your specific needs

0 Karma
Highlighted

Re: Evaluating User dropdown options for Splunk Dashboard and dynamically changing title field

New Member

Got it. Thank you very much so for this situation, I have many different combinations that will modify the title (Over 30). What do you recommend will be the cleanest approach to do this?

0 Karma
Highlighted

Re: Evaluating User dropdown options for Splunk Dashboard and dynamically changing title field

New Member

For example:

Condition 1: if($field1$="1 day ago" AND $field2$="2 days ago","Option 123","yyyy")
Condition 2: if($field1$="2 day ago" AND $field2$="2 days ago","Option 124","yyyy")
Condition 3: if($field1$="3 day ago" AND $field2$="2 days ago","Option 125","yyyy")
Condition 4: if($field1$="4 day ago" AND $field2$="2 days ago","Option 126","yyyy")
Condition 5: if($field1$="5 day ago" AND $field2$="2 days ago","Option 127","yyyy")

I have many of these statements, what do you recommend as the cleanest way to construct this?

0 Karma
Highlighted

Re: Evaluating User dropdown options for Splunk Dashboard and dynamically changing title field

New Member

Also, how will this work? Seems the evaluation not happening for nested if statements. if($field1$="1 day ago" AND $field2$="1 day ago","Test1","Test2", if($field1$="1 day ago" AND $field2$="3 days ago","Test3","Test4"))

0 Karma
Highlighted

Re: Evaluating User dropdown options for Splunk Dashboard and dynamically changing title field

Champion

Hi,
Nested if statements work in splunk like in most programming language. Your nested if statement needs a tweak. you have a first condition, in which : if true = test1 and if false =test2. Thats how an if statement works if(condtion, action when condition is met, action when condition is false)
Not sure what you are trying to do in the second if statement. it won't even get executed, since you have already provided actions for both meeting as well as not meeting your if condition.
The makeresults dummy query is the best approach you have, in fact it is very hard without understanding your requirements what exactly you are trying to achieve...
It could be worthwhile to think of limiting and forcing the user ti check an option based on the token values, for example
if in field1 user chooses 1 day, then reset field2 to blank AND populate field2 with a range of dropdown values (say 2 days, 3 days, 4 days) based on field 1. So each time the user makes a change in the field1 dropdown values, you reset the field2 token to blank or some generic default value like 'please select field2 values' AND force the user to choose a value for field2 ,based on the field1 values.
Your dummy query using makeresults will still work. In the worst case if there is no other way and you HAVE to execute 30 if conditions, i suggest building a dummy data and testing it in real time search before using it in the dashboard query

0 Karma
Highlighted

Re: Evaluating User dropdown options for Splunk Dashboard and dynamically changing title field

New Member

Okay, I have found out what I want to achieve by using case statement. I have a further question, does having a line break cause difference in xml/splunk execution. For example,

<eval token="testToken">case($var1$="Apple" AND $var2$="(producttype=fruit)", "Fruit: Apple", (($var1$="Banana") AND ($var2$="(producttype=fruit)")), "Fruit: Banana")</eval>

The above works fine. I can access the testToken in the title field and it dynamically gets the value. However, when I want to make a line between conditions, for example:

<eval token="testToken">case($var1$="Apple" AND $var2$="(producttype=fruit)", "Fruit: Apple", 
//LINE BREAK
(($var1$="Banana") AND ($var2$="(producttype=fruit)")), "Fruit: Banana")</eval>

I am unable to access testToken in title, it just shows in the title as $testToken$.

Do you know about this?

0 Karma
Highlighted

Re: Evaluating User dropdown options for Splunk Dashboard and dynamically changing title field

Champion

what is the difference between the above 2 queries? Can you be a bit more clear? Or give a mock up of what you need? I am not able to understand what you need

0 Karma