Solved: Re: Help with using comparison sign in tokens

jip31 · ‎06-06-2019

Hello
I use 2 tokens in the XML below, I need to use comparison sign like > and < in this token.
I would like also to have the possibility to use AND or OR between the 2 tokens.
Could you help me with an easier solution?

<form>
  <label>Hardware Monitoring - Battery details</label>
  <fieldset submitButton="true">
    <input type="text" token="tok_cycle" searchWhenChanged="true">
      <label>CycleCount</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="tok_health" searchWhenChanged="true">
      <label>HealthState</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| inputlookup tablet_host.csv 
| lookup PanaBatteryStatus.csv "Hostname00" as host OUTPUT BatteryTemp00 BatteryModel00 CycleCount00 HealthState00 LastRecalibration00 ManufactureDate00 DesignCapacity00 
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE 
| stats values(SITE) as SITE values(BatteryModel00) as BatteryModel values(CycleCount00) as CycleCount values(HealthState00) as HealthState values(LastRecalibration00) as LastRecalibration values(ManufactureDate00) as ManufactureDate values(DesignCapacity00) as DesignCapacity by host 
| search CycleCount=$tok_cycle$ 
| search HealthState=$tok_health$ 
| sort +host</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

FrankVl · ‎06-07-2019

If you want to be able to type the comparison operator into your text input, then you need to leave out the comparison operator from your search query.

You now have | search CycleCount=$tok_cycle$ and if you type >300 in the tok_cycle input, then your search becomes: | search CycleCount=>300 which is an invalid condition, so it returns 0 results.

You can do: | search CycleCount$tok_cycle$, then typing >300 in the tok_cycle input will work. Downside is that if you want to search for =300 you have to also explicitly type that = in the input box.

You could also add a dropdown to select the operator and a text box just for the value and then do:

| search CycleCount$operator$$tok_cycle$

View solution in original post

FrankVl · ‎06-07-2019

If you want to be able to type the comparison operator into your text input, then you need to leave out the comparison operator from your search query.

You now have | search CycleCount=$tok_cycle$ and if you type >300 in the tok_cycle input, then your search becomes: | search CycleCount=>300 which is an invalid condition, so it returns 0 results.

You can do: | search CycleCount$tok_cycle$, then typing >300 in the tok_cycle input will work. Downside is that if you want to search for =300 you have to also explicitly type that = in the input box.

You could also add a dropdown to select the operator and a text box just for the value and then do:

| search CycleCount$operator$$tok_cycle$

jip31 · ‎06-07-2019

perfect!!! thanks

jip31 · ‎06-07-2019

Franck last question
it works perfectly when I have just a token in my dashboard
when I use 2 tokens :
| search CycleCount$tok_cycle$
| search CycleCount$tok_health$
it seems that its only possible to do a filter comparison with the first token
What do you think??

FrankVl · ‎06-11-2019

Why would it only be possible with the first token? If you made it work for one token, you can follow the exact same approach for any additional token. How exactly have you solved it now? With a separate input to select the operator? Or by typing the operator into the search box itself?

harshpatel · ‎06-07-2019

@jip31 isn't $tok_health$ supposed to filter another field? You are filtering the same field again which is filtered by $tok_cycle$ so in some cases, the conflict will occur. If you want to filter the same field with tokens then why not have only one token combined of two?

jip31 · ‎06-07-2019

oh thanks its a copy paste issue!!

FrankVl · ‎06-07-2019

You mean you want to do something like | search CycleCount<$tok_cycle$ OR HealthState>$tok_health$ or so?

You can simply do that as long as you edit the panel's search query from the GUI. If you want to manually edit the XML, you need to use the html entities for > and < instead to make it work:
Instead of > use >
Instead of < use <

jip31 · ‎06-07-2019

Not at all
What I need is tp put a > or < sign in my token input in order for example to display events where cycle > 300

FrankVl · ‎06-07-2019

Right, that wasn't very clear from your question to be honest. I'll add a new answer.

jip31 · ‎06-07-2019

OK
Franck last question
it works perfectly when I have just a token in my dashboard
when I use 2 tokens :
| search CycleCount$tok_cycle$
| search CycleCount$tok_health$
it seems that its only possible to do a filter comparison with the first token
What do you think??

Help with using comparison sign in tokens

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!