Splunk Search

How to change base search with token?

splunkkid
Path Finder

Hello,

I have several different types of searches and made all of them base searches.

Now I want an input token to decide which base search to use for my post-process search.

I tried the following to see if it would work, but it doesn't.

Is there any way to make this possible?

<form>
  <label>test</label>
  <search id="base1">
    <query>
MYSEARCH1
    </query>
    <done>
      <condition>
        <set token="mysid1">$job.sid$</set>
      </condition>
    </done>
    <earliest>$global_time.earliest$</earliest>
    <latest>$global_time.latest$</latest>
  </search>
  <search id="base2">
    <query>
MYSEARCH1
    </query>
    <done>
      <condition>
        <set token="mysid2">$job.sid$</set>
      </condition>
    </done>
    <earliest>$global_time.earliest$</earliest>
    <latest>$global_time.latest$</latest>
  </search>
  <search id="base3">
    <query>
MYSEARCH1
    </query>
    <done>
      <condition>
        <set token="mysid3">$job.sid$</set>
      </condition>
    </done>
    <earliest>$global_time.earliest$</earliest>
    <latest>$global_time.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="global_time">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="tok">
      <label>Choose sid</label>
      <choice value="mysid1">sid1</choice>
      <choice value="mysid2">sid2</choice>
      <choice value="mysid3">sid3</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| loadjob $tok$ | table name</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

kamlesh_vaghela
SplunkTrust

@splunkkid 

Can you please try this?

<form>
  <label>base_search_sid</label>
  <search id="base1">
    <query>index="_internal" | stats count by sourcetype </query>
    <earliest>-h@h</earliest>
    <latest>now</latest>
    <done>
      <set token="mysid1">$job.sid$</set>
    </done>
  </search>
  <search id="base2">
    <query>index="_internal" | stats count by source </query>
    <earliest>-h@h</earliest>
    <latest>now</latest>
    <done>
      <set token="mysid2">$job.sid$</set>
    </done>
  </search>
  <search id="base3">
    <query>index="_internal" | stats count by sourcetype,source </query>
    <earliest>-h@h</earliest>
    <latest>now</latest>
    <done>
      <set token="mysid3">$job.sid$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="tok">
      <label>tok</label>
      <fieldForLabel>mysid</fieldForLabel>
      <fieldForValue>mysid</fieldForValue>
      <search>
        <query>| makeresults | eval mysid="$mysid1$|$mysid2$|$mysid3$", mysid=split(mysid,"|") | stats count by mysid</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        mysid1 = $mysid1$ <br/>
        mysid2 = $mysid2$ <br/>
        mysid3 = $mysid3$ <br/>
        tok = $tok$
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>| loadjob "$tok$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Thanks
KV
▄︻̷̿┻̿═━一

If any of my replies helps you solve the problem or gain knowledge, an upvote would be appreciated.

splunkkid
Path Finder

Hello,

I tried it and it works fine, so I upvoted.

But since the job sid is rather long and hard to understand, I understand that you added an html tag in the middle of the row to let users know.

Is there any way to give a name to each individual sid in the input section?

Thank you


kamlesh_vaghela
SplunkTrust

@splunkkid 

Can you please try this?

<form>
  <label>base_search_sid</label>
  <search id="base1">
    <query>index="_internal" | stats count by sourcetype </query>
    <earliest>-h@h</earliest>
    <latest>now</latest>
    <done>
      <set token="mysid1">$job.sid$</set>
      <set token="mysidname1">base1</set>
    </done>
  </search>
  <search id="base2">
    <query>index="_internal" | stats count by source </query>
    <earliest>-h@h</earliest>
    <latest>now</latest>
    <done>
      <set token="mysid2">$job.sid$</set>
      <set token="mysidname2">base2</set>
    </done>
  </search>
  <search id="base3">
    <query>index="_internal" | stats count by sourcetype,source </query>
    <earliest>-h@h</earliest>
    <latest>now</latest>
    <done>
      <set token="mysid3">$job.sid$</set>
      <set token="mysidname3">base3</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="tok">
      <label>tok</label>
      <fieldForLabel>mysidname</fieldForLabel>
      <fieldForValue>mysid</fieldForValue>
      <search>
        <query>| makeresults | eval mysid="$mysid1$|$mysid2$|$mysid3$", mysid=split(mysid,"|"),mysidname="$mysidname1$|$mysidname2$|$mysidname3$", mysidname=split(mysidname,"|"), tmp=mvzip(mysid,mysidname)| stats count by tmp | eval mysid=mvindex(split(tmp,","),0),mysidname=mvindex(split(tmp,","),1) | table mysid mysidname</query>
      </search>
      <change>
        <!-- $label$ is the label of the selected choice, i.e. the mysidname field -->
        <set token="tokname">$label$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        mysid1 = $mysid1$ <br/>
        mysid2 = $mysid2$ <br/>
        mysid3 = $mysid3$ <br/>
        mysidname1 = $mysidname1$ <br/>
        mysidname2 = $mysidname2$ <br/>
        mysidname3 = $mysidname3$ <br/>
        tok = $tok$ <br />
        mysidname3 = $mysidname3$ <br/>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>| loadjob "$tok$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Thanks
KV

splunkkid
Path Finder

Hello,

Thank you for your help. It works!

 

But I have a further question.

When I change the xml code in the dashboard slightly and come back to my UI or refresh my dashboard, the input part shows me the sid.

I guess this is because it takes some time to run the search I need and to process the mvzip/index commands. Please check the screenshot I attached.

Is there any way to solve this problem?

Thank you


kamlesh_vaghela
SplunkTrust

@splunkkid 

When you edit and save the dashboard, your query string parameters will be the old ones. Here we are using SIDs to populate the dropdown, so whatever SIDs are generated after saving will be in the dropdown, but not the one which is in the query string. But as it is in the query string, the component should display that value as selected. That's why you are able to see the last selected value after editing and saving/cancelling.

more...

When you edit the xml, it will call the editxml URL to edit it.

like: ..../mydashboard/editxml OR ..../mydashboard/edit

and with this url it will also pass the dashboard's tokens as parameters.

..../mydashboard/editxml?form.tok=admin.....
..../mydashboard/edit?form.tok=admin.....

This will show you the token populated with the passed parameter. In our case, that is the SID, which is expired or invalid for the current dashboard in edit mode.

If you open just this URL by manually removing the params, it will show you an unselected dropdown.

..../mydashboard/editxml

..../mydashboard/edit

After this, when you save or cancel, the dashboard will load as a fresh page.

And the same thing is handled by Splunk through navigation menus. Splunk will open .../mydashboard without any parameters, so it's fresh.

In our case, when all three base searches have executed, the SIDs will be populated in the dropdown. And yes, if these searches take time, the dropdown will take time.

🙂

I hope I was able to understand you.

Thanks
KV

splunkkid
Path Finder

Thank you very much!

This helped me a lot!
