Splunk Search

How to create a button on the dashboard to control when a search is executed?

johnraftery
Communicator

Hi,

I have a search in my dashboard that is quite expensive - it can take over a minute to complete. The result is shown in a pie chart:

          <chart>
            <search>
              <query>...</query>
            </search>
            <option name="charting.chart">pie</option>
          </chart>

Because the search takes so long and is needed infrequently, I don't want it to run automatically. I want to have a button in the dashboard, and only when the button is clicked should the search be run. Is this possible?

Thanks for reading,
John Raftery

0 Karma
1 Solution

johnraftery
Communicator

For anyone who is attempting the same thing, here is the solution I came up with. It uses a dropdown menu, rather than a button, so if anyone has a solution that uses a button, please share 🙂

      <input type="dropdown" token="run_consolidations_dropdown" searchWhenChanged="true">
        <label>Run query</label>
        <choice value="1">No</choice>
        <choice value="2">Yes</choice>
        <default>1</default>
        <change>
          <condition value="1">
            <unset token="run_consolidations"></unset>
          </condition>
          <condition value="2">
            <set token="run_consolidations">dbxquery</set>
          </condition>
        </change>
      </input>
      <chart depends="$run_consolidations$">
        <search>
          <query>| $run_consolidations$ connection=......

The run_consolidations token initially hides the chart and stops the query from running. When set by the dropdown, the chart is shown and query is run.

gyslainlatsa
Motivator

hi,

try to use this code in your code

<form>
  <label>Internal_Source</label>
  <row>
    <panel>
      <input type="radio" token="" searchWhenChanged="true">
        <choice value="1">Launch Request</choice>
        <default></default>

        <change>
          <condition value="1">
            <set token="new_search"> index=_internal |stats count by source </set>
          </condition>
        </change>
      </input>

      <chart>
        <search>
          <query>$new_search$</query>
          <earliest>-4h@m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
  </row>
</form>

Add it to your code and you will end up with code like this.

   <row>
     <panel>

      <input type="radio" token="" searchWhenChanged="true">
        <choice value="1">Launch Request</choice>
        <default></default>

        <change>
          <condition value="1">
            <set token="new_search">| dbxquery connection=$host_token$ query="SELECT      rsk.M_LABEL Risk
 FROM        LIUTABLE_DBF utable     
 LEFT JOIN LIENG_DBF eng ON utable.M_UT_KEY=eng.M_UT_KEY     
 LEFT JOIN LIRSKCFG_DBF rsk ON eng.M_RSK_KEY=rsk.M_KEY               
 LEFT JOIN LICTPL_DBF first_ctp ON utable.M_VAR_KEY=first_ctp.M_KEY         
 LEFT JOIN LICONSOM_DBF first_consom ON rsk.M_TREE=first_consom.M_TLABEL     
 LEFT JOIN LICONSOL_DBF first_consol ON first_consom.M_INDEX=first_consol.M_CONSO AND utable.M_VAR_KEY=first_consol.M_KEY                                 
 LEFT JOIN LIGTB_DBF second_gtb ON utable.M_GTB_KEY=second_gtb.M_KEY     
 LEFT JOIN LICTPL_DBF second_ctp ON second_gtb.M_VAR_KEY=second_ctp.M_KEY                
 LEFT JOIN LICONSOM_DBF second_consom ON rsk.M_TREE2=second_consom.M_TLABEL     
 LEFT JOIN LICONSOL_DBF second_consol ON second_consom.M_INDEX=second_consol.M_CONSO AND second_gtb.M_VAR_KEY=second_consol.M_KEY                               
 LEFT JOIN LIGRPCFG_DBF second_grpcfg ON second_gtb.M_GRP_KEY=second_grpcfg.M_KEY" shortnames=1 | stats count by RISK  </set>
          </condition>
        </change>
      </input>

       <chart>
         <title>Consolidations in engine</title>
         <search>
           <query>$new_search$</query>
         </search>
         <option name="charting.chart">pie</option>
         <option name="height">600</option>
         <drilldown>
           <set token="dummy_token">0</set>
         </drilldown>
         <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
         <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
         <option name="charting.axisTitleX.visibility">visible</option>
         <option name="charting.axisTitleY.visibility">visible</option>
         <option name="charting.axisTitleY2.visibility">visible</option>
         <option name="charting.axisX.scale">linear</option>
         <option name="charting.axisY.scale">linear</option>
         <option name="charting.axisY2.enabled">0</option>
         <option name="charting.axisY2.scale">inherit</option>
         <option name="charting.chart.bubbleMaximumSize">50</option>
         <option name="charting.chart.bubbleMinimumSize">10</option>
         <option name="charting.chart.bubbleSizeBy">area</option>
         <option name="charting.chart.nullValueMode">gaps</option>
         <option name="charting.chart.showDataLabels">none</option>
         <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
         <option name="charting.chart.stackMode">default</option>
         <option name="charting.chart.style">shiny</option>
         <option name="charting.drilldown">all</option>
         <option name="charting.layout.splitSeries">0</option>
         <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
         <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
         <option name="charting.legend.placement">right</option>
       </chart>
     </panel>
   </row>
 </form>

try and tell me if it works.

0 Karma

johnraftery
Communicator

I don't think it's possible to have a token inside a token, is it? My query starts with
"| dbxquery connection=$host_token$ "
$host_token$ will not be evaluated if it's inside another token, right?

0 Karma

gyslainlatsa
Motivator

Yes, it will be evaluated; try executing it before drawing a conclusion.
I have had to work like this.

Only the first token will block the request, so it does not launch automatically.
Once you have approved the execution of the query, the query will run without problems.

0 Karma

johnraftery
Communicator

I've tried this in the past, and it didn't work.

0 Karma

johnraftery
Communicator

My solution above was similar to yours, the main difference was that the value of the token was just "dbxquery", rather than the whole query string. So when the token is unset, the query cannot run. Thanks for your suggestion.

0 Karma
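
The rule this thread relies on, that a search whose query references an unset token does not run, can be checked mechanically. The following is an added example, not code from any poster: it parses a constructed dashboard modelled on the accepted solution and reports, per panel, the tokens still unset at page load. It assumes an input with a `<default>` defines its own token and fires the matching `<condition>`, and it ignores `depends`, tokens supplied in the URL and tokens nested inside token values.

```python
import re
import xml.etree.ElementTree as ET

TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)\$")  # $name$ references in a query
# Constructed dashboard; the connection name and SQL are placeholders.
DASHBOARD = """<form>
  <row><panel>
    <input type="dropdown" token="run_consolidations_dropdown" searchWhenChanged="true">
      <choice value="1">No</choice><choice value="2">Yes</choice>
      <default>1</default>
      <change>
        <condition value="1"><unset token="run_consolidations"></unset></condition>
        <condition value="2"><set token="run_consolidations">dbxquery</set></condition>
      </change>
    </input>
    <chart depends="$run_consolidations$"><title>gated</title>
      <search><query>| $run_consolidations$ connection=example query="SELECT 1"</query></search>
    </chart>
    <chart><title>ungated</title>
      <search><query>| dbxquery connection=example query="SELECT 1"</query></search>
    </chart>
  </panel></row>
</form>"""

def tokens_set_on_load(root):
    """Assumed model: an input with a default sets its own token and fires the matching <condition>."""
    defined = set()
    for inp in root.iter("input"):
        default = (inp.findtext("default") or "").strip()
        if default:
            defined.add(inp.get("token"))
            for cond in inp.iter("condition"):
                if cond.get("value") == default:
                    defined.update(s.get("token") for s in cond.iter("set"))
    return defined

def classify_searches(xml_text):
    """Map each panel title to the query tokens still unset at page load ([] = runs immediately)."""
    root = ET.fromstring(xml_text)
    defined = tokens_set_on_load(root)
    report = {}
    for viz in root.iter():
        query = viz.findtext("search/query")
        if query is not None:
            missing = sorted(set(TOKEN_RE.findall(query)) - defined)
            report[viz.findtext("title") or viz.tag] = missing
    return report
```

An empty list means the search starts as soon as the dashboard opens, which is the case to look for when reviewing dashboards that carry expensive `dbxquery` panels.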

gyslainlatsa
Motivator

you are welcome

0 Karma

gyslainlatsa
Motivator

Hi johnraftery,

It's possible; insert one token in your query.

Please post your whole code and I will try to help you.

0 Karma

johnraftery
Communicator

Thanks very much - here is my code

  <row>
    <panel>
      <chart>
        <title>Consolidations in engine</title>
        <search>
          <query>| dbxquery connection=$host_token$ query="SELECT      rsk.M_LABEL Risk
FROM        LIUTABLE_DBF utable     
LEFT JOIN LIENG_DBF eng ON utable.M_UT_KEY=eng.M_UT_KEY     
LEFT JOIN LIRSKCFG_DBF rsk ON eng.M_RSK_KEY=rsk.M_KEY               
LEFT JOIN LICTPL_DBF first_ctp ON utable.M_VAR_KEY=first_ctp.M_KEY         
LEFT JOIN LICONSOM_DBF first_consom ON rsk.M_TREE=first_consom.M_TLABEL     
LEFT JOIN LICONSOL_DBF first_consol ON first_consom.M_INDEX=first_consol.M_CONSO AND utable.M_VAR_KEY=first_consol.M_KEY                                 
LEFT JOIN LIGTB_DBF second_gtb ON utable.M_GTB_KEY=second_gtb.M_KEY     
LEFT JOIN LICTPL_DBF second_ctp ON second_gtb.M_VAR_KEY=second_ctp.M_KEY                
LEFT JOIN LICONSOM_DBF second_consom ON rsk.M_TREE2=second_consom.M_TLABEL     
LEFT JOIN LICONSOL_DBF second_consol ON second_consom.M_INDEX=second_consol.M_CONSO AND second_gtb.M_VAR_KEY=second_consol.M_KEY                               
LEFT JOIN LIGRPCFG_DBF second_grpcfg ON second_gtb.M_GRP_KEY=second_grpcfg.M_KEY" shortnames=1 | stats count by RISK</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="height">600</option>
        <drilldown>
          <set token="dummy_token">0</set>
        </drilldown>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
</form>
0 Karma