Splunk Search

How to display panels dynamically depends on selection ?

Jouman
Path Finder

Hi All,

I am working on analyzing processing time among 10 devices and categorize all the evnets into 3 categories, including "Max", "Avg" and "PR99" (Which means its processing time in percent 99 in all events) for each device.

Raw data:

CategoryProcessing time(sec)Device id
Max1211
PR991061
Avg701
Max1172
PR991062
Avg712
Max783
PR99773
Avg623
..........

 

I want to display the category into seperated panel only if the category is selected.

Does any one have suggestion  on how to implement this on Splunk? 

For example: if select "Max", "Avg" through some scroll bar

Panel 1:  List "Max" only

CategoryProcessing time(sec)Device id
Max1211
Max1172
Max783
..........


Panel 2: List "Avg" only

CategoryProcessing time(sec)Device id
Avg701
Avg712
Avg623
..........

 

Thank you.

Jounman

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try with the name of the token rather than value

<form version="1.1">
  <fieldset submitButton="true" autoRun="false">
    <input type="multiselect" token="tokShowHidePanel" searchWhenChanged="true">
      <label>Display Level-2 Panel</label>
      <choice value="panelA">A</choice>
      <choice value="panelB">B</choice>
      <choice value="panelC">C</choice>
      <default>panelA</default>
      <change>
        <eval token="tokShowPanelA">mvfind($tokShowHidePanel$,"panelA")</eval>
        <eval token="tokShowPanelB">mvfind($tokShowHidePanel$,"panelB")</eval>
        <eval token="tokShowPanelC">mvfind($tokShowHidePanel$,"panelC")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$tokShowPanelA$">
      <title>Table 1</title>
      <table>
        <search>
          <query>
            | makeresults
            | eval table="Table 1 data"
          </query>
        </search>
      </table>
    </panel>
    <panel depends="$tokShowPanelB$">
      <title>Table 2</title>
      <table>
        <search>
          <query>
            | makeresults
            | eval table="Table 2 data"
          </query>
        </search>
      </table>
    </panel>
    <panel depends="$tokShowPanelC$">
      <title>Table 3</title>
      <table>
        <search>
          <query>
            | makeresults
            | eval table="Table 3 data"
          </query>
        </search>
      </table>
    </panel>
  </row>
</form>

View solution in original post

Jouman
Path Finder

Hi Sir,

Thanks for the reply.
If using this method, the category can be filtered out. However, if I select two categories, the events belong to two categories will be displayed in one panel.

I wish to display the events belong to two or three categories in to seperated panels and pop-out the corresponding panel only if the category is selected.

Does any one have any ideas?
Do I need to change any code in xml?

Thanks.

 

 

 

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Create a multi-select dropdown, then in the change handler for the dropdown, set tokens or unset them for each category depending on the presence or absence of the value being selected. Then for each panel, have a depends attribute for the relevant token for what is being displayed in the panel.

0 Karma

Jouman
Path Finder

Hello!

Thanks for your advice.

How can I set/unset tokens for each categories, for example, if I have A,B,C, 3 categories in total? 

i.e., if I select "A" in the multi-selection dropdown, only panel "A" should be visible.
i.e., if I select "A" and "B" in the multi-selection dropdown, both panel "A" and panel "B" can be visible. 

I know I should check tokens in xml as below but I don't have any idea about where/how to set the tokens.
<panel depends="tokenA">
  <search>
  </search>
</panel>
<panel depends="tokenB">
  <search>
  </search>
</panel>
<panel depends="tokenC">
  <search>
  </search>
</panel>

Thank you indeed!

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Tokens are referenced with $'s e.g. 

<panel depends="$tokenA$">
  <search>
  </search>
</panel>
<panel depends="$tokenB$">
  <search>
  </search>
</panel>
<panel depends="$tokenC$">
  <search>
  </search>
</panel>

In the change handler of the multi-select, you can set/unset the tokens something like this (assuming your token for the multi-select is called "select")

<change>
  <eval token="tokenA">mvfind($select$,"A")</eval>
  <eval token="tokenB">mvfind($select$,"B")</eval>
  <eval token="tokenC">mvfind($select$,"C")</eval>
</change>

 

0 Karma

Jouman
Path Finder

Hi, 
I try this suggestion and rephrase into my codes as below.
But the 3 panels will not be displayed no matter I select A, B, C sololy, or AB, BC, CA as a pair, or select ABC all.
Therefore, sadly the suggested codes can not work as I expect. 
Does anyone have any further suggestion ?

<input type="multiselect" token="tokShowHidePanel" searchWhenChanged="true">
<label>Display Panel</label>
<choice value="panelA">A</choice>
<choice value="panelB">B</choice>
<choice value="panelC">C</choice>
<default>panelA</default>
<change>
<eval token="tokShowPanelA">mvfind($value$,"A")</eval>
<eval token="tokShowPanelB">mvfind($value$,"B")</eval>
<eval token="tokShowPanelC">mvfind($value$,"C")</eval>
</change>
</input>


<row>
<panel depends="$tokShowPanelA$">
....
</panel>
<row>
<panel depends="$tokShowPanelB$">
....
</panel>
<row>
<panel depends="$tokShowPanelC$">
....
</panel>

Thank you!

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Given that your values are "panelA" not "A", you could try this:

<input type="multiselect" token="tokShowHidePanel" searchWhenChanged="true">
<label>Display Panel</label>
<choice value="panelA">A</choice>
<choice value="panelB">B</choice>
<choice value="panelC">C</choice>
<default>panelA</default>
<change>
<eval token="tokShowPanelA">mvfind($value$,"panelA")</eval>
<eval token="tokShowPanelB">mvfind($value$,"panelB")</eval>
<eval token="tokShowPanelC">mvfind($value$,"panelC")</eval>
</change>
</input>
0 Karma

Jouman
Path Finder

Hi all,

I applied the code as following, but it does not work. 
Neither A,B,C panels are displayed no matter what kind of input I select.
It seems the match function is unable to pass in the condition check.
I tried several ways to adjust the match function but it doesn't work still.

Does anyone have any clues about the issue?

---------

<input type="multiselect" token="tokShowHidePanel" searchWhenChanged="true">
<label>Display Level-2 Panel</label>
<choice value="panelA">A</choice>
<choice value="panelB">B</choice>
<choice value="panelC">C</choice>
<default>panelA</default>
<change>
<eval token="tokShowPanelA">mvfind($value$,"panelA")</eval>
<eval token="tokShowPanelB">mvfind($value$,"panelB")</eval>
<eval token="tokShowPanelC">mvfind($value$,"panelC")</eval>
</change>
</input>


<panel depends="$tokShowPanelA$">
<title>Table 1</title>
<table>
....

</table>
</panel>


<panel depends="$tokShowPanelB$">
<title>Table 2</title>
<table>

....

</table>
</panel>

<panel depends="$tokShowPanelC$">
<title>Table 3</title>
<table>

...

</table>
</panel>


Thank you so much.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try with the name of the token rather than value

<form version="1.1">
  <fieldset submitButton="true" autoRun="false">
    <input type="multiselect" token="tokShowHidePanel" searchWhenChanged="true">
      <label>Display Level-2 Panel</label>
      <choice value="panelA">A</choice>
      <choice value="panelB">B</choice>
      <choice value="panelC">C</choice>
      <default>panelA</default>
      <change>
        <eval token="tokShowPanelA">mvfind($tokShowHidePanel$,"panelA")</eval>
        <eval token="tokShowPanelB">mvfind($tokShowHidePanel$,"panelB")</eval>
        <eval token="tokShowPanelC">mvfind($tokShowHidePanel$,"panelC")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$tokShowPanelA$">
      <title>Table 1</title>
      <table>
        <search>
          <query>
            | makeresults
            | eval table="Table 1 data"
          </query>
        </search>
      </table>
    </panel>
    <panel depends="$tokShowPanelB$">
      <title>Table 2</title>
      <table>
        <search>
          <query>
            | makeresults
            | eval table="Table 2 data"
          </query>
        </search>
      </table>
    </panel>
    <panel depends="$tokShowPanelC$">
      <title>Table 3</title>
      <table>
        <search>
          <query>
            | makeresults
            | eval table="Table 3 data"
          </query>
        </search>
      </table>
    </panel>
  </row>
</form>

Jouman
Path Finder

Thank you so much!

I just tried this solution, and it works perfectly.

I can't describe how much I am delighted, thanks again.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

one comment here. You must remember that "depends" and "rejects" look if value has set or not (null vs. non-null, also false is non-null). Basically this means that e.g.

<eval token="foobar">match(str,"foo")</eval>
<eval token="foobar">if(match(str,"foo"),"foo",null())</eval>
<eval token="foobar">mvfind(str,"foo")</eval>

1st one set token foo bar even foo didn't found on str as it return "false". 

2nd one works as expected.

3rd on also works as mvfind returns string or NULL.

 

Also depends use AND between those tokens and rejects use OR.

r. Ismo

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You could have a dropdown input with Max, Avg and PR99 to set a token e.g. "selection", then use a where command on your search 

| where Category="$selection$"
0 Karma
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...