
How to store multiple values in one token and pass into another search

itnewbie
Explorer

I have a "Product Brand" multiselect filter in a Splunk dashboard. It is a dynamic filter rather than a static one. I also have a panel displaying all product brands. Now, I want another conditional panel to display further information on 3 of the brands in the product brand list if the user selects any of these 3.

I know I have to set a <change> and <condition> tag in XML to toggle the display of the panel and store the selected values. I have now written three condition tags with set token like this:

 

      <change>
        <condition match="A">
          <set token="show_product_panel">true</set>
          <set token="show_product">$value$</set>
        </condition>
        <condition value="B">
          <set token="show_product_panel">true</set>
          <set token="show_product">$value$</set>
        </condition>
        <condition value="C">
          <set token="show_product_panel">true</set>
          <set token="show_product">$value$</set>
        </condition>
        <condition>
          <unset token="show_product_panel"></unset>
          <unset token="show_product"></unset>
        </condition>
      </change>

 

However, I want $show_product$ to hold multiple values instead of one, as it is a multiselect filter. How should I do so? I have tried something like the following in each of the conditions, but it won't work. How can I "append" the values into $show_product$? Thanks.

 

<eval token="show_product">if(isnull($show_product$), $value$, $show_product$.", ".$value$)</eval>

 

 

FYI: the $show_product$ will be passed into the conditional panel like this

 

<row depends="$show_product_panel$">
    <panel>
        <chart>
            <search>
                <query>index IN ("A_a", "A_b")
                    | where match(index, "A_" + $subsidiary$)
                    | dedup id sortby _time
                    | eval "Product Brand" = coalesce('someFieldA',
                    'someFieldB')
                    | search "Product Brand" IN ($show_product$)
                    | timechart span=1mon count by "Product Brand"</query>
                <earliest>$field1.earliest$</earliest>
                <latest>$field1.latest$</latest>
            </search>
            <option name="charting.chart">column</option>
            <option name="charting.drilldown">none</option>
            <option name="refresh.display">progressbar</option>
        </chart>
    </panel>
</row>

 

 

FYI: Product Brand XML code snippet:

 

    <input type="multiselect" token="product_brand" searchWhenChanged="true">
      <label>Product Brand</label>
      <fieldForLabel>brand_combine</fieldForLabel>
      <fieldForValue>brand_combine</fieldForValue>
      <search>
        <query>index IN ("A","B")
| eval brand_combine = coalesce('someFieldA','someFieldB')
| search brand_combine != null
| where match(index, "zendesk_ticket_"  + $subsidiary$) 
| dedup brand_combine
| fields brand_combine</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <delimiter>,</delimiter>
      <change>
        <condition match="A">
          <set token="show_product_panel">true</set>
          <set token="show_product">$value$</set>
        </condition>
        <condition value="B">
          <set token="show_product_panel">true</set>
          <set token="show_product">$value$</set>
        </condition>
        <condition value="C">
          <set token="show_product_panel">true</set>
          <set token="show_product">$value$</set>
        </condition>
        <condition>
          <unset token="show_product_panel"></unset>
          <unset token="show_product"></unset>
        </condition>
      </change>
    </input>

 

0 Karma

ITWhisperer
SplunkTrust

The product_brand token already holds the chosen values.

You can use the prefix, suffix, valuePrefix, valueSuffix and delimiter options to determine how the token is formatted.

Simple XML Reference - Splunk Documentation

0 Karma
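
An added example, not part of the original thread: a minimal Simple XML form showing how the valuePrefix, valueSuffix, delimiter, prefix and suffix options mentioned in the answer shape $product_brand$ so it can be dropped straight into an IN clause. The static choices A, B and C, the dashboard label and the time range are constructed stand-ins for the poster's dynamic search and time input.

```xml
<form version="1.1">
  <label>Product brand token formatting (constructed example)</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="product_brand" searchWhenChanged="true">
      <label>Product Brand</label>
      <choice value="*">All</choice>
      <!-- Constructed static choices standing in for the dynamic search -->
      <choice value="A">A</choice>
      <choice value="B">B</choice>
      <choice value="C">C</choice>
      <default>*</default>
      <!-- Each selected value is wrapped in quotes: A becomes "A" -->
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <!-- The wrapped values are joined: "A", "B" -->
      <delimiter>, </delimiter>
      <!-- prefix and suffix wrap the whole list: ("A", "B") -->
      <prefix>(</prefix>
      <suffix>)</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <!-- $product_brand$ already carries its parentheses and quotes,
               so with A and B selected the filter line becomes:
               | search "Product Brand" IN ("A", "B") -->
          <query>index IN ("A_a", "A_b")
| eval "Product Brand" = coalesce('someFieldA', 'someFieldB')
| search "Product Brand" IN $product_brand$
| timechart span=1mon count by "Product Brand"</query>
          <earliest>-1y</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</form>
```

Quoting each value with valuePrefix and valueSuffix keeps a brand name that contains spaces or commas as a single term in the IN list instead of letting it split into several.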

itnewbie
Explorer

@ITWhisperer Thanks for the reply. Given I use $product_brand$ in the conditional panel now, I still need to set the condition of displaying the panel. At the <condition> tag, how can I set it to accept multiple values? As the above method only accepts a single value at one time, I want it to be

if $product_brand$ IN ANY of product brand ["A", "B", "C"], set the display panel to true

and if not in those 3, just don't display. Any nudge in the right direction? Many thanks. 

0 Karma