- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is it possible to add "starting the search" to the...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I would like to implement some options to show/hide panels in a dashbaord.
Currently the plan to have an option for each panel at the top of the dashboard, so that Splunk users can decide what they want to see.
< input type="checkbox" token="panel_1" searchWhenChanged="true">
<label>Overview</label>
<choice value="true">Show</choice>
<change>
<condition label="Show">
<set token="panel_1">true</set>
</condition>
</change>
<default>true</default>
</input>
< panel depends="$panel_1$">
As far as I understand this, Splunk is running ALL searches when I open the dashboard, no matter what is selected in this option. Is it possible to only start the search of a panel, when the user selects the show option? This would reduce loading times and load caused by the dashboard.
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @HeinzWaescher,
Basically your search meeting the token criteria before your depends clause.
so In you panel query add your token in eval statement so that it will wait for input and not run the query until depends token is set.
try this:
< input type="checkbox" token="panel_1" searchWhenChanged="true">
<label>Overview</label>
<choice value="true">Show</choice>
<change>
<condition label="Show">
<set token="panel_1">true</set>
</condition>
</change>
<default>true</default>
</input>
< panel depends="$panel_1$">
:
:
<query> index=<indexname>|eval temp="$panel_1$"|...remaining query|table <required fields></query>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @HeinzWaescher,
Basically your search meeting the token criteria before your depends clause.
so In you panel query add your token in eval statement so that it will wait for input and not run the query until depends token is set.
try this:
< input type="checkbox" token="panel_1" searchWhenChanged="true">
<label>Overview</label>
<choice value="true">Show</choice>
<change>
<condition label="Show">
<set token="panel_1">true</set>
</condition>
</change>
<default>true</default>
</input>
< panel depends="$panel_1$">
:
:
<query> index=<indexname>|eval temp="$panel_1$"|...remaining query|table <required fields></query>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Very nice approach to add a "useless" token into the search query 🙂 That solves my issue, thanks a lot!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
glad to help 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
have you looked below two answers?
https://answers.splunk.com/answers/222492/how-can-i-have-tabs-with-different-views-in-a-dash.html
https://answers.splunk.com/answers/349981/how-to-combine-2-dashboards-each-with-multiple-pan.html
let me know if this helps!
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
