Solved: Splunk dashboard : Text input token is caching the...

bhavika100 · ‎07-22-2021

I have a dashboard with multiple inputs. These inputs are like filters on top of basic search. I want

1. if phone mdn and both devicemdn is provided then its a OR between them on top of the base search

base search | search phonemdn=<value> OR devicemdn=<value>

2. if only phone mdn is provided then should be

base search | search phonemdn=<value>

3. if only device mdn is provided then should be

base search | search devicemdn=<value>

Here is my dashboard xml:

<form>
  <label>Dashboard</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="text" token="phonemdn" searchWhenChanged="false">
      <label>PHONE MDN</label>
      <default></default>
      <change>
        <condition>
          <eval token="phonemdn_exp">if(len(trim($value$)) == 0,"","| search phonemdn=".$value$)</eval>
        </condition>
      </change>
    </input>
    <input type="text" token="devicemdn">
      <label>DEVICE MDN</label>
      <default></default>
      <change>
        <condition>
          <eval token="devicemdn_exp">if(len(trim($value$)) == 0, "" , if(len(trim($phonemdn$)) == 0, "| search devicemdn=".$value$, "OR devicemdn=".$value$))</eval>
        </condition>
      </change>
    </input>
    <input type="dropdown" token="logtype" searchWhenChanged="true">
      <label>LOG TYPE</label>
      <choice value="*">ALL</choice>
      <choice value="server">Watch</choice>
      <choice value="application">Application</choice>
      <change>
        <condition value="server">
          <set token="filter_search_base">| search index=new | spath app | search app=newapp </set>
          <set token="logtype_lab">logtype=server</set>
          <set token="logtype_exp">| search source=Band | eval source="Band"</set>
        </condition>
        <condition value="application">
          <set token="filter_search_base">| search index=main | spath app | search app!=simulator</set>
          <set token="logtype_lab">logtype=Application</set>
          <set token="logtype_exp">| search source=Application</set>
        </condition>
        <condition value="*">
          <set token="filter_search_base">|multisearch
                [search index=new | spath app | search app=newapp]
                [search index=main | spath app | search app!=simulator]</set>
          <set token="logtype_lab">All Source</set>
          <set token="logtype_exp"></set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>SEARCHING:  $logtype_lab$ $phonemdn_exp$ $devicemdn_exp$</title>
        <search>
          <query>$filter_search_base$ $phonemdn_exp$ $devicemdn_exp$</query>
          <earliest>$timefield.earliest$</earliest>
          <latest>$timefield.latest$</latest>
        </search>
    </panel>
  </row>
</form>

So my first query always works but later I feel like the input value for phonemdn and devicemdn is getting cached and future query didn't work as expected.

if I have input both phonemdn and devicemdn : query is base search | search phonemdn=<value> OR devicemdn=<value>

then if I delete value from phone mdn and only keep devicemdn then,

actual query : base search OR devicemdn=<value>

expected query : base search | search devicemdn=<value>

I feel like somehow the phonemdn value from the first query is getting cached somehow. Please help me to resolve this issue. let me know if you need more information. thanks!!

kamlesh_vaghela · ‎07-23-2021

@bhavika100

Generally I'm using search approach for this kind of situations. Can you please try this?

<form>
  <label>Dashboard</label>
  <search>
    <done>
      <set token="condition">$result.search$</set>
    </done>
    <query>| makeresults | eval phonemdn="$tkn_phonemdn$",devicemdn="$tkn_devicemdn$" | eval search=case(len(trim(phonemdn))==0 AND len(trim(devicemdn))==0,"", len(trim(phonemdn))==0 AND len(trim(devicemdn))!=0,"| search devicemdn=".devicemdn,len(trim(phonemdn))!=0 AND len(trim(devicemdn))==0,"| search phonemdn=".phonemdn, len(trim(phonemdn))!=0 AND len(trim(devicemdn))!=0,"| search phonemdn=".phonemdn." OR devicemdn=".devicemdn )</query>
  </search>
  <fieldset submitButton="true" autoRun="true">
    <input type="text" token="phonemdn" searchWhenChanged="false">
      <label>PHONE MDN</label>
      <default></default>
      <change>
        <set token="tkn_phonemdn">$value$</set>
      </change>
    </input>
    <input type="text" token="devicemdn">
      <label>DEVICE MDN</label>
      <default></default>
      <change>
        <set token="tkn_devicemdn">$value$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>SEARCHING: $condition$</title>
      <table>
        <search>
          <query>filter_search_base $condition$</query>
        </search>
      </table>
    </panel>
  </row>
</form>

$condition$ will have your required condition and do necessary changes in condition for your required panel.

Thanks
KV
▄︻̷̿┻̿═━一 😎

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

ITWhisperer · ‎07-23-2021

Instead of this

<eval token="devicemdn_exp">if(len(trim($value$)) == 0, "" , if(len(trim($phonemdn$)) == 0, "| search devicemdn=".$value$, "OR devicemdn=".$value$))</eval>

try this

<eval token="devicemdn_exp">if(len(trim($value$)) == 0, "" , if(len(trim($form.phonemdn$)) == 0, "| search devicemdn=".$value$, "OR devicemdn=".$value$))</eval>

bhavika100 · ‎07-23-2021

@ITWhisperer ..Thanks for checking. I tried this but it didn't work for me.

kamlesh_vaghela · ‎07-23-2021

@bhavika100

Generally I'm using search approach for this kind of situations. Can you please try this?

<form>
  <label>Dashboard</label>
  <search>
    <done>
      <set token="condition">$result.search$</set>
    </done>
    <query>| makeresults | eval phonemdn="$tkn_phonemdn$",devicemdn="$tkn_devicemdn$" | eval search=case(len(trim(phonemdn))==0 AND len(trim(devicemdn))==0,"", len(trim(phonemdn))==0 AND len(trim(devicemdn))!=0,"| search devicemdn=".devicemdn,len(trim(phonemdn))!=0 AND len(trim(devicemdn))==0,"| search phonemdn=".phonemdn, len(trim(phonemdn))!=0 AND len(trim(devicemdn))!=0,"| search phonemdn=".phonemdn." OR devicemdn=".devicemdn )</query>
  </search>
  <fieldset submitButton="true" autoRun="true">
    <input type="text" token="phonemdn" searchWhenChanged="false">
      <label>PHONE MDN</label>
      <default></default>
      <change>
        <set token="tkn_phonemdn">$value$</set>
      </change>
    </input>
    <input type="text" token="devicemdn">
      <label>DEVICE MDN</label>
      <default></default>
      <change>
        <set token="tkn_devicemdn">$value$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>SEARCHING: $condition$</title>
      <table>
        <search>
          <query>filter_search_base $condition$</query>
        </search>
      </table>
    </panel>
  </row>
</form>

$condition$ will have your required condition and do necessary changes in condition for your required panel.

Thanks
KV
▄︻̷̿┻̿═━一 😎

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

bhavika100 · ‎07-23-2021

@kamlesh_vaghela Thanks for quick response. I tried this solution and after some minor change it worked for me.

Splunk dashboard : Text input token is caching the previously entered value.

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!