Solved: dynamic valueSuffix tag

fsaporito · ‎12-11-2019

Hello,

I have this checkbox in my dashboard:

<input type="multiselect" token="t_case" searchWhenChanged="true">
      <label>Cases</label>
      <search base="base">
        <query>| dedup Rule</query>
      </search>
      <delimiter> , </delimiter>
      <fieldForLabel>Rule</fieldForLabel>
      <fieldForValue>Rule</fieldForValue>
      <default>FUAA01,NML02,WML01,WML02</default>
      <valuePrefix>count(eval(Rule="</valuePrefix>
      <valueSuffix>")) AS $value$</valueSuffix>
    </input>

the problem is valueSuffix, it seems cannot be "dynamic" (i.e. the suffix is totally missing because it seems it cannot evaluate $value$ and it's totally lost).
this token is evaluated in a chart command and this should be the final output (with two selected values, for example):

chart count(eval(Rule="FUAA01")) AS FUAA101 , count(eval(Rule="NML02")) AS NML02 over date_month by CustomerID

Is there a way to achieve that, only with XML?

thanks,
Fausto

to4kawa · ‎12-22-2019

Dashboard Input:

<input type="multiselect" token="t_case" searchWhenChanged="true">
    <label>Cases</label>
    <fieldForLabel>Rule</fieldForLabel>
    <fieldForValue>case</fieldForValue>
    <search base="base">
    <query> 
| dedup Rule 
| mvcombine Rule 
| eval prefix="count(eval(Rule=\"" 
| eval sufix="\")) AS " 
| mvexpand Rule 
| eval case=prefix.Rule.sufix.Rule 
| table case Rule</query>
    </search>
    <delimiter> </delimiter>
    <default>"count(eval(Rule=""FUAA01"")) AS FUAA01","count(eval(Rule=""NML02"")) AS NML02","count(eval(Rule=""WML01"")) AS WML01","count(eval(Rule=""WML02"")) AS WML02"</default>
    </input>

Query:

 | chart $t_case$ over date_month by CustomerID

My sample XML:

<form>
  <label>dynamic token</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="t_case" searchWhenChanged="true">
      <label>Cases</label>
      <fieldForLabel>Rule</fieldForLabel>
      <fieldForValue>case</fieldForValue>
      <search>
        <query>| makeresults
| eval Rule=split("FUAA01,NML02,WML01,WML02",",")
| mvexpand Rule 
| table Rule
| mvcombine Rule
| eval prefix="count(eval(Rule=\""
| eval sufix="\")) AS "
| mvexpand Rule
| eval case=prefix.Rule.sufix.Rule
| table case Rule</query>
      </search>
      <delimiter> </delimiter>
      <default>"count(eval(Rule=""FUAA01"")) AS FUAA01"</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-1y@d"), relative_time(_time,"@d"))
| makecontinuous span=1d _time
| eval Rule=mvindex(split("FUAA01,NML02,WML01,WML02",","),(random() % 4))
| eval CustomerID="ID".(random() % 5 + 1)
| table _time CustomerID Rule
| eval date_month=strftime(_time,"%m")
| chart $t_case$ over date_month by CustomerID</query>
          <earliest>-1d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Hi, @fsaporito
I managed to do it.

View solution in original post

to4kawa · ‎12-22-2019

Dashboard Input:

<input type="multiselect" token="t_case" searchWhenChanged="true">
    <label>Cases</label>
    <fieldForLabel>Rule</fieldForLabel>
    <fieldForValue>case</fieldForValue>
    <search base="base">
    <query> 
| dedup Rule 
| mvcombine Rule 
| eval prefix="count(eval(Rule=\"" 
| eval sufix="\")) AS " 
| mvexpand Rule 
| eval case=prefix.Rule.sufix.Rule 
| table case Rule</query>
    </search>
    <delimiter> </delimiter>
    <default>"count(eval(Rule=""FUAA01"")) AS FUAA01","count(eval(Rule=""NML02"")) AS NML02","count(eval(Rule=""WML01"")) AS WML01","count(eval(Rule=""WML02"")) AS WML02"</default>
    </input>

Query:

 | chart $t_case$ over date_month by CustomerID

My sample XML:

<form>
  <label>dynamic token</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="t_case" searchWhenChanged="true">
      <label>Cases</label>
      <fieldForLabel>Rule</fieldForLabel>
      <fieldForValue>case</fieldForValue>
      <search>
        <query>| makeresults
| eval Rule=split("FUAA01,NML02,WML01,WML02",",")
| mvexpand Rule 
| table Rule
| mvcombine Rule
| eval prefix="count(eval(Rule=\""
| eval sufix="\")) AS "
| mvexpand Rule
| eval case=prefix.Rule.sufix.Rule
| table case Rule</query>
      </search>
      <delimiter> </delimiter>
      <default>"count(eval(Rule=""FUAA01"")) AS FUAA01"</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-1y@d"), relative_time(_time,"@d"))
| makecontinuous span=1d _time
| eval Rule=mvindex(split("FUAA01,NML02,WML01,WML02",","),(random() % 4))
| eval CustomerID="ID".(random() % 5 + 1)
| table _time CustomerID Rule
| eval date_month=strftime(_time,"%m")
| chart $t_case$ over date_month by CustomerID</query>
          <earliest>-1d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Hi, @fsaporito
I managed to do it.

fsaporito · ‎01-08-2020

Very very nice solution indeed! Perfect!
Thanks a lot!

dynamic valueSuffix tag

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

dynamic valueSuffix tag

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits