Dashboards & Visualizations

Dashboard - Using Dropdown to select which month data is displayed

Altoid17
Explorer

Hi All, 

I have 12 months worth of data that is contained on individual separate .csv files within my lookup tables. 
Ie - | inputlookup JanStats.csv & | Inputlookup FebStats.csv etc

I have a dashboard that has about 12 different panels each showing different stats and visuals all coming from the one lookup table.

Ie-  one panel is showing how many hours spent in which category :

| inputlookup JanStats.csv
| stats sum(Duration) as total by Entry

Instead of creating 12 different monthed dashboards with all the same panels, I want to be able to use a drop down input button to select the month and have that months data from the individual lookup to display across the 12 panels on the one dash. 

I started mucking around with this below, which works as such, but it is only showing the 1 panel search..where as i have 12 panels to search each time the drop down is selected - i am struggaling to figure out how to add in the extra panels i have ( they are of similar searchs, ie stats sum(Recovery) by User.  

 

<form>

  <label>Drop Down Testing</label>

  <fieldset submitButton="false"></fieldset>

  <row>

    <panel>

      <input type="dropdown" token="Month" searchWhenChanged="true">

        <choice value="1">January</choice>

        <choice value="2">February</choice>

        <choice value="3">March</choice>

        <default></default>

        <change>

          <condition value="1">

            <set token="new_search">| inputlookup JanStats.csv  | stats sum(Duration) AS total by Entry  | table total</set>

          </condition>

          <condition value="2">

            <set token="new_search">| inputlookup FebStats.csv  | stats sum(Duration) AS total by Entry  | table total</set>

          </condition>

          <condition value="3">

            <set token="new_search">| inputlookup MarchStats.csv  | stats sum(Duration) AS total by Entry  | table total</set>

          </condition>

        </change>

      </input>

      <single>

        <search>

          <query>$new_search$</query>

          <earliest>-4h@m</earliest>

          <latest>now</latest>

        </search>

        <option name="colorMode">block</option>

        <option name="drilldown">all</option>

        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>

        <option name="useColors">1</option>

      </single>

    </panel>

  </row>

</form>

Labels (1)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

Here is a starting point for you. It auto generates the dropdown values for you. Rather than set the search string in the input, just set the month name, then in each of your panels, you will do

| inputlookup $Month$Stats.csv....

and that will replace the $Month$ with whatever you pick from the drop down.

This example shows you how you can use a base search to optimise the dashboard rather than having all 12 panels do the same inputlookup and stats. This may work for you, but it is a useful technique to reduce the load of the dashboard.

<form>
  <label>Drop Down Testing</label>
  <fieldset submitButton="false"></fieldset>
  <search id="my_base_search">
    <query>
    | inputlookup $Month$Stats.csv
    | stats sum(Duration) AS total avg(Duration) AS average min(Duration) AS minimum max(Duration) AS maximum by Entry</query>
    <earliest>-4h@m</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <input type="dropdown" token="Month" searchWhenChanged="true">
        <label>Month</label>
        <fieldForLabel>full_month</fieldForLabel>
        <fieldForValue>short_month</fieldForValue>
        <search>
          <query>| makeresults
| eval m=mvrange(1,13,1)
| mvexpand m
| eval m=strptime("2022-".m."-02", "%F")
| eval short_month=strftime(m, "%b")
| eval full_month=strftime(m, "%B")</query>
        </search>
      </input>
      <single>
        <search>
          <query>| inputlookup $Month$Stats.csv  | stats sum(Duration) AS total by Entry  | table total</query>
          <earliest>-4h@m</earliest>
          <latest>now</latest>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="useColors">1</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>Total</title>
        <search base="my_base_search">
          <query>| table average</query>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="useColors">1</option>
      </single>
      <single>
        <title>Average</title>
        <search base="my_base_search">
          <query>| table minimum</query>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="useColors">1</option>
      </single>
      <single>
        <title>Minimum</title>
        <search base="my_base_search">
          <query>| table total</query>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="useColors">1</option>
      </single>
      <single>
        <title>Maximum</title>
        <search base="my_base_search">
          <query>| table maximum</query>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
</form>

 

 

View solution in original post

0 Karma

Altoid17
Explorer

Thanks for the quick reply, i will have a look and see if the above is a more efficient way of doing things.. It seems like it may be. 

I did manage to get my code working by adding a new line to the source and then by changing the panels search to reflect $new_search$ & $new_search1$ - then when utilising the drop down, it changes both panels on each different month as wanted .. now just need to add all the rest of the panels and months.

<set token="new_search">| inputlookup Janstats.csv  | stats count by Priority </set>

<set token="new_search1">| inputlookup Janstats.csv | stats sum(Duration) AS total by Entry  </set>

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Here is a starting point for you. It auto generates the dropdown values for you. Rather than set the search string in the input, just set the month name, then in each of your panels, you will do

| inputlookup $Month$Stats.csv....

and that will replace the $Month$ with whatever you pick from the drop down.

This example shows you how you can use a base search to optimise the dashboard rather than having all 12 panels do the same inputlookup and stats. This may work for you, but it is a useful technique to reduce the load of the dashboard.

<form>
  <label>Drop Down Testing</label>
  <fieldset submitButton="false"></fieldset>
  <search id="my_base_search">
    <query>
    | inputlookup $Month$Stats.csv
    | stats sum(Duration) AS total avg(Duration) AS average min(Duration) AS minimum max(Duration) AS maximum by Entry</query>
    <earliest>-4h@m</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <input type="dropdown" token="Month" searchWhenChanged="true">
        <label>Month</label>
        <fieldForLabel>full_month</fieldForLabel>
        <fieldForValue>short_month</fieldForValue>
        <search>
          <query>| makeresults
| eval m=mvrange(1,13,1)
| mvexpand m
| eval m=strptime("2022-".m."-02", "%F")
| eval short_month=strftime(m, "%b")
| eval full_month=strftime(m, "%B")</query>
        </search>
      </input>
      <single>
        <search>
          <query>| inputlookup $Month$Stats.csv  | stats sum(Duration) AS total by Entry  | table total</query>
          <earliest>-4h@m</earliest>
          <latest>now</latest>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="useColors">1</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>Total</title>
        <search base="my_base_search">
          <query>| table average</query>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="useColors">1</option>
      </single>
      <single>
        <title>Average</title>
        <search base="my_base_search">
          <query>| table minimum</query>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="useColors">1</option>
      </single>
      <single>
        <title>Minimum</title>
        <search base="my_base_search">
          <query>| table total</query>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="useColors">1</option>
      </single>
      <single>
        <title>Maximum</title>
        <search base="my_base_search">
          <query>| table maximum</query>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
</form>

 

 

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...