How to dynamically send the token value to the sea...

sbollam · ‎09-03-2020

Hello,

I have dashboard which contains three inputs and a single panel which one search.

input 1: It's a dropdown with following name and values:
a: 1
b: 2

input2: It's a dropdown with following name and values:
Jan: "earliest=01/01/2020 00:00:00" latest=01/01/2020 24:00:00"
Feb: "earliest=01/02/2020 00:00:00" latest=01/02/2020 24:00:00"

input3: it's time

when i choose input1 as 1, input2 should be shown and input3 needs to be hidden and whatever the value i choose from input2(month) need to be passed to the search.
when i choose input1 as 2, input3 should be shown and input2 needs to be hidden and whatever the value i choose from input3(time) need to be passed to the search.

niketn · ‎09-05-2020

@sbollam please try the following run anywhere example. See if it fits your needs

<form>
  <label>Dynamically Send the Token</label>
  <init>
    <unset token="runSearch"></unset>
    <unset token="showInput2"></unset>
    <unset token="showInput3"></unset>
  </init>
  <fieldset submitButton="false">
    <input type="dropdown" token="input1" searchWhenChanged="true">
      <label>input1</label>
      <choice value="1">1</choice>
      <choice value="2">2</choice>
      <change>
        <condition value="1">
          <set token="showInput2">true</set>
          <unset token="showInput3"></unset>
          <unset token="runSearch"></unset>
          <unset token="form.input3"></unset>
        </condition>
        <condition value="2">
          <set token="showInput3">true</set>
          <unset token="showInput2"></unset>
          <unset token="runSearch"></unset>
          <unset token="form.input2"></unset>
        </condition>
      </change>
    </input>
    <input depends="$showInput2$" type="dropdown" token="input2" searchWhenChanged="true">
      <label>input2</label>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <search depends="$showInput2$">
        <query>| makeresults count=12
| fields - _time
| streamstats count as sno
| eval prev=sno-1
| eval label=strftime(relative_time(now(),"@y+".prev."mon"),"%b")
| eval value="earliest=\"@y+".prev."mon\" latest=\"@y+".prev."mon+1d-1s\""</query>
        <earliest>-1s</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition match="isnotnull($value$)">
          <set token="runSearch">$value$</set>          
        </condition>
        <condition>
          <unset token="runSearch"></unset>
        </condition>
      </change>
    </input>
    <input depends="$showInput3$" type="dropdown" token="input3">
      <label>input3</label>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <search depends="$showInput3$">
        <query>| makeresults
| fields - _time
| eval label="yesterday",value="earliest=-1d@d latest=-0d@d-1s"</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition match="isnotnull($value$)">
          <set token="runSearch">$value$</set>          
        </condition>
        <condition>
          <unset token="runSearch"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search depends="$runSearch$">
          <query>| makeresults 
| eval inputValue=$runSearch|s$</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How to dynamically send the token value to the search based on the multiple inputs?

token

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms