Conditional dashboards

attgjh1
Communicator

Is there a way to trigger different displays depending on certain conditions?

For example:
If the count for this particular event exceeds 50, I won't want to have a list view. Instead, a line chart would be better to show and track the behaviour trends (or event storm) within that hour, while if it's less than 50, perhaps a list is enough to observe the anomalies.

It doesn't seem possible, but I would still like to throw this question out to more Splunk-savvy folks.

Thanks!

1 Solution

sideview
SplunkTrust

Sure. Here are two ways. Both require using the advanced XML.

1) Using just the core UI modules, you can use a prototype module called "ConditionalSwitcher". Make the first search return not a field called 'count' whose value is greater than or less than 50, but a number of result rows that is greater or less than 50. Downstream from that search put a JobProgressIndicator and the ConditionalSwitcher.

Then set the 'condition' param on the ConditionalSwitcher to "job.getResultCount()>50".
What ConditionalSwitcher does, is if the condition evaluates to true, it shows the first sub-branch, and if not it shows the second sub-branch.

Therefore, under the ConditionalSwitcher we'll have exactly two sub-branches of modules. In the first branch you put your second-stage search and your FlashChart. Then underneath the second sub-branch you put your Paginator and SimpleResultsTable to render your list view.

2) In Sideview Utils 2.0, you have a little more flexibility. You can use the ResultsValueSetter and Switcher modules.

You would have a Search module set up the initial search, whose "count" field we want to check.

Then either in the main search, or in a postProcess, I would create another field called "exceeds50" or something, whose value (true/false) is set by a conditional eval statement that checks the count for whether it's greater than 50.

Then the ResultsValueSetter module is used to pull the 'exceeds50' field from splunkd's search results, down to the UI and available to the downstream modules as a dollar token (to be precise, as $exceeds50$).

Then downstream from the ResultsValueSetter you have your Switcher module, with its "selectedGroup" param set to "$exceeds50$".

Then, much like with ConditionalSwitcher, you'd have two child branches underneath the Switcher module, one with group="true" and one with group="false".

In the group="true" branch, you'd have your Search, FlashChart, etc... Whereas in the group="false" branch, you'd have your list view.

The overall effect of this will be that when the Switcher module sees $exceeds50$ with a value of 'true', it shows the first branch, and when $exceeds50$ is false it shows the other one. The overall advantages of Switcher over ConditionalSwitcher don't really come to light in this somewhat simple use case, but there are several.
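
Option 2 from the answer above, sketched as an advanced XML view. This is an added example, not part of the original post and not taken from Sideview Utils' own examples; the index, sourcetype, label, layoutPanel values and the `fields` param on ResultsValueSetter are assumptions to check against the module docs for your version.

```xml
<!-- Added example; not from the post or from Sideview Utils. The index,
     sourcetype, label and layoutPanel values are constructed placeholders. -->
<view template="dashboard.html">
  <label>Conditional display (constructed example)</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <!-- Assumption: Sideview Utils views include this module once. -->
  <module name="SideviewUtils" layoutPanel="appHeader"/>

  <!-- Stage 1: count the events and derive the true/false switch field. -->
  <module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">index=main sourcetype=constructed_events earliest=-1h | stats count | eval exceeds50=if(count>50, "true", "false")</param>

    <!-- Pull exceeds50 from the search results into the UI as $exceeds50$. -->
    <module name="ResultsValueSetter">
      <param name="fields">exceeds50</param>
      <module name="Switcher">
        <param name="selectedGroup">$exceeds50$</param>

        <!-- Shown when $exceeds50$ is "true": trend line for the event storm. -->
        <module name="Search" group="true">
          <param name="search">index=main sourcetype=constructed_events earliest=-1h | timechart span=1m count</param>
          <module name="HiddenChartFormatter">
            <param name="chart">line</param>
            <module name="FlashChart"/>
          </module>
        </module>

        <!-- Shown when $exceeds50$ is "false": plain list view. -->
        <module name="Search" group="false">
          <param name="search">index=main sourcetype=constructed_events earliest=-1h | table _time host source _raw</param>
          <module name="Paginator">
            <param name="entityName">results</param>
            <module name="SimpleResultsTable"/>
          </module>
        </module>
      </module>
    </module>
  </module>
</view>
```

The eval emits the strings "true" and "false" so that they match the group attributes on the two child branches exactly.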

sideview
SplunkTrust

No, there isn't an example in Sideview Utils yet. I can add one though. If you look at the ResultsValueSetter docs and at the Switcher docs, then re-read the above you can probably figure it out. But I will try and add an example to Sideview Utils.

0 Karma

royimad
Builder

Is there any example of using option 2) with Sideview? I actually have the same issue, where I need to run 2 different searches on the same panel based on the host selected from a drop-down list. The reason why I need this conditional switching is that one of my searches is a saved search and I need to set it up as the default when the page loads. How can I do that technically?

0 Karma