
How to create dynamic commands in search?

lakromani
Builder

I would like to change the commands within a dashboard.

I have a dropdown box like this:

<input type="radio" token="radio" searchWhenChanged="true">
  <label>Radio</label>
  <choice value="*">All</choice>
  <choice value="Dot11Radio0">2.4 GHz</choice>
  <choice value="Dot11Radio1">5.0 Ghz</choice>
  <default>*</default>
</input>

Then I would like the timechart to reflect what's selected in the dropdown box.

<query>source="snmp://Cisco-Wifi-clients"
            | eval info=case(
                radio=="Dot11Radio0"
                    ,"avg(low) AS 2.4GHz"
                ,radio=="Dot11Radio1"
                    ,"avg(high) AS 5.0Ghz"
                ,1==1,"avg(high) AS 5.0Ghz avg(low) AS 2.4GHz")
            | timechart $info$</query>

But this does not work.

Anyone have another way to get this to work?

Here is the base idea:
This works:

index=_internal user=* | timechart count by user limit=10

This does not.

index=_internal user=* | eval test="count by user limit=10" | timechart $test$
0 Karma
1 Solution

niketn
Legend

@lakromani... Shift the logic of your dynamic timechart aggregation from search to your input radio selection's change event. Try the following:

<input type="radio" token="radio" searchWhenChanged="true">
  <label>Radio</label>
  <choice value="*">All</choice>
  <choice value="Dot11Radio0">2.4 GHz</choice>
  <choice value="Dot11Radio1">5.0 Ghz</choice>
  <default>*</default>
  <change>
    <condition value="Dot11Radio0">
      <set token="aggrQuery">avg(low) AS 2.4GHz</set>
    </condition>
    <condition value="Dot11Radio1">
      <set token="aggrQuery">avg(high) AS 5.0Ghz</set>
    </condition>
    <condition>
      <set token="aggrQuery">avg(high) AS 5.0Ghz avg(low) AS 2.4GHz</set>
    </condition>
  </change>
</input>

Use $aggrQuery$ token later in your search next to timechart.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


briancronrath
Contributor

What if you just made the choice value be what you eval to in your query and pass that as a token?

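<input type="radio" token="radio" searchWhenChanged="true">
  <label>Radio</label>
  <!-- "All" must also expand to a valid aggregation; "*" would produce "timechart *" -->
  <choice value="avg(high) AS 5.0Ghz avg(low) AS 2.4GHz">All</choice>
  <choice value="avg(low) AS 2.4GHz">2.4 GHz</choice>
  <choice value="avg(high) AS 5.0Ghz">5.0 Ghz</choice>
  <default>avg(high) AS 5.0Ghz avg(low) AS 2.4GHz</default>
</input>

<query>source="snmp://Cisco-Wifi-clients"
            | timechart $radio$</query>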
0 Karma

lakromani
Builder

Problem is that I use $radio$ other places in my config, and its value cannot be changed.

0 Karma

lakromani
Builder

Perfect. This did what I was looking for. Since the $radio$ was used elsewhere in the script I could not change it.

But I still do not understand why I cannot set the $aggrQuery$ within the panel section of the Dashboard. This could be added by the Splunk guys 🙂

0 Karma
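Added example, not part of any post in this thread: a simplified Python model of the behaviour discussed above. Dashboard tokens are substituted as text before the search is dispatched, so a field created by `eval` inside the search can never fill `$info$`, while a token set in the input's `<change>` block can. The function names and the first-match condition ordering are assumptions of this model, not Splunk's implementation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the radio input with <change> conditions from the accepted answer.
INPUT_XML = """
<input type="radio" token="radio" searchWhenChanged="true">
  <choice value="*">All</choice>
  <choice value="Dot11Radio0">2.4 GHz</choice>
  <choice value="Dot11Radio1">5.0 Ghz</choice>
  <default>*</default>
  <change>
    <condition value="Dot11Radio0"><set token="aggrQuery">avg(low) AS 2.4GHz</set></condition>
    <condition value="Dot11Radio1"><set token="aggrQuery">avg(high) AS 5.0Ghz</set></condition>
    <condition><set token="aggrQuery">avg(high) AS 5.0Ghz avg(low) AS 2.4GHz</set></condition>
  </change>
</input>
"""
# Panel queries: one uses the dashboard token, one tries to use an eval field as a token.
GOOD_QUERY = 'source="snmp://Cisco-Wifi-clients" | timechart $aggrQuery$'
BAD_QUERY = 'source="snmp://Cisco-Wifi-clients" | eval info="avg(low) AS 2.4GHz" | timechart $info$'

TOKEN = re.compile(r"\$(\w+)\$")

def tokens_for(selection):
    """Token model after `selection` is chosen: the input token plus <set> results."""
    inp = ET.fromstring(INPUT_XML)
    tokens = {inp.get("token"): selection}
    for cond in inp.find("change").findall("condition"):
        # First matching condition wins; a condition without value= is the catch-all.
        if cond.get("value") in (None, selection):
            for s in cond.findall("set"):
                tokens[s.get("token")] = s.text
            break
    return tokens

def render(query, tokens):
    """Textual substitution done before dispatch; returns (spl, unresolved token names)."""
    missing = [name for name in TOKEN.findall(query) if name not in tokens]
    spl = TOKEN.sub(lambda m: tokens.get(m.group(1), m.group(0)), query)
    return spl, missing

if __name__ == "__main__":
    for choice in ("*", "Dot11Radio0", "Dot11Radio1"):
        print(choice, "->", render(GOOD_QUERY, tokens_for(choice)))
    # $info$ stays unresolved: eval runs inside the search, after substitution.
    print(render(BAD_QUERY, tokens_for("Dot11Radio0")))
```

Because every condition sets `aggrQuery` to a fixed string, the text that lands in command position is always one of three known values, whatever the selection is.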

niketn
Legend

Splunk has a map command where you can recursively execute SPL for a selected field (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map). I have used makeresults but you can use timechart instead.

<fieldset>
  <input type="radio" token="radio" searchWhenChanged="true">
    <label>Radio</label>
    <choice value="*">All</choice>
    <choice value="Dot11Radio0">2.4 GHz</choice>
    <choice value="Dot11Radio1">5.0 Ghz</choice>
    <default>*</default>
  </input>
</fieldset>

<row>
  <panel>
    <table>
      <search>
        <!-- $$aggrQuery$$ is escaped so the dashboard passes a literal $aggrQuery$ to map, which fills it from the eval field -->
        <query>| makeresults
| eval aggrQuery=case("$radio$"=="Dot11Radio0","avg(low) AS 2.4GHz","$radio$"=="Dot11Radio1","avg(high) AS 5.0Ghz",true(),"avg(high) AS 5.0Ghz avg(low) AS 2.4GHz")
| map search="| makeresults | eval UseMappedresult=\"$$aggrQuery$$\""</query>
        <sampleRatio>1</sampleRatio>
      </search>
    </table>
  </panel>
</row>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

rcarinha
New Member

Hi lakromani.

You probably need this:

index=_internal user=* | timechart count by user limit=10 | search radio="$radio$"
0 Karma