Dashboards & Visualizations

How to select dashboard panel query based on dropdown input selection

adamblock2
Path Finder

I have a dashboard which contains 2 inputs. I have 2 separate queries which would run based on the results of the first input.

<fieldset submitButton="true" autoRun="false">
  <input type="dropdown" token="i_criteria">
    <label>Search Criteria</label>
    <choice value="message_id">Message ID</choice>
    <choice value="from">Sender</choice>
    <choice value="sender_domain">Sender Domain</choice>
    <choice value="x_mailer">X-mailer</choice>
  </input>
  <input type="text" token="s_value" searchWhenChanged="false">
    <label>Search Value</label>
  </input>
</fieldset>

If the user selects Message ID, Sender, or Sender Domain, the first query should run. If the user selects X-mailer, the second query should run.

My first query begins with <query>index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host].......................</query>

The second query begins with <query>index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter | join message_id [search index=mail eventtype=mail_details x_mailer=$s_value|s$ | stats count by message_id, x_mailer| fields x_mailer, message_id] | stats count by internal_message_id, host | fields internal_message_id, host]..................</query>

Assistance with this will be greatly appreciated.

0 Karma

aaraneta_splunk
Splunk Employee

@adamblock2 - Just so you know, there is special markup language on this site so certain symbols will transform your post. If you wrap a word in < or >, without wrapping it in a code sample, it will transform your post. If you wish to show the < > (i.e. you are displaying sample code), simply click on the Code Sample icon to the right of the Blockquote icon in the formatting toolbar.

0 Karma

frobinson_splun
Splunk Employee

Hi @adamblock2,
You can use change and condition elements to set up conditional handling of different input values. You can also use a token to represent the query that should run in either case. Depending on the user selection, set that query token to one or the other search strings in your condition elements.

See http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens#Define_tokens_for_conditional_operation...

and

http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens#Conditional_operations_with_form_inputs

You can also check out the dashboards examples app for more info:
https://splunkbase.splunk.com/app/1603/

Hope this helps!

0 Karma

adamblock2
Path Finder

I think that I might be missing something.

My dashboard contains

  • A text input which populates the token "s_value"
  • A dropdown which populates the token "i_criteria"
  • A dropdown which populates the token "d_status"

I updated my i_criteria dropdown to include the following:

<change>
  <condition value="x_mailer">
    <set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter | join message_id [search index=mail eventtype=mail_details x_mailer=$s_value|s$ | stats count by message_id, x_mailer| fields x_mailer, message_id] | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer by internal_message_id, host | join message_id [search index=mail eventtype=mail_details x_mailer=$s_value|s$ | stats count by message_id, x_mailer| fields x_mailer, message_id] | search delivery_status=$d_status$ | table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time</set>
  </condition>
  <condition value="message_id">
    <set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer by internal_message_id, host | search delivery_status=$d_status$ | join type=outer message_id [search index=mail eventtype=mail_details | eval x_mailer=if(x_mailer="","NULL",x_mailer) | stats count by message_id,x_mailer | fields message_id, x_mailer] | table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time</set>
  </condition>
  <condition value="from">
    <set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer by internal_message_id, host | search delivery_status=$d_status$ | join type=outer message_id [search index=mail eventtype=mail_details | eval x_mailer=if(x_mailer="","NULL",x_mailer) | stats count by message_id,x_mailer | fields message_id, x_mailer] | table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time</set>
  </condition>
  <condition value="sender_domain">
    <set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer by internal_message_id, host | search delivery_status=$d_status$ | join type=outer message_id [search index=mail eventtype=mail_details | eval x_mailer=if(x_mailer="","NULL",x_mailer) | stats count by message_id,x_mailer | fields message_id, x_mailer] | table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time</set>
  </condition>
</change>

I then replaced my query statement with <query>$s_query$</query>

The query does not run. I receive a message "Search Factory: Unknown search command 's'." In addition, the submit button no longer functions.

Any ideas?

Thank you.

0 Karma

frobinson_splun
Splunk Employee

Hm. I'll see if I can replicate the issue in my instance. It might have to do with escaping characters or formatting the search string. I'll report back.

0 Karma

frobinson_splun
Splunk Employee

I tried setting up a similar example with test code.

What worked:
a dropdown whose selection is used (as a token) to conditionally set a query string in a panel.

What didn't work:
Combining tokenized selection or input values from a text box and a dropdown in the query. I don't think they are "aware" of input events on each other, so the query is not getting populated with tokenized values from both the dropdown and the text box.

I'll tinker a bit more with my own source code to see if there's something I can suggest.

0 Karma
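As an added illustration (not code from this thread or from Splunk's documentation), here is a Simple XML variant of the dashboard above that keeps $s_value|s$ and $d_status$ inside the panel <query> elements, where the Submit button and the |s quoting filter apply, and uses the dropdown's <change> handler only to toggle a visibility token that selects which of the two panels is shown. The show_xmailer token, the d_status choices and the shortened search pipelines are assumptions made for the example.

```xml
<form>
  <label>Mail search</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="dropdown" token="i_criteria">
      <label>Search Criteria</label>
      <choice value="message_id">Message ID</choice>
      <choice value="from">Sender</choice>
      <choice value="sender_domain">Sender Domain</choice>
      <choice value="x_mailer">X-mailer</choice>
      <!-- Set only a visibility flag; the search text stays in the panels
           below, so it is rebuilt from the current inputs on every Submit. -->
      <change>
        <condition value="x_mailer">
          <set token="show_xmailer">true</set>
        </condition>
        <condition>
          <unset token="show_xmailer"></unset>
        </condition>
      </change>
    </input>
    <input type="text" token="s_value" searchWhenChanged="false">
      <label>Search Value</label>
    </input>
    <input type="dropdown" token="d_status">
      <label>Delivery Status</label>
      <choice value="*">Any</choice>
    </input>
  </fieldset>
  <!-- Shown for Message ID, Sender and Sender Domain (token unset). -->
  <row>
    <panel rejects="$show_xmailer$">
      <table>
        <search>
          <query>index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host] | search delivery_status=$d_status$ | table _time, delivery_status, subject, from, message_id, x_mailer | sort _time</query>
        </search>
      </table>
    </panel>
  </row>
  <!-- Shown only when X-mailer is selected; |s quotes the typed value. -->
  <row>
    <panel depends="$show_xmailer$">
      <table>
        <search>
          <query>index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter | join message_id [search index=mail eventtype=mail_details x_mailer=$s_value|s$ | stats count by message_id | fields message_id] | stats count by internal_message_id, host | fields internal_message_id, host] | search delivery_status=$d_status$ | table _time, delivery_status, subject, from, message_id, x_mailer | sort _time</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because no form token is embedded in a <set> element, the $s_value|s$ and $d_status$ references are substituted at search time rather than frozen at the moment the dropdown changed.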