Taking a numerical text input for dashboard to narrow down results

AshimaE
Explorer

Hello.
I have achieved result table using sort on a parameter. Here I am directly giving the top 20 highest results.

index=a sourcetype=b host=* earliest=-6h | sort 0 host time| streamstats current=f window=1 values(du) as prevdu by host |where isnotnull(prevdu) |eval useddiff = du - prevdu | eval velo = useddiff/15 | stats avg(velo) by host| table host avg(velo) | rename avg(velo) as velocity | sort -velocity | head 20

Now the task that I want to achieve is that for a text input field I want to read the input as a number and set this as a threshold and only display the top 20 results crossing the threshold.
I had tried

index=a sourcetype=b host=* earliest=-6h | sort 0 host time | streamstats current=f window=1 values(du) as prevdu by host |where isnotnull(prevdu) |eval useddiff = du - prevdu | eval velo = useddiff/15 | stats avg(velo) by host| table host avg(velo) | rename avg(velo) as velocity | convert num($myinput$) as vthold | where velocity >= vthold |sort -velocity | head 20 

But this is not narrowing down the results. I suspect that is because Splunk is reading it as text. Any suggestions how I could achieve the same?

0 Karma
1 Solution

niketn
Legend

@AshimaE, like @yuanliu mentioned, you should be able to use numeric comparison directly from the numeric value passed on from the text box. There is no need to convert the same.

Following is a run anywhere search which performs digit validation on textbox (you can write more specific JavaScript Regular Expression as per your needs). The token tokVelThold to be used in search gets set only when all characters entered in Text Box are digits, otherwise the Search Panel remains hidden since the token is not set.

  <fieldset submitButton="false">
    <input type="text" token="selVelThold">
      <label>Add threshold</label>
      <change>
          <eval token="tokVelThold">case(match(value, &quot;^[0-9]+$&quot;), $value$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>tokVelThold: $tokVelThold$</title>
      <table depends="$tokVelThold$">
        <search>
          <query>| makeresults
| eval velocity=1000
| eval vthold=$tokVelThold$
| where velocity &gt;= vthold 
| sort -velocity
| head 20</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>

Alternatively you can also pass all values from the Text Box to the token and default the value to 0 in case it is not a number through

| eval velThold=$selVelThold$ 
| eval velThold=case(isnum(velThold),velThold,true(),0)
| where velocity &gt;= velThold
| sort -velocity
| head 20
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma


AshimaE
Explorer

The alternative worked well for the case. Thanks a lot.

0 Karma

niketn
Legend

Hi @AshimaE, I have converted my comment to Answer, please Accept if it helped. In the Regular Expression you can handle decimal as well (if you want to perform floating number validation).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
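
The digit check from the accepted answer, extended to decimal thresholds, as an added example that is not part of the original thread. The function names, the length cap and the sample inputs are constructed for illustration; the point is that the token is substituted into the search as text, so only input matching an anchored numeric pattern should ever set it.

```javascript
// Added example: allow-list validation for a dashboard threshold token.
// Function names and sample inputs are hypothetical, not from the thread.

// Digits, optionally followed by a dot and more digits: "20", "0.75".
// Anchored at both ends so nothing can lead or trail the number.
const THRESHOLD_RE = /^[0-9]+([.][0-9]+)?$/;

// Returns the validated threshold as a string, or null when the token
// should stay unset (a panel with depends="$tokVelThold$" then stays hidden).
function validateThreshold(raw) {
  if (typeof raw !== "string") return null;
  const value = raw.trim();
  // The 15-character cap is an arbitrary choice for this example.
  if (value.length === 0 || value.length > 15) return null;
  return THRESHOLD_RE.test(value) ? value : null;
}

// Tail of the search from the thread, with the token inserted as plain
// text, which is how a dashboard token ends up inside the query string.
function buildSearchTail(raw) {
  const threshold = validateThreshold(raw);
  if (threshold === null) return null;
  return `| where velocity >= ${threshold} | sort -velocity | head 20`;
}

// Constructed sample inputs: valid numbers, malformed numbers, and one
// value that would append an extra search command if passed through raw.
const samples = ["20", "0.75", " 3.5 ", "", "abc", "1e3", "5.", ".5", "-2", "10 | head 1"];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", buildSearchTail(s));
}
```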

yuanliu
SplunkTrust

If values in $myinput$ can be interpreted as numbers, it will be used as a number. Have you tried | where velocity >=$myinput$ instead? There should be no convert needed.

0 Karma

AshimaE
Explorer

Yes I did try that. No narrowing down was there. Also I need to consider decimal point numbers as my input as well.

0 Karma