Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set two tokens off one dropdown in dashboard?

fairje
Communicator
‎06-25-2018 08:47 AM

New fun dashboarding issue. I'm trying to set two different tokens off one dropdown. Is this possible?
I have a dropdown input with a token called $application$. I have one dashboard that summarizes things by IP Address and the drilldown for that is set based on a condition. If you click on the Total at the bottom of the table it will set one thing, otherwise it goes for the $click.value$. This drives a second dashboard that uses a kvstore lookup which is prefiltered using a rather clever (I thought anyway) subsearch to set the where clause. This subsearch uses $application$ in it's function narrow the list of IP Addresses it is initially looking at. I'm trying to make it so if I change the dropdown pointing to $application$ I can get it to update the search and rerun it.

So this looks something like this right now:

<init>
  <set token="ip">([subsearch stuff | where application="$application$" | return 1000 IP_Address])</set>
</init>
<input type="dropdown" token="application" searchWhenChanged="true">
</input>
<table>
  <title>Search 1 - By IP address</title>
  <search>some search here | where application=$application$ | stats count by IP_Address 
          | addcoltotals labelfield="IP_Address"</search>
  <drilldown>
    <condition match="match('click.value', &quot;Total&quot;)">
      <set token="ip">([subsearch stuff | where application="$application$" | return 1000 IP_Address])</set>
    </condition>
    <condition>
      <set token="ip">$click.value$</set>
      <eval token="ip">"IP_Address="+$ip$</eval>
    </condition>
  </drilldown>
</table>
<table>
  <title>Search 2 - Details</title>
  <search>| inputlookup kvstorelookup where $ip$ | do some stuff</search>
</table>

So as of right now, as long as I don't change application, I can get Search 1 to affect Search 2 to my hearts content. It will happily switch the value back and forth between IP_Address=someip and the subsearch ([subsearch stuff | where application="$application$" | return 1000 IP_Address]) but when I change the value of $application$ I have to reclick "Total" in Search 1 in order to update the value of $application$ in search two. Effectively what I would like to do is when you change the value of $application$ have it overwrite the value of $ip$ back to the subsearch value with the new application defined.

Oh, the reason I am using the where clause at all on the kvstore is without this the search will take 3x as long (45 seconds instead of 15 seconds). And then once I overwrite the value of $ip$ to just a single IP it will reduce that further down to a ~3 second search. This greatly enhances user experience, if I can just get the last piece to work.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎06-25-2018 09:43 AM

@fairje seems like you are missing the code for dropdown input application. However, to answer your question, on change of the dropdown value you can set multiple tokens using <change> event handler. The code would look something like the following:

 <input type="dropdown" token="application" searchWhenChanged="true">
 ...
 ...
         <change>
               <set token="ip">([subsearch stuff | where application="$value$" | return 1000 IP_Address])</set>
         </change>
 </input>

PS: Predefined tokens $value$ and $label$ inside the <change> event handlers are used to access selected value and label respective in the dropdown. Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#Event_handler_element

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎06-25-2018 09:43 AM

@fairje seems like you are missing the code for dropdown input application. However, to answer your question, on change of the dropdown value you can set multiple tokens using <change> event handler. The code would look something like the following:

 <input type="dropdown" token="application" searchWhenChanged="true">
 ...
 ...
         <change>
               <set token="ip">([subsearch stuff | where application="$value$" | return 1000 IP_Address])</set>
         </change>
 </input>

PS: Predefined tokens $value$ and $label$ inside the <change> event handlers are used to access selected value and label respective in the dropdown. Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#Event_handler_element

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

fairje
Communicator
‎06-25-2018 01:00 PM

Ah, I somehow totally overlooked this section of the documentation when I was scratching my head over how to do it. This is exactly what I was looking for!

Yeah, I had left off the excess code since I was trying not to flood the question with a giant wall of text and keep things simpler to understand what I was seeking.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎06-25-2018 09:38 AM

Okay, when designing complex interactions, you need to make sure that you avoid what is called a "race" condition - where A changes B, which changes A again.

Second, if your token $application$ isn't going to be manipulated by the dropdown, then it doesn't need to be an input... it can just be a naked token. If it is going to be manipulated by the dropdown, then the dropdown should have a source query.

We're going to assume that the source query is there, but you've deleted it to simplify the presentation of your question. If that's the case, you just need a <change> condition on the application dropdown to reset your subsearch.

<fieldset>
  <input type="dropdown" token="application" searchWhenChanged="true">
    <query>your search that populates dropdown</query>
    <fieldForLabel></fieldForLabel>
    <fieldForValue></fieldForValue>
    <change>
      <set token="ip">([subsearch stuff | where application="$value$" | return 1000 IP_Address])</set>
    </change>
  </input>
</fieldset>

updated $application$ to $value$ as per best practices suggestion from @niketnilay

Reply
Solved! Jump to solution

niketn
Legend
‎06-25-2018 09:46 AM

@DalJeanis just noticed your answer after posting mine... it should be $value$ inside the <change> event handler.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

fairje
Communicator
‎06-25-2018 01:03 PM

Thanks for the answer, looks like using the token name $application$ also does work, but I assume $value$ is the better way to go.

But yes, I just left off data to keep it easier to read what I was actually asking for. My dashboard has a lot more going on than just these elements, but this was ultimately asking the question in the simplest format possible.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...