Splunk Search

How to Fill two different queries for a radio button with two values

pench2k19
Explorer

Hi Ninjas,

I have a radio button with two values as STARTING job and RUNNING jobs.

I have a different query for each value. I would like the corresponding search to be filled in when the user selects the Status.

Following are the queries:

Starting Jobs Query:
index=infra_apps sourcetype=XXXX EventCode=40245 Status=Running AppID=$appid$ Machine=$host$ Job=$job$
| dedup _raw
| lookup datalakenodeslist.csv host as Machine OUTPUT cluster
| search cluster=$clustername$
| timechart count span=2m

Running Jobs Query:
index=infra_apps sourcetype=ca:atsys:edemon:txt EventCode=40245 AND (Status=STARTING OR Status=Running) AppID=$appid$ Machine=$host$ Job=$job$
| dedup _raw
| lookup datalakenodeslist.csv host as Machine OUTPUT cluster
| search cluster=$clustername$
| eval starting=if(Status="STARTING","1","0"),status=if(Status="STARTING","start","stop"), time=_time+status
| bin span=2m _time
| stats max(starting) as starting, earliest(time) as first, latest(time) as last by Job,_time
| xyseries _time Job starting first last
| makecontinuous span=2m _time
| streamstats window=2 global=f earliest(last*) as last*
| reverse
| streamstats window=2 global=f earliest(first*) as first*
| reverse
| foreach starting*
[ eval <<FIELD>>=if(isnull('<<FIELD>>') AND like('first<<MATCHSTR>>',"%start"),"0",if(isnull('<<FIELD>>') AND like('first<<MATCHSTR>>',"%stop"),"1",if(isnull('<<FIELD>>') AND like('last<<MATCHSTR>>',"%start"),"1",if(isnull('<<FIELD>>') AND like('last<<MATCHSTR>>',"%stop"),"0",'<<FIELD>>'))))]
| fields - first*, last*
| filldown *
| reverse
| filldown *
| reverse
| addtotals fieldname=Starting
| fields _time,Starting

PS: the token i am using is Status and the token value is jobstatus

Can you please help @vnravikumar @woodcock @sideview

0 Karma

woodcock
Esteemed Legend

I do not see a question here. What problem are you having?

0 Karma

vnravikumar
Champion

Hi

Check this, use status token in your query

<form>
  <label>radio</label>
  <fieldset submitButton="false">
    <input type="radio" token="status">
      <label>Job Status</label>
      <choice value="Running">Running</choice>
      <choice value="STARTING">STARTING</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>

        <search>
          <query>index=infra_apps sourcetype=XXXX EventCode=40245 Status=$status$ AppID=$appid$ Machine=$host$ Job=$job$
| dedup _raw
| lookup datalakenodeslist.csv host as Machine OUTPUT cluster
| search cluster=$clustername$
| timechart count span=2m
</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

pench2k19
Explorer

@vnravikumar thanks for the reply. It's showing "search is waiting for input".
The following is the piece of code I have incorporated in the XML code.

  <label>Select Job status</label>
  <choice value="STARTING">Starting</choice>
  <choice value="RUNNING">Running</choice>
  <default>RUNNING</default>
</input>


 <panel>
   <table>
     <search>
       <query>index=infra_apps sourcetype=ca:atsys:edemon:txt EventCode=40245 Status=$status$ AppID=$appid$ Machine=$host$ Job=$job$

| dedup _raw
| lookup datalakenodeslist.csv host as Machine OUTPUT cluster
| search cluster=$clustername$
| timechart count span=2m</query>
       <earliest>-24h@h</earliest>
       <latest>now</latest>
     </search>
     <option name="drilldown">none</option>
   </table>
 </panel>
0 Karma

vnravikumar
Champion

Have you passed the remaining tokens AppID=$appid$ Machine=$host$ Job=$job$ along with status? I didn't have those tokens in my above example. Please pass those tokens and try.

0 Karma

pench2k19
Explorer

Yes, I did. The following is the full XML code for your reference.

Autosys Cluster Autosys Jobs Running and started
This DashBoard gives the list of autosys jobs running or started in each 1CDH cluster at times.

<unset token="earliest"></unset>
<unset token="latest"></unset>


<input type="time" token="field1">
  <label>Select Time range</label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
</input>
<input type="dropdown" token="appid">
  <label>Select the APPID</label>
  <choice value="*">All</choice>
  <fieldForLabel>AppID</fieldForLabel>
  <fieldForValue>AppID</fieldForValue>
  <search>
    <query>|inputlookup appidvscluster.csv |dedup AppID |table AppID</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
</input>
<input type="dropdown" token="clustername">
  <label>Select the Cluster</label>
  <fieldForLabel>Cluster</fieldForLabel>
  <fieldForValue>Cluster</fieldForValue>
  <search>
    <query>|inputlookup appidvscluster.csv  where AppID ="$appid$" |dedup Cluster

|table Cluster
-24h@h
now

All



All

host
host

|inputlookup "datalakenodeslist.csv" where cluster=$clustername$
| dedup "host"
| table host
-24h@h
now




<choice value="">All

*
Job
Job

|inputlookup alljobs.csv
|rex mode=sed field=host "y/\w{5}\d{2}v\d{4}/\w{5}\d{2}a\d{4}/"
| lookup datalakenodeslist.csv host OUTPUT cluster
| search cluster="$clustername$" AND host="$host$"
| dedup Job
| table Job
-24h@h
now




Starting
Running
RUNNING

 <panel>
   <table>
     <search>
       <query>index=infra_apps sourcetype=ca:atsys:edemon:txt EventCode=40245 Status=$status$ AppID=$appid$ Machine=$host$ Job=$job$

| dedup _raw
| lookup datalakenodeslist.csv host as Machine OUTPUT cluster
| search cluster=$clustername$
| timechart count span=2m</query>
       <earliest>-24h@h</earliest>
       <latest>now</latest>
     </search>
     <option name="drilldown">none</option>
   </table>
 </panel>


<panel>
  <title>$jobstatus$ Jobs Trend</title>
  <chart>
    <search id="CDH_Cluster_jobs_trend">
      <query>index=infra_apps sourcetype=ca:atsys:edemon:txt EventCode=40245 AND (Status=Failure OR Status=Terminated OR Status=Running OR Status=Success) AppID=$appid$ Machine=$host$ Job=$job$

| dedup _raw
| lookup datalakenodeslist.csv host as Machine OUTPUT cluster
| search cluster=$clustername$
| eval running=if(Status="RUNNING","1","0"),status=if(Status="RUNNING","start","stop"), time=_time+status
| bin span=2m _time
| stats max(running) as running, earliest(time) as first, latest(time) as last by Job,_time
| xyseries _time Job running first last
| makecontinuous span=2m _time
| streamstats window=2 global=f earliest(last*) as last*
| reverse
| streamstats window=2 global=f earliest(first*) as first*
| reverse
| foreach running*
[ eval <<FIELD>>=if(isnull('<<FIELD>>') AND like('first<<MATCHSTR>>',"%start"),"0",if(isnull('<<FIELD>>') AND like('first<<MATCHSTR>>',"%stop"),"1",if(isnull('<<FIELD>>') AND like('last<<MATCHSTR>>',"%start"),"1",if(isnull('<<FIELD>>') AND like('last<<MATCHSTR>>',"%stop"),"0",'<<FIELD>>'))))]
| fields - first*, last*
| filldown *
| reverse
| filldown *
| reverse
| addtotals fieldname=Running
| fields _time,Running
$field1.earliest$
$field1.latest$

line
all
progressbar

$click.value2$
$click.value$
($click.value$ + 300)
strftime($earliest$, "%m/%d/%Y %I:%M:%S %p")
strftime($latest$, "%m/%d/%Y %I:%M:%S %p")


<panel depends="$jobcount$">
  <title>List of Jobs from $earliest1$ to $latest1$</title>
  <table>
    <search id="CDH_Cluster_jobs_table">
      <query>index=infra_apps sourcetype=ca:atsys:edemon:txt

| search Job=$job$
| rename hostname as host
| eval t1=strftime(_time,"%Y-%m-%d %H:%M:%S")
| eval time_epoch=strptime(t1,"%Y-%m-%d %H:%M:%S")
| fields Job host Autosysjob_time Status _time time_epoch t1
| lookup datalakenodeslist.csv host OUTPUT cluster
| mvexpand cluster
| table Job Status host cluster _time time_epoch
| search cluster=$clustername$ AND host=$host$
| sort + time_epoch
| stats count by _time Job Status host cluster time_epoch
| bin span=2m _time
| makecontinuous span=2m _time
| filldown _time Job Status host cluster count time_epoch
| table _time Job Status host cluster
| search Status=$jobstatus$
| table _time Job host cluster Status
$earliest$
$latest$
10m
delay

10
none
progressbar

0 Karma
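
A token check for the "Search is waiting for input" state discussed in this thread, which a dashboard shows while a search references a token that has no value. This is an added example, not code from any poster; the sample dashboard is constructed, and `undefined_tokens` and `base_name` are hypothetical helper names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not the poster's dashboard): the radio input sets
# "jobstatus", but the panel query reads $status$, which nothing defines.
SAMPLE = """<form>
  <fieldset submitButton="false">
    <input type="time" token="field1"/>
    <input type="dropdown" token="appid"><default>*</default></input>
    <input type="radio" token="jobstatus">
      <choice value="STARTING">Starting</choice>
      <choice value="RUNNING">Running</choice>
      <default>RUNNING</default>
    </input>
  </fieldset>
  <row><panel><table><search>
    <query>index=infra_apps EventCode=40245 Status=$status$ AppID=$appid$
| timechart count span=2m</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search></table></panel></row>
</form>"""

TOKEN_REF = re.compile(r"\$([A-Za-z_][\w.:|]*)\$")  # $name$, $name.earliest$, $name|s$

def base_name(ref):
    """Reduce form.appid, field1.earliest or job|s to the token that must be set."""
    name = ref.split("|")[0]
    if name.startswith("form."):
        name = name[len("form."):]
    return name.split(".")[0]

def undefined_tokens(xml_text):
    """Tokens used inside <search> elements that no input, <set> or <eval> defines."""
    root = ET.fromstring(xml_text)
    defined = {el.get("token") for tag in ("input", "set", "eval")
               for el in root.iter(tag) if el.get("token")}
    missing = set()
    for search in root.iter("search"):
        for part in search:
            if part.tag not in ("query", "earliest", "latest"):
                continue
            for ref in TOKEN_REF.findall(part.text or ""):
                # env: tokens are provided by Splunk itself, not by the dashboard
                if not ref.startswith("env:") and base_name(ref) not in defined:
                    missing.add(base_name(ref))
    return missing

if __name__ == "__main__":
    print(sorted(undefined_tokens(SAMPLE)))
```

Tokens supplied only through the dashboard URL are not visible to this check.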