How can you get a conditional execution of a query in a panel based on a value in a DropDown Box?

HenryFitzerald
New Member

Hi, could anyone please help?

I have two drop down boxes that execute two queries based on two values chosen in two drop down boxes:

$service_family_tok$ and $enter_feature_tok$

These values are used in the query below in a lookup and search.

  index=_internal  sourcetype=FilmWork 
                | lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_microservice_map  
                | search feature=$enter_feature_tok$ 

Example: $service_family_tok$=EDH and $enter_feature_tok$=STMT

  index=_internal  sourcetype=FilmWork 
          | lookup fd_edh_stmt_microservice_map  
          | search feature=STMT 

I have a new option in the drop down "ALL" and "ALL".

This only executes the first part of the query: "index=_internal sourcetype=FilmWork". But for all results, it does no lookup or search feature as it's not required.

Could anyone assist me in the logic so when a user chooses ALL and ALL, the lookup and search part of the query is NOT executed.

In shell script you could append the lookup/search text based on testing a value in $service_family_tok$ and $enter_feature_tok$ & both not equal to ALL.

Like, but I don't know how to do this in Splunk.

eval ALLToken=if(cidrmatch("ALL",$service_family_tok$)
  if(ALLToken )
    index=_internal sourcetype=FilmWork
   else query 
    <query> index=_internal  sourcetype=FilmWork
    | lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_microservice_map 
    | search feature=$enter_feature_tok$ 

The code does not show properly when I paste it here; please request it and I can send it. Thanks

0 Karma

HenryFitzerald
New Member

Chart time span

 <earliest>-24h@h</earliest>
 <latest>now</latest>

Choose Service Family:
ALL
GNM
HWB
ED
PS
ALL
ALL

 <condition value="ALL">
   <set token="feature_values">ALL</set>
     <set token="All"></set>
     <unset token="form.enter_feature_tok"></unset>
 </condition>
 <condition value="EDH">
   <set token="feature_values">MANACCS,INBOX,STMT,ACTS</set>
   <unset token="form.enter_feature_tok"></unset>
 </condition>
 <condition value="GMN">
   <set token="feature_values">CCA,CIA,REG</set>
   <unset token="form.enter_feature_tok"></unset>
 </condition>
 <condition value="HWB">
   <set token="feature_values">PLA</set>
   <unset token="form.enter_feature_tok"></unset>
 </condition>
 <condition value="PS">
   <set token="feature_values">ALL</set>
   <unset token="form.enter_feature_tok"></unset>
 </condition>

Choose Feature:
feature
feature

 <query>|makeresults|eval feature="$feature_values$"|makemv feature delim=","|mvexpand feature</query>
 <earliest>-1s@s</earliest>
 <latest>now</latest>


 <eval token="l_service_family_tok">lower($service_family_tok$)</eval>
 <eval token="l_enter_feature_tok">lower($value$)</eval>

 <title>BookWorks events</title>
 <search rejects="$All$">
   <query>
    index=_internal  sourcetype=BookWork 
   | lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
   | search fd_feature=$enter_feature_tok$ 
  </query>
   <earliest>$master_time_span.earliest$</earliest>
   <latest>$master_time_span.latest$</latest>
 </search>
 <search depends="$All$">
   <query>
    index=_internal  sourcetype=BookWork 
   </query>
 </search>
 <option name="charting.chart">column</option>
 <option name="charting.drilldown">none</option>

 <title>BookWorks events</title>
 <search>
   <query> index=_internal  sourcetype=FilmWork 
   | lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
   | search fd_feature=$enter_feature_tok$
  </query>
   <earliest>$master_time_span.earliest$</earliest>
   <latest>$master_time_span.latest$</latest>
 </search>
 <option name="list.drilldown">none</option>
0 Karma

Vijeta
Influencer

You can write 2 searches inside the panel with depends and rejects. First set a token when the condition is All and unset it at all other conditions, for example:

<condition value="ALL">
       <!--set token="feature_values">$value$</set-->
       <set token="feature_values">ALL</set>
         <!--set token="feature_values">*</set-->
       <set token="All"></set>
         <unset token="form.enter_feature_tok"></unset>
     </condition>

Unset this token for all other conditions, then in your search panel create 2 searches with rejects and depends based on token All, as below:

<search rejects="$All$">
       <query> index=_internal  sourcetype=FilmWork 
       | lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
       | search fd_feature=$enter_feature_tok$
      </query>
       <earliest>$master_time_span.earliest$</earliest>
       <latest>$master_time_span.latest$</latest>
     </search>
<search depends="$All$">
       <query> index=_internal  sourcetype=FilmWork 
            </query>
       <earliest>$master_time_span.earliest$</earliest>
       <latest>$master_time_span.latest$</latest>
     </search>
0 Karma

HenryFitzerald
New Member

Thanks Vijeta will try this solution.

0 Karma

HenryFitzerald
New Member

Hi Vijeta ,
Could I please check with you regarding an issue I am currently having whenever "I try to add a second search/query in the same panel and chart". I set the token "All" but whenever I try to place the second "" in the panel I obtain
Warning on line 76: Expected at most 1 children of base-search in chart, instead saw 2
Warning on line 83: Node is not allowed here

I had to comment out chart but it changes the whole panel & cannot drill down so I am unable to add
a second query.
<!--chart-->
<!--option name="charting.chart">column

<!--option name="charting.drilldown">none

0 Karma

HenryFitzerald
New Member

EVENTS-ALL
Shows

<input type="time" token="master_time_span">
  <label>Chart time span</label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
</input>
<input type="dropdown" token="service_family_tok" searchWhenChanged="true">
  <label>Choose Service Family:</label>
  <choice value="ALL">ALL</choice>
  <choice value="GMN">GNM</choice>
  <choice value="HWB">HWB</choice>
  <choice value="ED">ED</choice>
  <choice value="PS">PS</choice>
  <default>ALL</default>
  <initialValue>ALL</initialValue>
  <change>
      <!--condition value="ALL"-->
      <!--set token="feature_values">MANACCS,INBOX,STMT,ACTS,CCA,CIA,REG,PLA</set-->
      <!--unset token="form.enter_feature_tok"></unset-->
    <!--/condition-->
    <condition value="ALL">
      <!--set token="feature_values">$value$</set-->
      <set token="feature_values">ALL</set>
        <!--set token="feature_values">*</set-->
        <unset token="form.enter_feature_tok"></unset>
    </condition>
    <condition value="EDH">
      <set token="feature_values">MANACCS,INBOX,STMT,ACTS</set>
      <unset token="form.enter_feature_tok"></unset>
    </condition>
    <condition value="GMN">
      <set token="feature_values">CCA,CIA,REG</set>
      <unset token="form.enter_feature_tok"></unset>
    </condition>
    <condition value="HWB">
      <set token="feature_values">PLA</set>
      <unset token="form.enter_feature_tok"></unset>
    </condition>
    <condition value="PS">
      <set token="feature_values">ALL</set>
      <unset token="form.enter_feature_tok"></unset>
    </condition>
  </change>
</input>
<input type="dropdown" token="enter_feature_tok">
  <label>Choose Feature:</label>
  <fieldForLabel>feature</fieldForLabel>
  <fieldForValue>feature</fieldForValue>
  <search>
    <query>|makeresults|eval feature="$feature_values$"|makemv feature delim=","|mvexpand feature</query>
    <earliest>-1s@s</earliest>
    <latest>now</latest>
  </search>
  <change>
    <eval token="l_service_family_tok">lower($service_family_tok$)</eval>
    <eval token="l_enter_feature_tok">lower($value$)</eval>
  </change>
</input>


<panel>
  <title></title>
  <html>
  </html>
</panel>


<panel>
  <title>BookWorks</title>
  <chart>
    <title>BookWorks events</title>
    <search>
      <query>
       index=_internal  sourcetype=BookWork 
      | lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
      | search fd_feature=$enter_feature_tok$ 
     </query>
      <earliest>$master_time_span.earliest$</earliest>
      <latest>$master_time_span.latest$</latest>
    </search>
    <option name="charting.chart">column</option>
    <option name="charting.drilldown">none</option>
  </chart>
</panel>
<panel>
  <title>BookWorks</title>
  <event>
    <title>BookWorks events</title>
    <search>
      <query> index=_internal  sourcetype=FilmWork 
      | lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
      | search fd_feature=$enter_feature_tok$
     </query>
      <earliest>$master_time_span.earliest$</earliest>
      <latest>$master_time_span.latest$</latest>
    </search>
    <option name="list.drilldown">none</option>
  </event>
</panel>
0 Karma