How can you get a conditional execution of a query in a panel based on a value in a DropDown Box?

HenryFitzerald
New Member

Hi could anyone please help.

I have two drop down boxes that execute two queries based on two values chosen in two drop down boxes:

$service_family_tok$ and $enter_feature_tok$

These values are used in the query below in a lookup and search.

  index=_internal  sourcetype=FilmWork 
                | lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_microservice_map  
                | search feature=$enter_feature_tok$ 

Example $service_family_tok$ =EDH and $enter_feature_tok$=STMT

  index=_internal  sourcetype=FilmWork 
          | lookup fd_edh_stmt_microservice_map  
          | search feature=STMT 

I have a new option in the drop down "ALL" and "ALL".

This only executes the first part of the query: "index=_internal sourcetype=FilmWork". But for all results, it does no lookup or search feature as it's not required.

Could anyone assist me in the logic so when a user chooses ALL and ALL, the lookup and search part of the query is NOT executed.

In shell script you could append the lookup/search text based on testing a value in $service_family_tok$ and $enter_feature_tok$ & both not equal to ALL.

Like, but I don't know how to do this in Splunk.

eval ALLToken=if(cidrmatch("ALL",$service_family_tok$)
  if(ALLToken )
    index=_internal sourcetype=FilmWork
   else query 
    <query> index=_internal  sourcetype=FilmWork
    | lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_microservice_map 
    | search feature=$enter_feature_tok$ 

The code does not show properly when I paste it here; please request it and I can send it. Thanks

0 Karma

HenryFitzerald
New Member

Chart time span

 <earliest>-24h@h</earliest>
 <latest>now</latest>

Choose Service Family:
ALL
GNM
HWB
ED
PS
ALL
ALL

 <condition value="ALL">
   <set token="feature_values">ALL</set>
     <set token="All"></set>
     <unset token="form.enter_feature_tok"></unset>
 </condition>
 <condition value="EDH">
   <set token="feature_values">MANACCS,INBOX,STMT,ACTS</set>
   <unset token="form.enter_feature_tok"></unset>
 </condition>
 <condition value="GMN">
   <set token="feature_values">CCA,CIA,REG</set>
   <unset token="form.enter_feature_tok"></unset>
 </condition>
 <condition value="HWB">
   <set token="feature_values">PLA</set>
   <unset token="form.enter_feature_tok"></unset>
 </condition>
 <condition value="PS">
   <set token="feature_values">ALL</set>
   <unset token="form.enter_feature_tok"></unset>
 </condition>

Choose Feature:
feature
feature

 <query>|makeresults|eval feature="$feature_values$"|makemv feature delim=","|mvexpand feature</query>
 <earliest>-1s@s</earliest>
 <latest>now</latest>


 <eval token="l_service_family_tok">lower($service_family_tok$)</eval>
 <eval token="l_enter_feature_tok">lower($value$)</eval>

 <title>BookWorks events</title>
 <search rejects="$All$">
   <query>
    index=_internal  sourcetype=BookWork 
   | lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
   | search fd_feature=$enter_feature_tok$ 
  </query>
   <earliest>$master_time_span.earliest$</earliest>
   <latest>$master_time_span.latest$</latest>
 </search>
 <search depends="$All$">
   <query>
    index=_internal  sourcetype=BookWork 
   </query>
 </search>
 <option name="charting.chart">column</option>
 <option name="charting.drilldown">none</option>

 <title>BookWorks events</title>
 <search>
   <query> index=_internal  sourcetype=FilmWork 
   | lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
   | search fd_feature=$enter_feature_tok$ 
  </query>
   <earliest>$master_time_span.earliest$</earliest>
   <latest>$master_time_span.latest$</latest>
 </search>
 <option name="list.drilldown">none</option>
0 Karma

Vijeta
Influencer

You can write 2 searches inside the panel with depends and rejects. First set a token when the condition is All and unset it in all other conditions, for example:

<condition value="ALL">
  <!--set token="feature_values">$value$</set-->
  <set token="feature_values">ALL</set>
  <!--set token="feature_values">*</set-->
  <set token="All"></set>
  <unset token="form.enter_feature_tok"></unset>
</condition>

Unset this token for all other conditions, then in your search panel create 2 searches with rejects and depends based on token All, as below:

<search rejects="$All$">
  <query> index=_internal  sourcetype=FilmWork 
  | lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
  | search fd_feature=$enter_feature_tok$ 
  </query>
  <earliest>$master_time_span.earliest$</earliest>
  <latest>$master_time_span.latest$</latest>
</search>
<search depends="$All$">
  <query> index=_internal  sourcetype=FilmWork 
  </query>
  <earliest>$master_time_span.earliest$</earliest>
  <latest>$master_time_span.latest$</latest>
</search>
0 Karma

HenryFitzerald
New Member

Thanks Vijeta will try this solution.

0 Karma

HenryFitzerald
New Member

Hi Vijeta,
Could I please check with you regarding an issue I am currently having whenever "I try to add a second search/query in the same panel and chart". I set the token "All" but whenever I try to place the second "" in the panel I obtain
Warning on line 76: Expected at most 1 children of base-search in chart, instead saw 2
Warning on line 83: Node is not allowed here

I had to comment out chart but it changes the whole panel & cannot drill down so I am unable to add a second query.
<!--chart-->
<!--option name="charting.chart">column</option-->
<!--option name="charting.drilldown">none</option-->

0 Karma

HenryFitzerald
New Member

EVENTS-ALL
Shows

<input type="time" token="master_time_span">
  <label>Chart time span</label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
</input>
<input type="dropdown" token="service_family_tok" searchWhenChanged="true">
  <label>Choose Service Family:</label>
  <choice value="ALL">ALL</choice>
  <choice value="GMN">GNM</choice>
  <choice value="HWB">HWB</choice>
  <choice value="ED">ED</choice>
  <choice value="PS">PS</choice>
  <default>ALL</default>
  <initialValue>ALL</initialValue>
  <change>
      <!--condition value="ALL"-->
      <!--set token="feature_values">MANACCS,INBOX,STMT,ACTS,CCA,CIA,REG,PLA</set-->
      <!--unset token="form.enter_feature_tok"></unset-->
    <!--/condition-->
    <condition value="ALL">
      <!--set token="feature_values">$value$</set-->
      <set token="feature_values">ALL</set>
        <!--set token="feature_values">*</set-->
        <unset token="form.enter_feature_tok"></unset>
    </condition>
    <condition value="EDH">
      <set token="feature_values">MANACCS,INBOX,STMT,ACTS</set>
      <unset token="form.enter_feature_tok"></unset>
    </condition>
    <condition value="GMN">
      <set token="feature_values">CCA,CIA,REG</set>
      <unset token="form.enter_feature_tok"></unset>
    </condition>
    <condition value="HWB">
      <set token="feature_values">PLA</set>
      <unset token="form.enter_feature_tok"></unset>
    </condition>
    <condition value="PS">
      <set token="feature_values">ALL</set>
      <unset token="form.enter_feature_tok"></unset>
    </condition>
  </change>
</input>
<input type="dropdown" token="enter_feature_tok">
  <label>Choose Feature:</label>
  <fieldForLabel>feature</fieldForLabel>
  <fieldForValue>feature</fieldForValue>
  <search>
    <query>|makeresults|eval feature="$feature_values$"|makemv feature delim=","|mvexpand feature</query>
    <earliest>-1s@s</earliest>
    <latest>now</latest>
  </search>
  <change>
    <eval token="l_service_family_tok">lower($service_family_tok$)</eval>
    <eval token="l_enter_feature_tok">lower($value$)</eval>
  </change>
</input>


<panel>
  <title></title>
  <html>
  </html>
</panel>


<panel>
  <title>BookWorks</title>
  <chart>
    <title>BookWorks events</title>
    <search>
      <query>
       index=_internal  sourcetype=BookWork 
      | lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
      | search fd_feature=$enter_feature_tok$ 
     </query>
      <earliest>$master_time_span.earliest$</earliest>
      <latest>$master_time_span.latest$</latest>
    </search>
    <option name="charting.chart">column</option>
    <option name="charting.drilldown">none</option>
  </chart>
</panel>
<panel>
  <title>BookWorks</title>
  <event>
    <title>BookWorks events</title>
    <search>
      <query> index=_internal  sourcetype=FilmWork 
      | lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
      | search fd_feature=$enter_feature_tok$ 
     </query>
      <earliest>$master_time_span.earliest$</earliest>
      <latest>$master_time_span.latest$</latest>
    </search>
    <option name="list.drilldown">none</option>
  </event>
</panel>
0 Karma
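
Added example, not part of any post in this thread: the warning quoted above says a chart accepts at most one search, so one way to get the conditional behaviour is to place two charts in the same panel, each with a single search, and toggle them with `depends`/`rejects`. The token name `show_all` is an assumption; the query text and all other token names are copied from the posts above.

```xml
<!-- Added example. show_all is a hypothetical token name; all other
     names and the query text are taken from the posts in this thread. -->

<!-- 1. In the service_family_tok dropdown: set the flag for ALL,
        clear it in every other condition. -->
<change>
  <condition value="ALL">
    <set token="show_all">true</set>
    <set token="feature_values">ALL</set>
    <unset token="form.enter_feature_tok"></unset>
  </condition>
  <condition value="HWB">
    <unset token="show_all"></unset>
    <set token="feature_values">PLA</set>
    <unset token="form.enter_feature_tok"></unset>
  </condition>
  <!-- other service families follow the HWB pattern -->
</change>

<!-- 2. One search per chart; only one of the two charts is active. -->
<panel>
  <title>BookWorks</title>
  <chart rejects="$show_all$">
    <title>BookWorks events</title>
    <search rejects="$show_all$">
      <query>index=_internal sourcetype=BookWork
| lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map
| search fd_feature=$enter_feature_tok$</query>
      <earliest>$master_time_span.earliest$</earliest>
      <latest>$master_time_span.latest$</latest>
    </search>
    <option name="charting.chart">column</option>
    <option name="charting.drilldown">none</option>
  </chart>
  <chart depends="$show_all$">
    <title>BookWorks events</title>
    <search depends="$show_all$">
      <query>index=_internal sourcetype=BookWork</query>
      <earliest>$master_time_span.earliest$</earliest>
      <latest>$master_time_span.latest$</latest>
    </search>
    <option name="charting.chart">column</option>
    <option name="charting.drilldown">none</option>
  </chart>
</panel>
```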