Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to have query/panel with conditional alternative queries/panels?

yshen
Communicator
‎01-28-2022 09:05 AM
As follows
if <condition-based-on-token-value> then query_1 else query_2where query_1 and query_2 may be a series of statements producing different sets of data.
 
Given a search query can be embedded in a panel, it might achieve the equivalent results, if there were a way to have conditional panel selection:
if <condition-based-on-token-value> then panel_with_query_1 else panel_with_query_2
(The above idea is inspired by @mmccul)
but I don't know if it's possible to have such panel selection mechanism with Simple XML of Splunk?Or alternatively, if I could control the visibility of a panel based token value, then I might also achieve the panel selection mechanism:
  • define two panels with visibility control by the token value
  • the controls are mutually exclusive, so that only one panel will be shown
I'd appreciate some pointers or examples. (edited) 
 
Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-28-2022 10:36 AM

You should be able to use the depends option on a panel to control whether it is visible or not.  The depends option says the panel is visible if the specified token is defined.  Using conditions to set an un-set tokens will show/hide the panels.

<panel depends="someToken">
  <search>
    ...
  </search>
</panel>
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

yshen
Communicator
‎01-28-2022 01:23 PM

Thanks for the solution!

Here is a minimum working example:

<form>
<label>Select between Current and Forecast Weather</label>
<fieldset submitButton="false">
<input type="radio" id="forecast" token="forecastToken" searchWhenChanged="true">
<label></label>
<choice value="0">Current</choice>
<choice value="1">Forecast</choice>
<default>0</default>
<change>
<condition value="0">
<set token="showCurrent">1</set>
<unset token="showForecast"></unset>
</condition>
<condition value="1">
<set token="showForecast">1</set>
<unset token="showCurrent"></unset>
</condition>
</change>
<initialValue>0</initialValue>
</input>
</fieldset>
<row>
<panel depends="$showCurrent$">
<single>
<title>Weather</title>
<search depends="$showCurrent$">
<query>| makeresults
| eval weather="Current"</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
<panel depends="$showForecast$">
<single>
<title>Weather</title>
<search depends="$showForecast$">
<query>| makeresults
| eval weather="Forecast"</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
</row>
</form>

 
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-28-2022 10:36 AM

You should be able to use the depends option on a panel to control whether it is visible or not.  The depends option says the panel is visible if the specified token is defined.  Using conditions to set an un-set tokens will show/hide the panels.

<panel depends="someToken">
  <search>
    ...
  </search>
</panel>
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

eholz1
Contributor
‎10-18-2022 09:44 AM

Hello and I need some help on simple xml and dashboards

I have a token "hide_panel"

I have two panels - one gets an "Off" (panel1) result in the search, the other panel (panel2) gets an "On" result in the search.

I want to show the "On" panel when the dashboard opens, and if a search is run on panel1 - that has ";Off" in the result, hide panel2.

I am not understanding the tags: <progress> I do have a sample that works using a dropdown - but have yet

to understand how to set and unset the token so panel2 shows first, and then hides

My code is like this:

<search>
<query>sourcetype=linux_secure user=* eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UserAction) by Date,host,user | sort - Date
| where 'last(UserAction)' == "Off"</query>
<earliest>-35m@m</earliest>
<latest>now</latest>
<progress>
<condition match="'job.UserAction' == Off">
<!-- unset token="hide_panel"></unset -->
</condition>
<condition match="'job.UserAction' == Off">
<set token="hide_panel">false</set >
</condition>

</progress>

<sampleRatio>1</sampleRatio>
</search>

 

Any suggestions will help,

thanks,

eholz1

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-18-2022 10:34 AM

Based on the code you shared, you probably want the <done> tag.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

eholz1
Contributor
‎10-18-2022 10:42 AM

Hello richgalloway,

Thanks are not enough for the help provided by this forum and your replies, I will try the "done" tag.

thanks again,

eholz1

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...