Solved: Re: Is it possible to use tokens to alternate the ...

marvinlee93 · ‎12-05-2018

Hi all,

I would like to flip time charts/tables in the same Dashboard using tokens without manual refresh. (Eg, Change timechart every 5 seconds)

I am interested to know if it is possible to ALTERNATE the display of different TIMECHARTS/TABLES in the same dashboard in Real-Time.
So then, I could display different information at different time intervals using the SAME dashboard and amount of SPACE.

I was thinking of making use of tokens. With a smarter use of tokens, we could set a timer and conditions such that a different 'set of timecharts' would appear at different time intervals? Is that doable?

renjith_nair · ‎12-06-2018

@marvinlee93 ,

Have a look at the following example and see if it suits your requirement. Its a run anywhere example

Here I switch between two panels based on time (Seconds). If the second(sec) is greater than 30, a table is displayed , otherwise a pie chart. The dashboard is refreshed in every 10 secs

<dashboard refresh="10">
  <label>Time Dependent Dashboards</label>
  <row>
    <panel depends="$IamSupposedToBeHiddenAlways$">
      <table>
        <!-- This is a dummy search to extract time (seconds in this case) -->
        <search>
          <query>|makeresults|eval sec=strftime(_time,"%S")</query>
          <earliest>-1s@s</earliest>
          <latest>now</latest>
          <done>
             <!--set the tokens based on the value of sec -->
            <condition match="$result.sec$ > 30">
              <set token="show_table">true</set>
              <set token="current_sec">$result.sec$</set>
              <unset token="show_pie"></unset>
            </condition>
            <condition>
              <set token="show_pie">true</set>
              <unset token="show_table"></unset>
              <set token="current_sec">$result.sec$</set>              
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$show_table$">
      <title>Second is  = $current_sec$</title>
      <table>
        <search>
          <query>|makeresults count=5|eval data="Table displays dummy data if the second is greater than 30"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$show_pie$">
      <title>Second is  = $current_sec$</title>
      <chart>
        <search>
          <query>index=_*|stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</dashboard>

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎12-06-2018

@marvinlee93 ,

Have a look at the following example and see if it suits your requirement. Its a run anywhere example

Here I switch between two panels based on time (Seconds). If the second(sec) is greater than 30, a table is displayed , otherwise a pie chart. The dashboard is refreshed in every 10 secs

<dashboard refresh="10">
  <label>Time Dependent Dashboards</label>
  <row>
    <panel depends="$IamSupposedToBeHiddenAlways$">
      <table>
        <!-- This is a dummy search to extract time (seconds in this case) -->
        <search>
          <query>|makeresults|eval sec=strftime(_time,"%S")</query>
          <earliest>-1s@s</earliest>
          <latest>now</latest>
          <done>
             <!--set the tokens based on the value of sec -->
            <condition match="$result.sec$ > 30">
              <set token="show_table">true</set>
              <set token="current_sec">$result.sec$</set>
              <unset token="show_pie"></unset>
            </condition>
            <condition>
              <set token="show_pie">true</set>
              <unset token="show_table"></unset>
              <set token="current_sec">$result.sec$</set>              
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$show_table$">
      <title>Second is  = $current_sec$</title>
      <table>
        <search>
          <query>|makeresults count=5|eval data="Table displays dummy data if the second is greater than 30"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$show_pie$">
      <title>Second is  = $current_sec$</title>
      <chart>
        <search>
          <query>index=_*|stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</dashboard>

---
What goes around comes around. If it helps, hit it with Karma 🙂

marvinlee93 · ‎12-06-2018

Hi, I have 3 charts. Let's say i want to display all 3 at the intervals of 20seconds.

              <!--set the tokens based on the value of sec -->
             <condition match="$result.sec$ > 20">
               <set token="Dataset1">true</set>
               <set token="current_sec">$result.sec$</set>
               <unset token="Dataset2"></unset>
               <unset token="Dataset3"></unset>
             </condition>
             <condition match="$result.sec$ > 40">
               <set token="Dataset2">true</set>
               <unset token="Dataset1"></unset>
               <unset token="Dataset3"></unset>
               <set token="current_sec">$result.sec$</set>   
             <condition>
               <set token="Dataset3">true</set>
               <unset token="Dataset1"></unset>
               <unset token="Dataset2"></unset>
               <set token="current_sec">$result.sec$</set>

This is my code. But it is giving me an error.

Also, I'm new to this. What's the difference between and ?

Let's say I wanna do it at a intervals of 1min for each chart. How would you change the timer?

renjith_nair · ‎12-07-2018

@marvinlee93 ,

ok, try this. Just copy paste this to a new dashboard and see if it works. I have set the dashboard refresh in every 20 minutes so that each refresh displays different panel.

<dashboard refresh="20">
  <label>Time Dependent Dashboards</label>
  <row>
    <panel depends="$IamSupposedToBeHiddenAlways$">
      <table>
        <search>
          <query>|makeresults|eval sec=strftime(_time,"%S")</query>
          <earliest>-1s@s</earliest>
          <latest>now</latest>
          <done>
            <!--set the tokens based on the value of sec -->
            <condition match="$result.sec$ &lt; 20">
              <set token="Dataset1">true</set>
              <set token="current_sec">$result.sec$</set>
              <unset token="Dataset2"></unset>
              <unset token="Dataset3"></unset>
            </condition>
            <condition match="$result.sec$ >= 20 AND $result.sec$ &lt; 40">
              <set token="Dataset2">true</set>
              <unset token="Dataset1"></unset>
              <unset token="Dataset3"></unset>
              <set token="current_sec">$result.sec$</set>
            </condition>
            <condition match="$result.sec$ >= 40">
              <set token="Dataset3">true</set>
              <unset token="Dataset1"></unset>
              <unset token="Dataset2"></unset>
              <set token="current_sec">$result.sec$</set>
            </condition>            
          </done>
        </search>
        <!-- This is a dummy search to extract time (seconds in this case) -->
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$Dataset1$">
      <title>Second is  = $current_sec$</title>
      <chart>
        <search>
          <query>index=_*|timechart count by sourcetype</query>
          <earliest>-1m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel depends="$Dataset2$">
      <title>Second is  = $current_sec$</title>
      <chart>
        <search>
          <query>index=_*|stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel  depends="$Dataset3$">
      <title>Second is  = $current_sec$</title>
      <chart>
        <search>
          <query>index=_*|chart count over index by sourcetype</query>
          <earliest>-1m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</dashboard>

---
What goes around comes around. If it helps, hit it with Karma 🙂

Is it possible to use tokens to alternate the display of different timecharts/tables, in the same dashboard, in real-time?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...