I am attempting to set a value using a token but it's only recognizing the 2nd option. This is the part that seems to be broken.
<label>Method</label>
<choice value="text">Title</choice>
<choice value="moretext">Another Title</choice>
<change>
  <condition label="Title">
    <set token="timeout">"5"</set>
  </condition>
  <condition label="Another Title">
    <set token="timeout">"120"</set>
  </condition>
</change>
<query>index=$ENVPicker$ sourcetype=$sourcetype$ | transaction UID | chart count by duration span=$timeout$</query>
<earliest>$TRPicker.earliest$</earliest>
<latest>$TRPicker.latest$</latest>
</search>
All tokens are working except for $timeout$. It's only populating with 120 instead of any other value no matter which condition is met. I've tried using different settings such as:
What am I missing?
[Updated Answer]
Based on the complete dashboard code, you are using a checkbox input, but you should have used a dropdown instead, as at a time, based on the selected PortalMethod, you can have only one value of timeout to be passed.
<input type="dropdown" token="PortalMethod" searchWhenChanged="true">
  <label>Method</label>
  <choice value="text">Title</choice>
  <choice value="moretext">Another Title</choice>
  <change>
    <condition label="Title">
      <set token="timeout">"5s"</set>
    </condition>
    <condition label="Another Title">
      <set token="timeout">"120s"</set>
    </condition>
  </change>
  <default>text</default>
</input>
Just FYI, the checkbox input does not support multiple values to be coded through the <change> event handler. You would need a JavaScript workaround to code the desired output of the change event handler yourself.
Refer to the question for the behavior issue with the <change> event handler for a checkbox with multiple values: https://answers.splunk.com/answers/506563/how-can-i-show-and-hide-panels-based-on-a-checkbox.html
@sheloaha, I think your Splunk input is fine; however, while consuming the token you should have the same under double quotes, or else only the string before the space will be used as the field value.
From your example it is not clear whether you are setting $ENVPicker$ or $sourcetype$; however, as a best practice it is better to have them in double quotes as they are text values. Try the following as your main search:
index="$ENVPicker$" sourcetype="$sourcetype$"
Also, for your use case consider switching to stats instead of transaction:
index="$ENVPicker$" sourcetype="$sourcetype$" UID="*"
| stats count as eventcount earliest(_time) as _time latest(_time) as end_time by UID
| search eventcount>1
| eval duration=end_time-_time
| chart span="$timeout$" count by duration
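The JavaScript workaround mentioned in the answer could take the following shape. This is an added example, not code from the thread: it derives `timeout` from an allowlist keyed on the checkbox values, so nothing typed or tampered with in the form reaches `span=`. The function names, the rule that the largest span wins when several boxes are checked, and the use of `form.PortalMethod` as the source of the checked values are assumptions; the token is set without quotes because the search above already writes `span="$timeout$"`.

```javascript
// Added example, not from the thread. Allowlist of checkbox values -> span.
// Values "text"/"moretext" and spans 5s/120s are taken from the dashboard above.
const SPAN_BY_METHOD = { text: 5, moretext: 120 }; // seconds

// Accepts what a checkbox group can hand over: an array of values, a
// delimiter-joined string, or nothing at all.
function selectedMethods(raw) {
  if (raw === undefined || raw === null) return [];
  const list = Array.isArray(raw) ? raw : String(raw).split(/[\s,]+/);
  return list.map((v) => String(v).trim()).filter((v) => v.length > 0);
}

// Returns the span string for the current selection, or null when nothing
// valid is checked. Unknown values are dropped, never passed to the search.
// Assumption: with several boxes checked, the largest span wins.
function timeoutForSelection(raw) {
  const spans = selectedMethods(raw)
    .filter((v) => Object.prototype.hasOwnProperty.call(SPAN_BY_METHOD, v))
    .map((v) => SPAN_BY_METHOD[v]);
  return spans.length ? `${Math.max(...spans)}s` : null;
}

// Wiring for a Simple XML dashboard extension. `mvc` is the splunkjs/mvc
// module; passing it in keeps the logic above testable outside Splunk.
function bindTimeoutToken(mvc) {
  const models = [mvc.Components.get("default"), mvc.Components.get("submitted")];
  const apply = (raw) => {
    const span = timeoutForSelection(raw);
    models.forEach((m) => {
      if (span === null) m.unset("timeout");
      else m.set("timeout", span);
    });
    return span;
  };
  // Assumption: form.PortalMethod holds the checked values of the input.
  models[0].on("change:form.PortalMethod", (_model, value) => apply(value));
  return apply(models[0].get("form.PortalMethod"));
}

// Inside Splunk the file would be loaded by the dashboard's script attribute:
// require(["splunkjs/mvc", "splunkjs/mvc/simplexml/ready!"], bindTimeoutToken);
```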
This may be because your changes in the input are not being detected by Splunk.
The code is missing some parts, any chance you could get them in the question?
Here's the beginning of the dashboard and the snipped panel.
TEST
<input type="time" token="TRPicker" searchWhenChanged="true">
  <label>Time Range</label>
  <default>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
  </default>
</input>
<input type="radio" token="ENVPicker" searchWhenChanged="true">
  <label>Environment</label>
  <choice value="index">Index_A</choice>
  <choice value="diff_index">Index_B</choice>
  <change>
    <condition label="Index_A">
      <set token="sourcetype">"test"</set>
    </condition>
    <condition label="Index_B">
      <set token="sourcetype">"more_test"</set>
    </condition>
  </change>
  <default>test</default>
</input>
<input type="checkbox" token="PortalMethod" searchWhenChanged="true">
  <label>Method</label>
  <choice value="text">Title</choice>
  <choice value="moretext">Another Title</choice>
  <change>
    <condition label="Title">
      <set token="timeout">"5"</set>
    </condition>
    <condition label="Another Title">
      <set token="timeout">"120"</set>
    </condition>
  </change>
  <delimiter> </delimiter>
</input>
<row>
  <panel>
    <title>Web Request Durations</title>
    <chart>
      <search>
        <query>index=$ENVPicker$ sourcetype=$sourcetype$ source=*test* OR source=*whatever* | transaction UID | chart count by duration span=$timeout$</query>
        <earliest>$TRPicker.earliest$</earliest>
        <latest>$TRPicker.latest$</latest>
      </search>
      <option name="charting.chart">pie</option>
    </chart>
  </panel>