topic Re: Dynamic input value for tables in Dashboards & Visualizations

Dynamic input value for tables

jonydupre — Thu, 12 Dec 2019 12:27:07 GMT

Hi all,

I currently have a table showing all used commands from a specific machine. Search is something like this:

source="/var/log/log"  | stats count by comm | table comm, count | sort by count desc | head 10

This shows the top 10 used commands. Now I would like to search for specific commands using an Input field and submit button.
I would imagine the search would be something like this:

source="/var/log/audit/audit.log" comm="*$Token_Name$*" | stats count by comm | table comm, count | sort by count desc | head 10

But I don't understand how I can use the input field to alter the existing table.. How should the input field be configured and how do I make the existing table use the input? Or does the input field create a table with given value?

I hope my question is clear..
Thanks!

Re: Dynamic input value for tables

vnravikumar — Thu, 12 Dec 2019 12:33:15 GMT

Try like

<form>
  <label>textfield</label>
  <fieldset submitButton="false">
    <input type="text" token="field1">
      <label>field1</label>
      <default>*</default>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index="_internal" $field1$ | stats count by sourcetype</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Re: Dynamic input value for tables

jonydupre — Thu, 12 Dec 2019 12:42:11 GMT

Thanks, should I replace the text in <query> </query> with my second query in the opening post?

Re: Dynamic input value for tables

vnravikumar — Thu, 12 Dec 2019 12:46:07 GMT

yes, $field1$ is similar to your comm

Re: Dynamic input value for tables

jonydupre — Thu, 12 Dec 2019 12:49:31 GMT

So in my situation like this:

<input type="text" token="field1">
      <label>field1</label>
       <default></default>
       <prefix>sourcetype="</prefix>
       <suffix>"</suffix>
       <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Gebruikte commando's</title>
      <chart>
        <search>
          <query>source="/var/log/log" comm="$field1$" | stats count by comm | table comm, count | sort by count desc | head 10</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>

Can you explain the prefix, suffix en initialValue? What are their functions?

Re: Dynamic input value for tables

vnravikumar — Thu, 12 Dec 2019 12:53:04 GMT

Check this

<form>
  <fieldset>
    <input type="text" token="field1">
      <label>field1</label>
      <default></default>
      <prefix>comm="</prefix>
      <suffix>"</suffix>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Gebruikte commando's</title>
      <chart>
        <search>
          <query>source="/var/log/log" $field1$ | stats count by comm | table comm, count | sort by count desc | head 10</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>

Re: Dynamic input value for tables

vnravikumar — Thu, 12 Dec 2019 12:53:53 GMT

instead of giving in query like comm=$field1$ i'm building that in token itself

Re: Dynamic input value for tables

jonydupre — Thu, 12 Dec 2019 13:00:22 GMT

Thanks, but why use prefix/suffix? I could just put $field1$ in the search after comm=" right?

Like this:
source="/var/log/log" comm="$field1$" | stats count by comm | table comm, count | sort by count desc | head 10

And not use prefix/suffix in the input field, or is this not possible?

Re: Dynamic input value for tables

vnravikumar — Thu, 12 Dec 2019 13:01:40 GMT

yes you can do.

Re: Dynamic input value for tables

jonydupre — Thu, 12 Dec 2019 14:33:44 GMT

Ok thanks, it works now. But why would you use the suffix/preffix? Or is it a habit to use like that?