All Apps and Add-ons

Create Search String With Sideview Utils using TextField & Drop Down?

jpass
Contributor

I am wondering if this is possible:

In a dashboard I would like users to be able to generate the search string by using a drop down & a text box. First they choose the field they want to search from a drop down. Second, they input a value into the textfield. Next they click the submit button and it sends the search to a variable. Next they can either 'search' or continue building the search string by choosing from the drop down again and inputting another term which is then tacked onto the existing term.

Example:
-DROPDOWN-
IP
DOMAIN
FILENAME

  1. user choose IP
  2. user inputs an ip and clicks button
  3. a string is generated: ip="192.168.2.1"
  4. next user chooses DOMAIN from the same drop down
  5. they input 'google.com' into the same textfield and click submit
  6. the search string now becomes ip="192.168.2.1" OR domain="google.com"
  7. they can either continue to build the search string or click another button to search
  8. I suppose I need a button to clear it as well if they want to start fresh

I'm using SideView Utils 2.2.7 & just starting to learn to use the sideview editor which is really easy but very new to me. I'm used to editing advanced xml directly. I'd like to achieve this with no CustomBehaviors if possible. If someone could describe the modules needed and basic 'get me started' tips it would be very much appreciated.

sideview
SplunkTrust
SplunkTrust

I don't think that there's any way to do it with no CustomBehavior at all.

There is however a way to do it with some pretty simple CustomBehavior, by using the Filters module to do the heavy-lifting. In fact Sideview Utils already has a sample interface showing this and more.

The Filters module has been around for a while but it is a pretty advanced module and to be honest I've held off on documenting it visibly. You can read it's module conf and get a decent idea of what it does, and you can go to "sample interfaces > Explore" to see a great working example of it in action.

Here's a slightly simplified version of the config in the explore view:

<module name="Filters">
  <param name="name">filters</param>

  <module name="Search" layoutPanel="mainSearchControls">
    <param name="search"><![CDATA[
      BASESEARCH | reporting commands to get result rows that are each fields, with the name in a field called "field".
    ]]></param>

    <module name="Pulldown">
      <param name="name">field</param>
      <param name="valueField">field</param>

      <param name="staticOptions">
        <list><param name="label">Add new filter ...</param><param name="value"></param></list>
      </param>
      <param name="customBehavior">hideDownstreamModulesUntilFieldSelected</param>

      <module name="Pulldown">
        <param name="name">operator</param>
        <param name="staticOptions">
          <list><param name="value">=</param></list>
          <list><param name="value">&gt;</param></list>
          <list><param name="value">&lt;</param></list>
          <list><param name="value">!=</param></list>
        </param>

        <module name="Search" group="list">
          <param name="search"><![CDATA[
            BASESEARCH $filters$ | head 1000 | stats count by $field$ | fields - count | sort $field$ | rename $field$ as value
          ]]></param>

          <module name="Pulldown">
            <param name="name">value</param>
            <param name="valueField">value</param>
            <param name="staticOptions">
              <list><param name="value"></param><param name="label">enter value manually...</param></list>
            </param>

            <module name="TextField">
              <param name="name">value</param>
              <param name="customBehavior">activeOnlyIfManualEntrySelected</param>

              <module name="Button">
                <param name="label">+</param>
                <param name="allowSoftSubmit">False</param>
                <param name="allowAutoSubmit">False</param>
                <module name="CustomBehavior">
                  <param name="customBehavior">addNewFilterToFilterBar</param>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
  <!-- modules present here will have the benefit of $filters$ to roll up 
  all of the currently active filters from the Filters module.-->
</module>

The Filters module basically implements a little interactive breadcrumb but there's no hierarchy or order implicit in that breadcrumb. It's basically just a little container to hold search filters that the user has selected. However the controls to actually add and remove fields and values from that filterbar is delegated to downstream code. And today there's no way to do it without a little customBehavior.

This example goes a little further than what you're asking for, in that it takes all the values for the field "X" and puts them into a Pulldown too. Leaving an "enter manually" option for cases where you just have to type it in.

There's a total of 3 customBehavior's here, and you'll have to look into the application.js file of Sideview Utils itself to see the implementation thereof. You can also go into the "Explore" view itself as I mentioned, although there's a couple other layers of coolness and/or complexity going on in Explore that I've kind of factored out for you in the XML above.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...