Solved: ExtendedFieldSearch, intentions, and radio buttons

cphair · ‎08-30-2012

Is it possible to use ExtendedFieldSearch with a radio button rather than a text field? I want to toggle my dashboard between searching all hours and only searching business hours (date_hour >8 AND date_hour <18). I think I need a stringreplace, given the complexity of the substituted text, but I want to have a radio button (or a dropdown) to toggle between those choices, rather than making the user type this into a freeform text box. If it is possible, what is the syntax?

Sorry if this is covered somewhere, but the intention documentation is rather spotty and I couldn't find a similar example in ui_examples.

sideview · ‎08-30-2012

You can use the StaticRadio module, along with a ConvertToIntention module below that. Use the ConvertToIntention just like you'd use it with StaticSelect. Of course you could use the StaticSelect module as well.

Another option is to use Sideview Utils, which gives you a Checkbox module, and that might be the best option here. You don't have to use intentions so that makes it a lot simpler, and the Checkbox module is dead easy to use. All in all it's probably considerably less than half of the XML you'd need for StaticRadio + ConvertToIntention + HiddenSearch.

<module name="Checkbox">
  <param name="name">onlySearchBusinessHours</param>
  <param name="label">Only search during business hours</param>
  <param name="onValue">date_hour&gt;8 date_hour&lt;18</param>

  <module name="Search">
    <param name="search">foo bar $onlySearchBusinessHours$ | top host</param>

View solution in original post

sideview · ‎08-30-2012

You can use the StaticRadio module, along with a ConvertToIntention module below that. Use the ConvertToIntention just like you'd use it with StaticSelect. Of course you could use the StaticSelect module as well.

Another option is to use Sideview Utils, which gives you a Checkbox module, and that might be the best option here. You don't have to use intentions so that makes it a lot simpler, and the Checkbox module is dead easy to use. All in all it's probably considerably less than half of the XML you'd need for StaticRadio + ConvertToIntention + HiddenSearch.

<module name="Checkbox">
  <param name="name">onlySearchBusinessHours</param>
  <param name="label">Only search during business hours</param>
  <param name="onValue">date_hour&gt;8 date_hour&lt;18</param>

  <module name="Search">
    <param name="search">foo bar $onlySearchBusinessHours$ | top host</param>

cphair · ‎08-31-2012

Unfortunately Sideview isn't an option for this particular dashboard. I was having trouble just trying to deduce the proper Advanced XML syntax for intentions from the scattered examples--to further confuse matters, the radio was nested under an existing ExtendedFieldSearch, which doesn't use ConvertToIntention, so I was confused where everything was supposed to go. Maybe I'll post a separate what-I-learned. Anyway, the staticradio-converttointention sequence worked (eventually). Thanks.

sideview · ‎08-31-2012

I updated my example to escape the > and < characters. Sorry if you tried to use it and the view didn't load. Also I removed the AND and parentheses because consecutive search terms are automatically AND'ed in splunk.

ExtendedFieldSearch, intentions, and radio buttons

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes