Customize Search using input from Dashboard

SplunkNinja85 · ‎09-02-2020

I want to customise the search using input passed in the dashboard.

The field in the logs have value CLASS="/x/y/z/abc/query/v1 Need quick Response"

The input value passed from Dashboard is x-y-z-abc-query-v1.

We want to search the logs using input parameter in the field CLASS containing value /x/y/z/abc/query/v1.

as the input parameter value format is x-y-z-abc-query-v1 and the value to search is /x/y/z/abc/query/v1, how should the query look like to give result.

Query at the end should look like index= yyy CLASS="/x/y/z/abc/query/v1*" but how to tackle input parameter looks like /x/y/z/abc/query/v1 and search in the Class Field value.

Please assist.

renjith_nair · ‎09-02-2020

You may create a token from the input and pass it in the search.

Please find below a run anywhere example. However, if you are defining input, why don't you set the value as "x/y/z/.." ? Is it a dynamic input?

<form>
  <label>Search Input</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="token_name">
      <label>Query</label>
      <choice value="x-y-z-abc-query-v1">Query1</choice>
      <choice value="a-b-c-xyz-query-v2">Query2</choice>
      <change>
        <eval token="query">replace(value,"-","/")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults |eval string="/$query$ Need quick Response"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Happy Splunking!

Customize Search using input from Dashboard

other

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life