I am new to Splunk. Please help me out with this.
My dashboard is having 5 text fields and allows the users to key in data.
1. I want to make all of the text fields are optional.
2. I need to construct the search query based on the user input. i.e. dynamically construct the search query filter based on user input
Ex 1: with 3 text fields input from user, i need to generate the query with three filters.
Ex 2: with no inputs from user, it should be generic search with out filters
You can set text input token to "*" when there is no user input , Try this. Example contains three inputs you can extend same to five inputs.
<form>
<label>Test</label>
<fieldset submitButton="true">
<input type="text" token="field1">
<label>Text Input - Sourcetype</label>
<change>
<condition value="">
<set token="field1">*</set>
</condition>
</change>
</input>
<input type="text" token="field2">
<label>Text Input - Source</label>
<change>
<condition value="">
<set token="field2">*</set>
</condition>
</change>
</input>
<input type="text" token="field3">
<label>Text Input - Host</label>
<change>
<condition value="">
<set token="field3">*</set>
</condition>
</change>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Query built: index=_internal earliest=-15m sourcetype=$field1$ source=$field2$ host=$field3$ | stats count by sourcetype, source, host</title>
<search>
<query>index=_internal earliest=-15m sourcetype=$field1$ source=$field2$ host=$field3$ | stats count by sourcetype, source, host</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
You can set text input token to "*" when there is no user input , Try this. Example contains three inputs you can extend same to five inputs.
<form>
<label>Test</label>
<fieldset submitButton="true">
<input type="text" token="field1">
<label>Text Input - Sourcetype</label>
<change>
<condition value="">
<set token="field1">*</set>
</condition>
</change>
</input>
<input type="text" token="field2">
<label>Text Input - Source</label>
<change>
<condition value="">
<set token="field2">*</set>
</condition>
</change>
</input>
<input type="text" token="field3">
<label>Text Input - Host</label>
<change>
<condition value="">
<set token="field3">*</set>
</condition>
</change>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Query built: index=_internal earliest=-15m sourcetype=$field1$ source=$field2$ host=$field3$ | stats count by sourcetype, source, host</title>
<search>
<query>index=_internal earliest=-15m sourcetype=$field1$ source=$field2$ host=$field3$ | stats count by sourcetype, source, host</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
HI Manjunath - Thank You Very Much.I use a submit button. Please find the code and help
1. As soon as i open the dash board, it's allowing to submit with all the fields only.I can submit by giving input to all the fileds. When i try to submit with 2 or 3 fileds, it's not allowing to submit.
2. When i try second time by deleting (backspace) a value in the field, it's getting auto submitted (once i click tab to move next filed). But, i can submit manually (i am not supposed to use tab)
3.I am currently working on input parameters only.Ignore the output params in the code.
4. Tried with Searchwhenchanged="False". No luck.
DemoDashBoard1
<input type="radio" token="test">
<label>SearchBy</label>
<choice value="1">Input</choice>
<choice value="2">Output</choice>
<change>
<condition value="1">
<set token="tkninput">true</set>
<unset token="tknoutput"></unset>
</condition>
<condition value="2">
<set token="tknoutput">true</set>
<unset token="tkninput"></unset>
</condition>
</change>
</input>
<input type="text" token="input1" depends="$tkninput$">
<label>Eventtype</label>
<change>
<condition value="">
<set token="input1">*</set>
</condition>
</change>
</input>
<input type="text" token="input2" depends="$tkninput$">
<label>TORID</label>
<change>
<condition value="">
<set token="input2">*</set>
</condition>
</change>
</input>
<input type="text" token="input3" depends="$tkninput$">
<label>SEC010Id</label>
<change>
<condition value="">
<set token="input3">*</set>
</condition>
</change>
</input>
<input type="text" token="input4" depends="$tkninput$">
<label>BUL010OrigId</label>
<change>
<condition value="">
<set token="input4">*</set>
</condition>
</change>
</input>
<input type="text" token="input5" depends="$tkninput$">
<label>BUL010DestinationId</label>
<change>
<condition value="">
<set token="input5">*</set>
</condition>
</change>
</input>
<input type="text" token="input6" depends="$tkninput$">
<label>SequencingNr</label>
<change>
<condition value="">
<set token="input6">*</set>
</condition>
</change>
</input>
<input type="text" token="output1" depends="$tknoutput$">
<label>businessEventTrigger</label>
</input>
<input type="text" token="output2" depends="$tknoutput$">
<label>rocsTourId</label>
</input>
<input type="text" token="output3" depends="$tknoutput$">
<label>rocsMovementId</label>
</input>
<input type="text" token="output4" depends="$tknoutput$">
<label>rocsOriginId</label>
</input>
<input type="text" token="output5" depends="$tknoutput$">
<label>rocsDestinationId</label>
</input>
<input type="text" token="output6" depends="$tknoutput$">
<label>tripLegSeqNbr</label>
</input>
<panel depends="$tkninput$">
<title>Input Panel</title>
<table>
<search>
<query>
index="demodashboard1" sourcetype="DemoDashBoard1" | xmlkv maxinputs=10000 | rename "nspJ:TOR010Id" as TORID "nspMMM:EventType" as EventType | search ns0:ProcessId (EventType = $input1$ OR businessEventTrigger) AND (TORID = $input2$ OR rocsTourId) AND (nspM:SEC010Id = $input3$ OR rocsMovementId) AND (nsSec:BUL010OrigId = $input4$ OR rocsOriginId) AND (nsSec:BUL010DestinationId = $input5$ OR rocsDestinationId) AND (nspM:SequencingNr = $input6$ OR tripLegSeqNbr) | table ns0:ProcessId EventType TORID nspM:SEC010Id nsSec:BUL010DestinationId nspM:SequencingNr businessEventTrigger rocsTourId rocsMovementId rocsDestinationId tripLegSeqNbr publishCd routeNm firstLegSchedDprtTmstp firstLegOrigin tripLegSeqNbr origin destination schedDprtTmstp
-15m
20
none
none
false
false
false
true
<title>Output Panel</title>
<table>
<search>
<query>
host="WTC-981558-L1" sourcetype=Mar16 source="TNTTRUCK_R2T - Copy.2020-03-05" | xmlkv maxinputs=10000 | rename "nspJ:TOR010Id" as TORID "nspMMM:EventType" as EventType|search ns0:ProcessId (EventType OR businessEventTrigger= $output1$) OR (TORID OR rocsTourId= $output2$) OR(nspM:SEC010Id OR rocsMovementId = $output3$) OR (nsSec:BUL010OrigId OR rocsOriginId = $output4$) OR (nsSec:BUL010DestinationId OR rocsDestinationId= $output5$) OR (nspM:SequencingNr OR tripLegSeqNbr= $output6$) |table ns0:ProcessId EventType TORID nspM:SEC010Id nsSec:BUL010DestinationId nspM:SequencingNr businessEventTrigger rocsTourId rocsMovementId rocsDestinationId tripLegSeqNbr publishCd routeNm firstLegSchedDprtTmstp firstLegOrigin tripLegSeqNbr origin destination schedDprtTmstp estDprtTmstp actlDprtTmstp schedArivTmstp estArivTmstp actlArivTmstp tripLegStatusCd scacCd routeType adhocFlg
| selfjoin ns0:ProcessId
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
This is happening as autoRun is set to "true" in fieldset element. Set autoRun to false and submitButton to "true".
<fieldset submitButton="true" autoRun="false">
<input type="radio" token="test">
....
I see. now ,
what's your query?