Dashboards & Visualizations

Dynamic Search Query

rarangarajanspl
Explorer

I am new to Splunk. Please help me out with this.
My dashboard has 5 text fields and allows the users to key in data.
1. I want to make all of the text fields optional.
2. I need to construct the search query based on the user input, i.e. dynamically construct the search query filter based on user input.
Ex 1: With 3 text field inputs from the user, I need to generate the query with three filters.
Ex 2: With no inputs from the user, it should be a generic search without filters.

0 Karma
1 Solution

manjunathmeti
Champion

You can set the text input token to "*" when there is no user input. Try this. The example contains three inputs; you can extend the same to five inputs.

<form>
  <label>Test</label>
  <fieldset submitButton="true">
    <input type="text" token="field1">
      <label>Text Input - Sourcetype</label>
      <change>
        <condition value="">
          <set token="field1">*</set>
        </condition>
      </change>
    </input>
    <input type="text" token="field2">
      <label>Text Input - Source</label>
      <change>
        <condition value="">
          <set token="field2">*</set>
        </condition>
      </change>
    </input>
    <input type="text" token="field3">
      <label>Text Input - Host</label>
      <change>
        <condition value="">
          <set token="field3">*</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Query built: index=_internal earliest=-15m sourcetype=$field1$ source=$field2$ host=$field3$ | stats count by sourcetype, source, host</title>
        <search>
          <query>index=_internal earliest=-15m sourcetype=$field1$ source=$field2$ host=$field3$ | stats count by sourcetype, source, host</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

0 Karma

rarangarajanspl
Explorer

Hi Manjunath - Thank you very much. I use a submit button. Please find the code and help.
1. As soon as I open the dashboard, it allows submitting with all the fields only. I can submit by giving input to all the fields. When I try to submit with 2 or 3 fields, it does not allow me to submit.
2. When I try a second time by deleting (backspace) a value in the field, it gets auto-submitted (once I click tab to move to the next field). But I can submit manually (I am not supposed to use tab).
3. I am currently working on input parameters only. Ignore the output params in the code.
4. Tried with Searchwhenchanged="False". No luck.
DemoDashBoard1

<input type="radio" token="test">
  <label>SearchBy</label>
  <choice value="1">Input</choice>
  <choice value="2">Output</choice>
  <change>
    <condition value="1">
      <set token="tkninput">true</set>
      <unset token="tknoutput"></unset>
    </condition>
    <condition value="2">
      <set token="tknoutput">true</set>
      <unset token="tkninput"></unset>
    </condition>
  </change>
</input>
<input type="text" token="input1" depends="$tkninput$">
  <label>Eventtype</label>
  <change>
     <condition value="">
       <set token="input1">*</set>
     </condition>
   </change>
</input>
<input type="text" token="input2" depends="$tkninput$">
  <label>TORID</label>
  <change>
     <condition value="">
       <set token="input2">*</set>
     </condition>
   </change>
</input>
<input type="text" token="input3" depends="$tkninput$">
  <label>SEC010Id</label>
  <change>
     <condition value="">
       <set token="input3">*</set>
     </condition>
   </change>
</input>
<input type="text" token="input4" depends="$tkninput$">
  <label>BUL010OrigId</label>
  <change>
     <condition value="">
       <set token="input4">*</set>
     </condition>
   </change>
</input>
<input type="text" token="input5" depends="$tkninput$">
  <label>BUL010DestinationId</label>
  <change>
     <condition value="">
       <set token="input5">*</set>
     </condition>
   </change>
</input>
<input type="text" token="input6" depends="$tkninput$">
  <label>SequencingNr</label>
  <change>
     <condition value="">
       <set token="input6">*</set>
     </condition>
   </change>
</input>
<input type="text" token="output1" depends="$tknoutput$">
  <label>businessEventTrigger</label>
</input>
<input type="text" token="output2" depends="$tknoutput$">
  <label>rocsTourId</label>
</input>
<input type="text" token="output3" depends="$tknoutput$">
  <label>rocsMovementId</label>
</input>
<input type="text" token="output4" depends="$tknoutput$">
  <label>rocsOriginId</label>
</input>
<input type="text" token="output5" depends="$tknoutput$">
  <label>rocsDestinationId</label>
</input>
<input type="text" token="output6" depends="$tknoutput$">
  <label>tripLegSeqNbr</label>
</input>



<panel depends="$tkninput$">
  <title>Input Panel</title>
  <table>
    <search>
      <query>
     index="demodashboard1" sourcetype="DemoDashBoard1" |  xmlkv maxinputs=10000 | rename "nspJ:TOR010Id" as TORID "nspMMM:EventType" as EventType | search ns0:ProcessId (EventType = $input1$ OR businessEventTrigger) AND (TORID = $input2$ OR rocsTourId) AND (nspM:SEC010Id = $input3$ OR rocsMovementId) AND (nsSec:BUL010OrigId = $input4$ OR rocsOriginId) AND (nsSec:BUL010DestinationId = $input5$ OR rocsDestinationId) AND (nspM:SequencingNr = $input6$ OR tripLegSeqNbr) | table  ns0:ProcessId EventType TORID nspM:SEC010Id nsSec:BUL010DestinationId nspM:SequencingNr businessEventTrigger rocsTourId rocsMovementId rocsDestinationId  tripLegSeqNbr  publishCd routeNm firstLegSchedDprtTmstp firstLegOrigin tripLegSeqNbr origin destination schedDprtTmstp
      </query>
      <earliest>-15m</earliest>
      <latest>now</latest>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
  </table>
</panel>
<panel depends="$tknoutput$">
  <title>Output Panel</title>
  <table>
    <search>
      <query>
 host="WTC-981558-L1" sourcetype=Mar16 source="TNTTRUCK_R2T - Copy.2020-03-05" |  xmlkv maxinputs=10000 | rename "nspJ:TOR010Id" as TORID "nspMMM:EventType" as EventType|search ns0:ProcessId (EventType OR businessEventTrigger= $output1$) OR (TORID OR rocsTourId= $output2$) OR(nspM:SEC010Id OR rocsMovementId = $output3$) OR (nsSec:BUL010OrigId OR rocsOriginId = $output4$) OR (nsSec:BUL010DestinationId OR rocsDestinationId= $output5$) OR (nspM:SequencingNr OR tripLegSeqNbr= $output6$) |table  ns0:ProcessId EventType TORID nspM:SEC010Id nsSec:BUL010DestinationId nspM:SequencingNr businessEventTrigger rocsTourId rocsMovementId rocsDestinationId  tripLegSeqNbr  publishCd routeNm firstLegSchedDprtTmstp firstLegOrigin tripLegSeqNbr origin destination schedDprtTmstp estDprtTmstp  actlDprtTmstp  schedArivTmstp estArivTmstp  actlArivTmstp  tripLegStatusCd scacCd routeType adhocFlg
| selfjoin ns0:ProcessId
      </query>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>

  </table>
</panel>
0 Karma

manjunathmeti
Champion

This is happening as autoRun is set to "true" in fieldset element. Set autoRun to false and submitButton to "true".

<fieldset submitButton="true" autoRun="false">
<input type="radio" token="test">
....
0 Karma
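The pattern from the two replies above, combined into one form, as an added example that is not part of the original posts: each text input gets a `<default>` of `*` so its token is already defined when the dashboard loads, and the query uses the `|s` token filter so that whatever is typed is wrapped in double quotes and stays a field value instead of becoming part of the search string. The form label and the reuse of `index=_internal` with the `field1`..`field3` tokens are assumptions carried over from the solution.

```xml
<form>
  <label>Optional filters (added example)</label>
  <!-- Search runs only when Submit is clicked, as suggested in the thread -->
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="field1" searchWhenChanged="false">
      <label>Text Input - Sourcetype</label>
      <!-- Token is defined on load, so Submit works with untouched fields -->
      <default>*</default>
      <change>
        <!-- A cleared box falls back to the wildcard, as in the solution -->
        <condition value="">
          <set token="field1">*</set>
        </condition>
      </change>
    </input>
    <input type="text" token="field2" searchWhenChanged="false">
      <label>Text Input - Source</label>
      <default>*</default>
      <change>
        <condition value="">
          <set token="field2">*</set>
        </condition>
      </change>
    </input>
    <input type="text" token="field3" searchWhenChanged="false">
      <label>Text Input - Host</label>
      <default>*</default>
      <change>
        <condition value="">
          <set token="field3">*</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- |s quotes each value: a space or pipe typed into a box stays inside the field value -->
          <query>index=_internal sourcetype=$field1|s$ source=$field2|s$ host=$field3|s$ | stats count by sourcetype, source, host</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

A `field=*` filter only matches events where that field exists, which always holds for `sourcetype`, `source` and `host` but not necessarily for fields extracted at search time.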

to4kawa
Ultra Champion

I see. Now, what's your query?

0 Karma