Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Dashboards & Visualizations
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Dynamic Search Query
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rarangarajanspl
Explorer
03-30-2020
09:46 AM
I am new to Splunk. Please help me out with this.
My dashboard is having 5 text fields and allows the users to key in data.
1. I want to make all of the text fields are optional.
2. I need to construct the search query based on the user input. i.e. dynamically construct the search query filter based on user input
Ex 1: with 3 text fields input from user, i need to generate the query with three filters.
Ex 2: with no inputs from user, it should be generic search with out filters
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-30-2020
10:43 AM
You can set text input token to "*" when there is no user input , Try this. Example contains three inputs you can extend same to five inputs.
<form>
<label>Test</label>
<fieldset submitButton="true">
<input type="text" token="field1">
<label>Text Input - Sourcetype</label>
<change>
<condition value="">
<set token="field1">*</set>
</condition>
</change>
</input>
<input type="text" token="field2">
<label>Text Input - Source</label>
<change>
<condition value="">
<set token="field2">*</set>
</condition>
</change>
</input>
<input type="text" token="field3">
<label>Text Input - Host</label>
<change>
<condition value="">
<set token="field3">*</set>
</condition>
</change>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Query built: index=_internal earliest=-15m sourcetype=$field1$ source=$field2$ host=$field3$ | stats count by sourcetype, source, host</title>
<search>
<query>index=_internal earliest=-15m sourcetype=$field1$ source=$field2$ host=$field3$ | stats count by sourcetype, source, host</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-30-2020
10:43 AM
You can set text input token to "*" when there is no user input , Try this. Example contains three inputs you can extend same to five inputs.
<form>
<label>Test</label>
<fieldset submitButton="true">
<input type="text" token="field1">
<label>Text Input - Sourcetype</label>
<change>
<condition value="">
<set token="field1">*</set>
</condition>
</change>
</input>
<input type="text" token="field2">
<label>Text Input - Source</label>
<change>
<condition value="">
<set token="field2">*</set>
</condition>
</change>
</input>
<input type="text" token="field3">
<label>Text Input - Host</label>
<change>
<condition value="">
<set token="field3">*</set>
</condition>
</change>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Query built: index=_internal earliest=-15m sourcetype=$field1$ source=$field2$ host=$field3$ | stats count by sourcetype, source, host</title>
<search>
<query>index=_internal earliest=-15m sourcetype=$field1$ source=$field2$ host=$field3$ | stats count by sourcetype, source, host</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rarangarajanspl
Explorer
03-30-2020
03:03 PM
HI Manjunath - Thank You Very Much.I use a submit button. Please find the code and help
1. As soon as i open the dash board, it's allowing to submit with all the fields only.I can submit by giving input to all the fileds. When i try to submit with 2 or 3 fileds, it's not allowing to submit.
2. When i try second time by deleting (backspace) a value in the field, it's getting auto submitted (once i click tab to move next filed). But, i can submit manually (i am not supposed to use tab)
3.I am currently working on input parameters only.Ignore the output params in the code.
4. Tried with Searchwhenchanged="False". No luck.
DemoDashBoard1
<input type="radio" token="test">
<label>SearchBy</label>
<choice value="1">Input</choice>
<choice value="2">Output</choice>
<change>
<condition value="1">
<set token="tkninput">true</set>
<unset token="tknoutput"></unset>
</condition>
<condition value="2">
<set token="tknoutput">true</set>
<unset token="tkninput"></unset>
</condition>
</change>
</input>
<input type="text" token="input1" depends="$tkninput$">
<label>Eventtype</label>
<change>
<condition value="">
<set token="input1">*</set>
</condition>
</change>
</input>
<input type="text" token="input2" depends="$tkninput$">
<label>TORID</label>
<change>
<condition value="">
<set token="input2">*</set>
</condition>
</change>
</input>
<input type="text" token="input3" depends="$tkninput$">
<label>SEC010Id</label>
<change>
<condition value="">
<set token="input3">*</set>
</condition>
</change>
</input>
<input type="text" token="input4" depends="$tkninput$">
<label>BUL010OrigId</label>
<change>
<condition value="">
<set token="input4">*</set>
</condition>
</change>
</input>
<input type="text" token="input5" depends="$tkninput$">
<label>BUL010DestinationId</label>
<change>
<condition value="">
<set token="input5">*</set>
</condition>
</change>
</input>
<input type="text" token="input6" depends="$tkninput$">
<label>SequencingNr</label>
<change>
<condition value="">
<set token="input6">*</set>
</condition>
</change>
</input>
<input type="text" token="output1" depends="$tknoutput$">
<label>businessEventTrigger</label>
</input>
<input type="text" token="output2" depends="$tknoutput$">
<label>rocsTourId</label>
</input>
<input type="text" token="output3" depends="$tknoutput$">
<label>rocsMovementId</label>
</input>
<input type="text" token="output4" depends="$tknoutput$">
<label>rocsOriginId</label>
</input>
<input type="text" token="output5" depends="$tknoutput$">
<label>rocsDestinationId</label>
</input>
<input type="text" token="output6" depends="$tknoutput$">
<label>tripLegSeqNbr</label>
</input>
<panel depends="$tkninput$">
<title>Input Panel</title>
<table>
<search>
<query>
index="demodashboard1" sourcetype="DemoDashBoard1" | xmlkv maxinputs=10000 | rename "nspJ:TOR010Id" as TORID "nspMMM:EventType" as EventType | search ns0:ProcessId (EventType = $input1$ OR businessEventTrigger) AND (TORID = $input2$ OR rocsTourId) AND (nspM:SEC010Id = $input3$ OR rocsMovementId) AND (nsSec:BUL010OrigId = $input4$ OR rocsOriginId) AND (nsSec:BUL010DestinationId = $input5$ OR rocsDestinationId) AND (nspM:SequencingNr = $input6$ OR tripLegSeqNbr) | table ns0:ProcessId EventType TORID nspM:SEC010Id nsSec:BUL010DestinationId nspM:SequencingNr businessEventTrigger rocsTourId rocsMovementId rocsDestinationId tripLegSeqNbr publishCd routeNm firstLegSchedDprtTmstp firstLegOrigin tripLegSeqNbr origin destination schedDprtTmstp
-15m
20
none
none
false
false
false
true
<title>Output Panel</title>
<table>
<search>
<query>
host="WTC-981558-L1" sourcetype=Mar16 source="TNTTRUCK_R2T - Copy.2020-03-05" | xmlkv maxinputs=10000 | rename "nspJ:TOR010Id" as TORID "nspMMM:EventType" as EventType|search ns0:ProcessId (EventType OR businessEventTrigger= $output1$) OR (TORID OR rocsTourId= $output2$) OR(nspM:SEC010Id OR rocsMovementId = $output3$) OR (nsSec:BUL010OrigId OR rocsOriginId = $output4$) OR (nsSec:BUL010DestinationId OR rocsDestinationId= $output5$) OR (nspM:SequencingNr OR tripLegSeqNbr= $output6$) |table ns0:ProcessId EventType TORID nspM:SEC010Id nsSec:BUL010DestinationId nspM:SequencingNr businessEventTrigger rocsTourId rocsMovementId rocsDestinationId tripLegSeqNbr publishCd routeNm firstLegSchedDprtTmstp firstLegOrigin tripLegSeqNbr origin destination schedDprtTmstp estDprtTmstp actlDprtTmstp schedArivTmstp estArivTmstp actlArivTmstp tripLegStatusCd scacCd routeType adhocFlg
| selfjoin ns0:ProcessId
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-30-2020
08:40 PM
This is happening as autoRun is set to "true" in fieldset element. Set autoRun to false and submitButton to "true".
<fieldset submitButton="true" autoRun="false">
<input type="radio" token="test">
....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
03-30-2020
10:38 AM
I see. now ,
what's your query?
Get Updates on the Splunk Community!
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
