Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dynamic input value for tables

jonydupre
Path Finder
‎12-12-2019 04:27 AM

Hi all,

I currently have a table showing all used commands from a specific machine. Search is something like this:

source="/var/log/log"  | stats count by comm | table comm, count | sort by count desc | head 10

This shows the top 10 used commands. Now I would like to search for specific commands using an Input field and submit button.
I would imagine the search would be something like this:

source="/var/log/audit/audit.log" comm="*$Token_Name$*" | stats count by comm | table comm, count | sort by count desc | head 10

But I don't understand how I can use the input field to alter the existing table.. How should the input field be configured and how do I make the existing table use the input? Or does the input field create a table with given value?

I hope my question is clear..
Thanks!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vnravikumar
Champion
‎12-12-2019 04:33 AM

Hi

Try like

<form>
  <label>textfield</label>
  <fieldset submitButton="false">
    <input type="text" token="field1">
      <label>field1</label>
      <default>*</default>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index="_internal" $field1$ | stats count by sourcetype</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

vnravikumar
Champion
‎12-12-2019 04:33 AM

Hi

Try like

<form>
  <label>textfield</label>
  <fieldset submitButton="false">
    <input type="text" token="field1">
      <label>field1</label>
      <default>*</default>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index="_internal" $field1$ | stats count by sourcetype</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply
Solved! Jump to solution

jonydupre
Path Finder
‎12-12-2019 04:42 AM

Thanks, should I replace the text in <query> </query> with my second query in the opening post?

0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎12-12-2019 04:46 AM

yes, $field1$ is similar to your comm

0 Karma
Reply
Solved! Jump to solution

jonydupre
Path Finder
‎12-12-2019 04:49 AM

So in my situation like this:

<input type="text" token="field1">
      <label>field1</label>
       <default></default>
       <prefix>sourcetype="</prefix>
       <suffix>"</suffix>
       <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Gebruikte commando's</title>
      <chart>
        <search>
          <query>source="/var/log/log" comm="$field1$" | stats count by comm | table comm, count | sort by count desc | head 10</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>

Can you explain the prefix, suffix en initialValue? What are their functions?

0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎12-12-2019 04:53 AM

hi

Check this

<form>
  <fieldset>
    <input type="text" token="field1">
      <label>field1</label>
      <default></default>
      <prefix>comm="</prefix>
      <suffix>"</suffix>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Gebruikte commando's</title>
      <chart>
        <search>
          <query>source="/var/log/log" $field1$ | stats count by comm | table comm, count | sort by count desc | head 10</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
0 Karma
Reply
Solved! Jump to solution

jonydupre
Path Finder
‎12-12-2019 05:00 AM

Thanks, but why use prefix/suffix? I could just put $field1$ in the search after comm=" right?

Like this:
source="/var/log/log" comm="$field1$" | stats count by comm | table comm, count | sort by count desc | head 10

And not use prefix/suffix in the input field, or is this not possible?

0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎12-12-2019 05:01 AM

yes you can do.

0 Karma
Reply
Solved! Jump to solution

jonydupre
Path Finder
‎12-12-2019 06:33 AM

Ok thanks, it works now. But why would you use the suffix/preffix? Or is it a habit to use like that?

0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎12-12-2019 04:53 AM

instead of giving in query like comm=$field1$ i'm building that in token itself

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...