Hi all,
I currently have a table showing all used commands from a specific machine. Search is something like this:
source="/var/log/log" | stats count by comm | table comm, count | sort by count desc | head 10
This shows the top 10 used commands. Now I would like to search for specific commands using an Input field and submit button.
I would imagine the search would be something like this:
source="/var/log/audit/audit.log" comm="*$Token_Name$*" | stats count by comm | table comm, count | sort by count desc | head 10
But I don't understand how I can use the input field to alter the existing table. How should the input field be configured and how do I make the existing table use the input? Or does the input field create a table with the given value?
I hope my question is clear.
Thanks!
Hi
Try like this:
<form>
  <label>textfield</label>
  <fieldset submitButton="false">
    <input type="text" token="field1">
      <label>field1</label>
      <default>*</default>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index="_internal" $field1$ | stats count by sourcetype</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
Thanks, should I replace the text in <query> </query> with my second query in the opening post?
Yes, $field1$ is similar to your comm.
So in my situation like this:
<form>
  <fieldset>
    <input type="text" token="field1">
      <label>field1</label>
      <default></default>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Gebruikte commando's</title>
      <chart>
        <search>
          <query>source="/var/log/log" comm="$field1$" | stats count by comm | table comm, count | sort by count desc | head 10</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
Can you explain the prefix, suffix and initialValue? What are their functions?
Hi
Check this:
<form>
  <fieldset>
    <input type="text" token="field1">
      <label>field1</label>
      <default></default>
      <prefix>comm="</prefix>
      <suffix>"</suffix>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Gebruikte commando's</title>
      <chart>
        <search>
          <query>source="/var/log/log" $field1$ | stats count by comm | table comm, count | sort by count desc | head 10</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
Thanks, but why use prefix/suffix? I could just put $field1$ in the search after comm=" right?
Like this:
source="/var/log/log" comm="$field1$" | stats count by comm | table comm, count | sort by count desc | head 10
And not use prefix/suffix in the input field, or is this not possible?
Yes, you can.
Ok thanks, it works now. But why would you use the suffix/prefix? Or is it a habit to use it like that?
Instead of giving it in the query like comm=$field1$, I'm building that into the token itself.
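To make the prefix/suffix question concrete, here is an added Python model of the token substitution. It is not from this thread and not Splunk's own code; it is a simplified reimplementation, so every behaviour it encodes is an assumption: a text input sets $field1$ to prefix + typed value + suffix and $form.field1$ to the raw typed value; an empty box falls back to <default>, and with no default the token stays unset so the panel's search does not run; the |s token filter escapes backslashes and double quotes and wraps the value in double quotes. The function names (first_attempt, accepted_answer, inline_quoted, escaped_inline) and the query strings are constructed for this example. It renders the three variants from the thread (the first try with the sourcetype=" prefix left in, the corrected prefix/suffix form, and the inline comm="$field1$" form) and also shows what happens when the typed value itself contains a double quote.

```python
import re
from typing import Optional

# Simplified model of how Splunk Simple XML turns a text input into a token and
# substitutes it into a <query>. Constructed for this example (assumption), not
# Splunk's code: it models <prefix>, <suffix>, <default>, the form.<token>
# raw-value token and the |s quoting filter, nothing else.

TOKEN_RE = re.compile(r"\$([\w.]+)(?:\|(\w+))?\$")


def splunk_quote(value: str) -> str:
    """Model of the |s filter: escape backslashes and double quotes, then
    wrap the whole value in double quotes so it stays one literal string."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def input_tokens(token: str, typed: str, *, prefix: str = "", suffix: str = "",
                 default: Optional[str] = None) -> dict:
    """Tokens a text input sets: $token$ carries prefix + value + suffix,
    $form.token$ carries the raw typed value. An empty box falls back to
    <default> (assumption); with no default the token stays unset."""
    raw = typed if typed != "" else default
    if raw is None:
        return {}
    return {token: f"{prefix}{raw}{suffix}", f"form.{token}": raw}


def render_query(query: str, tokens: dict) -> Optional[str]:
    """Replace every $name$ / $name|s$ in the query. Returns None when a
    referenced token is unset, mirroring a panel that does not run."""
    missing = False

    def sub(m: "re.Match") -> str:
        nonlocal missing
        name, flt = m.group(1), m.group(2)
        if name not in tokens:
            missing = True
            return m.group(0)
        value = tokens[name]
        return splunk_quote(value) if flt == "s" else value

    rendered = TOKEN_RE.sub(sub, query)
    return None if missing else rendered


TAIL = " | stats count by comm | table comm, count | sort by count desc | head 10"
QUERY_INLINE = 'source="/var/log/log" comm="$field1$"' + TAIL    # quotes written in the query
QUERY_PREFIXED = 'source="/var/log/log" $field1$' + TAIL         # quotes come from prefix/suffix
QUERY_QUOTED = 'source="/var/log/log" comm=$field1|s$' + TAIL    # |s quotes the value itself


def first_attempt(typed: str) -> Optional[str]:
    """The thread's first try: prefix sourcetype=" kept, token already quoted in the query."""
    return render_query(QUERY_INLINE, input_tokens(
        "field1", typed, prefix='sourcetype="', suffix='"', default="*"))


def accepted_answer(typed: str) -> Optional[str]:
    """prefix comm=" / suffix " on the input and a bare $field1$ in the query."""
    return render_query(QUERY_PREFIXED, input_tokens(
        "field1", typed, prefix='comm="', suffix='"', default="*"))


def inline_quoted(typed: str) -> Optional[str]:
    """No prefix/suffix; the query writes comm="$field1$" itself."""
    return render_query(QUERY_INLINE, input_tokens("field1", typed, default="*"))


def escaped_inline(typed: str) -> Optional[str]:
    """No prefix/suffix; comm=$field1|s$ keeps whatever was typed as one literal."""
    return render_query(QUERY_QUOTED, input_tokens("field1", typed, default="*"))


if __name__ == "__main__":
    for fn in (first_attempt, accepted_answer, inline_quoted, escaped_inline):
        for typed in ("ls", "", 'sh -c "id"'):
            print(f"{fn.__name__:16} {typed!r:14} -> {fn(typed)}")
```

For a plain value such as ls, accepted_answer and inline_quoted produce the identical search string, so under this model the choice between prefix/suffix and writing comm="$field1$" in the query is a matter of style. The first attempt shows why mixing the two breaks: the sourcetype=" prefix lands inside the quotes the query already supplies. The difference that matters appears when the typed value contains a double quote: both literal forms then yield a query whose quoting no longer matches what was typed, whereas comm=$field1|s$ (with no prefix/suffix on the input) keeps the input one quoted literal; $form.field1$ gives the raw value if another panel needs it.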