Dashboards & Visualizations

Dynamic input value for tables

Path Finder

Hi all,

I currently have a table showing all used commands from a specific machine. Search is something like this:

source="/var/log/log"  | stats count by comm | table comm, count | sort by count desc | head 10

This shows the top 10 used commands. Now I would like to search for specific commands using an Input field and submit button.
I would imagine the search would be something like this:

source="/var/log/audit/audit.log" comm="*$Token_Name$*" | stats count by comm | table comm, count | sort by count desc | head 10

But I don't understand how I can use the input field to alter the existing table. How should the input field be configured, and how do I make the existing table use the input? Or does the input field create a table with the given value?

I hope my question is clear.
Thanks!

0 Karma
1 Solution

Champion

Hi

Try like this:

<form>
  <label>textfield</label>
  <fieldset submitButton="false">
    <input type="text" token="field1">
      <label>field1</label>
      <default>*</default>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index="_internal" $field1$ | stats count by sourcetype</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>


0 Karma

Path Finder

Thanks, should I replace the text in <query> </query> with my second query in the opening post?

0 Karma

Champion

Yes, $field1$ is similar to your comm.

0 Karma

Path Finder

So in my situation like this:

    <input type="text" token="field1">
      <label>field1</label>
      <default></default>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Gebruikte commando's</title>
      <chart>
        <search>
          <query>source="/var/log/log" comm="$field1$" | stats count by comm | table comm, count | sort by count desc | head 10</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>

Can you explain the prefix, suffix and initialValue? What are their functions?

0 Karma

Champion

Hi

Check this:

<form>
  <fieldset>
    <input type="text" token="field1">
      <label>field1</label>
      <default></default>
      <prefix>comm="</prefix>
      <suffix>"</suffix>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Gebruikte commando's</title>
      <chart>
        <search>
          <query>source="/var/log/log" $field1$ | stats count by comm | table comm, count | sort by count desc | head 10</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
0 Karma

Path Finder

Thanks, but why use prefix/suffix? I could just put $field1$ in the search after comm=" right?

Like this:
source="/var/log/log" comm="$field1$" | stats count by comm | table comm, count | sort by count desc | head 10

And not use prefix/suffix in the input field, or is this not possible?

0 Karma

Champion

Yes, you can do that.

0 Karma

Path Finder

Ok thanks, it works now. But why would you use the suffix/prefix? Or is it a habit to use it like that?

0 Karma

Champion

Instead of writing comm=$field1$ in the query, I'm building that into the token itself.

0 Karma
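As an added illustration that is not part of this thread and not Splunk's own code: the Python below models the textual $token$ substitution a Simple XML form performs before it runs the panel's search, so the two styles discussed above can be compared side by side, comm="$field1$" written in the query versus comm=" and " supplied by the input's prefix and suffix. It also shows the $field1|s$ token filter, which wraps the value in double quotes and escapes any quotes or backslashes inside it, the caveat to keep in mind when a typed value can itself contain a double quote. The text_input_token helper, the substitution model and the sample inputs are constructed for this example; the only Splunk facts relied on are that tokens are replaced textually, that initialValue pre-fills the box on load, and what the s filter does.

```python
import re

# $name$ or $name|filter$; only the 'n' (no-op) and 's' (string) filters are modelled
TOKEN_RE = re.compile(r"\$(?P<name>\w+)(?:\|(?P<filter>[ns]))?\$")


def s_filter(value: str) -> str:
    """Simple XML 's' token filter: wrap in double quotes, escape backslashes and quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def text_input_token(typed, *, prefix="", suffix="", default="", initial_value=None):
    """Value an <input type="text"> contributes to its token (constructed model).

    typed=None models a freshly loaded form: the box shows initialValue when one
    is set, otherwise the token falls back to default. Assumption: prefix and
    suffix are concatenated textually around the value; how Splunk treats an
    empty box is deliberately not modelled here.
    """
    value = (initial_value if initial_value is not None else default) if typed is None else typed
    return f"{prefix}{value}{suffix}"


def expand(query: str, tokens: dict) -> str:
    """Textual $token$ substitution, as a dashboard performs it before running the search."""
    def repl(match):
        value = tokens[match.group("name")]
        return s_filter(value) if match.group("filter") == "s" else value
    return TOKEN_RE.sub(repl, query)


TAIL = "| stats count by comm | table comm, count | sort by count desc | head 10"
QUERY_INLINE = 'source="/var/log/log" comm="$field1$" ' + TAIL   # quotes written in the query
QUERY_TOKEN = 'source="/var/log/log" $field1$ ' + TAIL           # quotes supplied by prefix/suffix
QUERY_ESCAPED = 'source="/var/log/log" comm=$field1|s$ ' + TAIL  # quotes and escaping via |s


def inline_style(typed):
    """The asker's final form: comm="$field1$" in the query, initialValue * on the input."""
    return expand(QUERY_INLINE, {"field1": text_input_token(typed, initial_value="*")})


def prefix_suffix_style(typed):
    """The answerer's form: comm=" and " built into the token, bare $field1$ in the query."""
    token = text_input_token(typed, prefix='comm="', suffix='"', initial_value="*")
    return expand(QUERY_TOKEN, {"field1": token})


def escaped_style(typed):
    """Same query, but the |s filter quotes the value and escapes any embedded quotes."""
    return expand(QUERY_ESCAPED, {"field1": text_input_token(typed, initial_value="*")})


if __name__ == "__main__":
    # Constructed sample inputs: form just loaded, a normal command name, a value with a quote.
    for typed in (None, "sudo", 'a"b'):
        print("typed:", typed)
        print("  inline        :", inline_style(typed))
        print("  prefix/suffix :", prefix_suffix_style(typed))
        print("  |s filter     :", escaped_style(typed))
```

Running it shows that for ordinary command names the two styles expand to the identical search, which is why both worked in the thread; with initialValue set to * the search runs as comm="*" as soon as the form loads. The difference appears only with a value like a"b: both plain styles expand to comm="a"b", while the |s filter yields comm="a\"b", so the typed value stays a single quoted string.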