The following form is not behaving as intended. The tokens don't always make it through. I can verify this by clicking on the open in search link on the results and see that the token expanded to the default value. I've tried restarting splunk, and clearing browser data. Any ideas? Splunk 6.0 64bit running on Linux.
<form>
<label>Service Starts</label>
<description>Shows any service start, with time, host and service</description>
<fieldset>
<input type="text" token="server">
<label>Hosts to match</label>
<default>*</default>
</input>
<input type="text" token="svc">
<label>Service to match</label>
<default>ELTPGuardian</default>
</input>
<input type="time" searchWhenChanged="true">
<default>
<earliestTime>@d</earliestTime>
<latestTime>now</latestTime>
</default>
</input>
</fieldset>
<row>
<table>
<searchString>host=$server$ sourcetype="WinEventLog:Application" started SourceName=$svc$ | transaction maxpause=10m pod SourceName | table _time pod host SourceName | rename SourceName as Service</searchString>
<earliestTime>$earliest$</earliestTime>
<latestTime>$latest$</latestTime>
<option name="count">50</option>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
</table>
</row>
</form>
Yes, clicking the submit. It is inconsistent. I've included a header in the results area now that echoes what the server field is. Sometimes it shows * even when I've clearly entered info (and clicked submit) and other times it works fine.
After entering a new value in the Server field, are you clicking the Submit button?
Default value gets applied on page load, as well as if no other value exists. If you want the ability to have an empty string as a value, then you should use
<form>
<label>Service Starts</label>
<description>Shows any service start, with time, host and service</description>
<fieldset autoRun="true" submitButton="true">
<input type="text" token="server">
<label>Hosts to match</label>
<default>*</default>
</input>
<input type="text" token="svc">
<label>Service to match</label>
<default>ELTPGuardian</default>
</input>
<input type="time" searchWhenChanged="true">
<default>
<earliestTime>@d</earliestTime>
<latestTime>now</latestTime>
</default>
</input>
</fieldset>
<row>
<table>
<searchString>index=* host=$server$ sourcetype="WinEventLog:Application" started SourceName=$svc$ | transaction maxpause=10m pod SourceName | table _time pod host SourceName | rename SourceName as Service</searchString>
<earliestTime>$earliest$</earliestTime>
<latestTime>$latest$</latestTime>
<option name="showPager">true</option>
<option name="count">50</option>
<option name="displayRowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
</table>
</row>
</form>
Add index name in search string, submit button added to code click on submit button to view results. Showpager to display table also added to code.
Hi @d12harshal ,
I'm also facing the same issue, for multi dropdown dashboard token is not working in query search.
https://answers.splunk.com/answers/780873/multivalve-drilldown-and-dropdown-is-not-working-i.html
I put a value into the Server field, but the search executes with the default value of "*". If I remove the default value from the configs, i cannot submit the form. Splunk behaves as if it's empty even with a value in it. I'm using Chrome and Safari on OSX.
What specific behavior do you expect? And what behavior do you actually see?
When you click on Submit button, what query string you see in the URL?