Dashboards & Visualizations

Getting a form to work

Explorer

Can someone tell me why this doesn't work right? The time picker works when I change the time range but the host choice does not work, it always includes all hosts no matter what I choose in the form.

    <?xml version='1.0' encoding='utf-8'?>


<form>
  <label>Fail2ban Events</label>


  <fieldset>
    <input type="dropdown" token="host">
      <label>Host</label>
      <choice value="*">All Hosts</choice>
      <choice value="echo">Echo</choice>
      <choice value="zeus">Zeus</choice>
    </input>
      <!-- add default TimePicker -->
      <input type="time" />
  </fieldset>



  <label>Fail2ban</label>
  <row>
    <chart>

      <searchName>fail2ban_jail_time</searchName>
      <title>Fail2ban Jails</title>
    </chart>
  </row>
  <row>
    <chart>
      <searchName>Fail2Ban_IP</searchName>
      <title>Fail2ban IPs</title>
    </chart>
    <table>
<searchString>sourcetype=fail2ban host="*" jail!="spamdyke" banaction="Ban"  | top src_ip limit=10000</searchString>

      <title>Fail2ban IPs</title>
    </table>
  </row>
</form>
Tags (1)
0 Karma

Splunk Employee
Splunk Employee

Hi there,

nik_splunk is right here.

Look you defined a token to be filled with the picked value from the host list:

<input type="dropdown" token="host">

This token is a kind of a placeholder for the picked value which should be handed over to your search.

sourcetype=fail2ban host=$host$ jail!="spamdyke" banaction="Ban" ...

See also documentation:

http://www.splunk.com/base/Documentation/4.1.4/Developer/Step2CustomizeForm

Happy Splunking!

Cheers,

Christian

0 Karma

Explorer

I got this to work by using instead of and using the token. And yes, I was trying to get all panels to use host. The saved searches were not picking up on the host. I figured if it would pick up on the time, it would get the host too. I guess there is something special about time where it works and other variables don't..

Splunk Employee
Splunk Employee

Hi deltatech,

do you want to add the selected host also to 'Fail2ban Jails' and 'Fail2ban IPs'? So you are using a saved search to fill this two panels, but of course the value for the picked host is not used in this search! Is it that what you mean here?
If yes, please let me know, because that one would be more sophisticated to do. Can you also post the saved searches here, so I can give you more help here?

0 Karma

Explorer

I tried that too and it still doesn't work. Also, note that I never mentioned time anywhere yet time does work. I am trying to get host to work for all panels, not just the one.

host=$host$ still ends up with all hosts no matter what I select.

0 Karma

Path Finder

Hi deltatech,

I guess you have to specify the host field as a token. So I suggest you to change into your search string

from

sourcetype=fail2ban host="*" jail!="spamdyke" banaction="Ban" ....

to

sourcetype=fail2ban host=$host$ jail!="spamdyke" banaction="Ban"  ...

Bye

nik_splunk