- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How do I add a check box to change my search?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am really struggling with two checkboxes to change my search queries.
I may be losing my time with the wrong input choice. Please tell me if I'm lost.
I want to add a checkbox to change my SPL:
-For the first one, I just want to add "id!=XYZ" to exclude something from the search
-And in another panel, I want my:
| timechart count as ABC
to become:
|timechart dc(id) as ABC
Am I the only one not understanding the Token options (prefix/suffix value, delimiter etc)?
Any help would be appreciated. Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@salpaysog Try the following run anywhere example to test how the search query is formed based on check box selected and un checked. You can code checkbox input's <change> event handler to set the required tokens.
<form>
<label>Checkbox to set query</label>
<fieldset submitButton="false"></fieldset>
<init>
<set token="tokSearchFilter"> </set>
<set token="tokStatsFunction">count</set>
</init>
<row>
<panel>
<input type="checkbox" token="tokFirstCheckBox">
<label></label>
<choice value="set">Set !=XYZ Filter</choice>
<delimiter> </delimiter>
<change>
<condition value="set">
<set token="tokSearchFilter">id!=XYZ</set>
</condition>
<condition>
<set token="tokSearchFilter"> </set>
</condition>
</change>
</input>
<html>
<div>Search Query:</div>
<div>
<pre>index = onelogin sourcetype = onelogin:event app_name != null
$tokSearchFilter$
$events_app_event_selector$
| rename app_name AS APP_NAME
| dedup $events_app_unique$
| stats count by APP_NAME
| sort count desc</pre>
</div>
</html>
</panel>
<panel>
<input type="checkbox" token="tokSecondCheckBox">
<label></label>
<choice value="set">Set Disctinct UserID</choice>
<delimiter> </delimiter>
<change>
<condition value="set">
<set token="tokStatsFunction">dc(user_id)</set>
</condition>
<condition>
<set token="tokStatsFunction">count</set>
</condition>
</change>
</input>
<html>
<div>Search Query:</div>
<div>
<pre>index="onelogin" sourcetype="onelogin:event" eventtype="onelogin_event_login_to_onelogin_success"
| dedup id
| timechart $tokStatsFunction$ AS Successful_Logins</pre>
</div>
</html>
</panel>
</row>
</form>
PS: <init> section has been used to initialize the tokens to be applied to search when dashboard loads.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@salpaysog Try the following run anywhere example to test how the search query is formed based on check box selected and un checked. You can code checkbox input's <change> event handler to set the required tokens.
<form>
<label>Checkbox to set query</label>
<fieldset submitButton="false"></fieldset>
<init>
<set token="tokSearchFilter"> </set>
<set token="tokStatsFunction">count</set>
</init>
<row>
<panel>
<input type="checkbox" token="tokFirstCheckBox">
<label></label>
<choice value="set">Set !=XYZ Filter</choice>
<delimiter> </delimiter>
<change>
<condition value="set">
<set token="tokSearchFilter">id!=XYZ</set>
</condition>
<condition>
<set token="tokSearchFilter"> </set>
</condition>
</change>
</input>
<html>
<div>Search Query:</div>
<div>
<pre>index = onelogin sourcetype = onelogin:event app_name != null
$tokSearchFilter$
$events_app_event_selector$
| rename app_name AS APP_NAME
| dedup $events_app_unique$
| stats count by APP_NAME
| sort count desc</pre>
</div>
</html>
</panel>
<panel>
<input type="checkbox" token="tokSecondCheckBox">
<label></label>
<choice value="set">Set Disctinct UserID</choice>
<delimiter> </delimiter>
<change>
<condition value="set">
<set token="tokStatsFunction">dc(user_id)</set>
</condition>
<condition>
<set token="tokStatsFunction">count</set>
</condition>
</change>
</input>
<html>
<div>Search Query:</div>
<div>
<pre>index="onelogin" sourcetype="onelogin:event" eventtype="onelogin_event_login_to_onelogin_success"
| dedup id
| timechart $tokStatsFunction$ AS Successful_Logins</pre>
</div>
</html>
</panel>
</row>
</form>
PS: <init> section has been used to initialize the tokens to be applied to search when dashboard loads.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's it thank you! I saw some xml with the and tags but I was having trouble to figure out their use.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad you got it to work 🙂
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the prefix/suffix value and delimiters are usually used when you do a multi select to allow more than one selection.
ex: field = (value1 OR value2 OR value3)
- the prefix is (
- the suffix is )
- the delimiter is OR
Can you share some of your XML and your queries? we can help better if we can see more specifically wat you are looking for.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For the first one my query is:
index = onelogin sourcetype = onelogin:event app_name != null
$excludeX$
$events_app_event_selector$
| rename app_name AS APP_NAME
| dedup $events_app_unique$
| stats count by APP_NAME
| sort count desc
when the checkbox is selected, I want $excludeX$ to become id!=XYZ. When it is not selected I want it to be empty.
the second one:
I want this search:
index="onelogin" sourcetype="onelogin:event" eventtype="onelogin_event_login_to_onelogin_success"
| dedup id
| timechart count AS Successful_Logins
to become:
index="onelogin" sourcetype="onelogin:event" eventtype="onelogin_event_login_to_onelogin_success"
| dedup id
| timechart distinct_count*(user_id)* AS Successful_Logins
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@salpaysog do you have a single checkbox based on which you want two searches to change? Or do you have two separate check boxes one for each Search and based on checked or unchecked do you want to change corresponding search?
Mockup screenshot of what you have and what you want would help us assist you better. Also if possible please add simple XML code. While posting code make sure you use the code button i.e. 101010 or keyboard shortcut Ctrl+G to ensure that special characters do not escape.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry it wasn't clear. I have two different checkboxes for each query and I want to change corresponding search based on checked or unchecked boxes.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
