
How do I add a check box to change my search?

Explorer

I am really struggling with two checkboxes to change my search queries.

I may be losing my time with the wrong input choice. Please tell me if I'm lost.

I want to add a checkbox to change my SPL:

-For the first one, I just want to add "id!=XYZ" to exclude something from the search

-And in another panel, I want my:

| timechart count as ABC

to become:

|timechart dc(id) as ABC

Am I the only one not understanding the Token options (prefix/suffix value, delimiter etc)?

Any help would be appreciated. Thanks in advance.


Re: How do I add a check box to change my search?

Motivator

The prefix/suffix value and delimiters are usually used when you do a multi select to allow more than one selection.

ex: field = (value1 OR value2 OR value3)
- the prefix is (
- the suffix is )
- the delimiter is OR

Can you share some of your XML and your queries? We can help better if we can see more specifically what you are looking for.

0 Karma

Re: How do I add a check box to change my search?

Explorer

For the first one my query is:

index = onelogin sourcetype = onelogin:event app_name != null
$excludeX$
$events_app_event_selector$
| rename app_name AS APP_NAME
| dedup $events_app_unique$
| stats count by APP_NAME
| sort count desc

When the checkbox is selected, I want $excludeX$ to become id!=XYZ. When it is not selected, I want it to be empty.

The second one:

I want this search:

index="onelogin" sourcetype="onelogin:event" eventtype="onelogin_event_login_to_onelogin_success"
| dedup id
| timechart count AS Successful_Logins

to become:

index="onelogin" sourcetype="onelogin:event" eventtype="onelogin_event_login_to_onelogin_success"
| dedup id
| timechart distinct_count(user_id) AS Successful_Logins

0 Karma

Re: How do I add a check box to change my search?

Legend

@salpaysog do you have a single checkbox based on which you want two searches to change? Or do you have two separate check boxes one for each Search and based on checked or unchecked do you want to change corresponding search?

Mockup screenshot of what you have and what you want would help us assist you better. Also if possible please add simple XML code. While posting code make sure you use the code button i.e. 101010 or keyboard shortcut Ctrl+G to ensure that special characters do not escape.




| eval message="Happy Splunking!!!"


0 Karma

Re: How do I add a check box to change my search?

Explorer

Sorry it wasn't clear. I have two different checkboxes for each query and I want to change corresponding search based on checked or unchecked boxes.

0 Karma

Re: How do I add a check box to change my search?

Legend

@salpaysog Try the following run-anywhere example to test how the search query is formed based on whether the checkbox is checked or unchecked. You can code the checkbox input's <change> event handler to set the required tokens.

<form>
  <label>Checkbox to set query</label>
  <fieldset submitButton="false"></fieldset>
  <init>
    <set token="tokSearchFilter"> </set>
    <set token="tokStatsFunction">count</set>
  </init>
  <row>
    <panel>
      <input type="checkbox" token="tokFirstCheckBox">
        <label></label>
        <choice value="set">Set !=XYZ Filter</choice>
        <delimiter> </delimiter>
        <change>
          <condition value="set">
            <set token="tokSearchFilter">id!=XYZ</set>
          </condition>
          <condition>
            <set token="tokSearchFilter"> </set>          
          </condition>
        </change>        
      </input>
      <html>
        <div>Search Query:</div>
        <div>
          <pre>index = onelogin sourcetype = onelogin:event app_name != null 
$tokSearchFilter$
$events_app_event_selector$ 
| rename app_name AS APP_NAME
| dedup $events_app_unique$
| stats count by APP_NAME
| sort count desc</pre>
        </div>
      </html>
    </panel>
    <panel>
      <input type="checkbox" token="tokSecondCheckBox">
        <label></label>
        <choice value="set">Set Distinct UserID</choice>
        <delimiter> </delimiter>
        <change>
          <condition value="set">
            <set token="tokStatsFunction">dc(user_id)</set>
          </condition>
          <condition>
            <set token="tokStatsFunction">count</set>          
          </condition>
        </change>
      </input>
      <html>
        <div>Search Query:</div>
        <div>
          <pre>index="onelogin" sourcetype="onelogin:event" eventtype="onelogin_event_login_to_onelogin_success" 
| dedup id 
| timechart $tokStatsFunction$ AS Successful_Logins</pre>
        </div>
      </html>
    </panel>
  </row>
</form>

PS: <init> section has been used to initialize the tokens to be applied to search when dashboard loads.




| eval message="Happy Splunking!!!"


View solution in original post
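
The accepted answer's tokens wired into real `<search>` elements instead of `<pre>` previews, as an added example that is not part of the original thread. It leaves out the asker's `$events_app_event_selector$` and `$events_app_unique$` tokens (the inputs that set them are not shown in the thread), and the 24-hour time range and input labels are assumptions.

```xml
<form>
  <label>Checkbox tokens in live searches</label>
  <init>
    <set token="tokSearchFilter"> </set>
    <set token="tokStatsFunction">count</set>
  </init>
  <fieldset submitButton="false">
    <input type="checkbox" token="tokFirstCheckBox">
      <label>Applications</label>
      <choice value="set">Set !=XYZ Filter</choice>
      <change>
        <condition value="set"><set token="tokSearchFilter">id!=XYZ</set></condition>
        <condition><set token="tokSearchFilter"> </set></condition>
      </change>
    </input>
    <input type="checkbox" token="tokSecondCheckBox">
      <label>Logins</label>
      <choice value="set">Set Distinct UserID</choice>
      <change>
        <condition value="set"><set token="tokStatsFunction">dc(user_id)</set></condition>
        <condition><set token="tokStatsFunction">count</set></condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- $tokSearchFilter$ expands to "id!=XYZ" or to a single space -->
          <query>index="onelogin" sourcetype="onelogin:event" app_name!=null $tokSearchFilter$
| rename app_name AS APP_NAME | stats count by APP_NAME | sort count desc</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
    <panel>
      <chart>
        <search>
          <!-- $tokStatsFunction$ expands to "count" or "dc(user_id)" -->
          <query>index="onelogin" sourcetype="onelogin:event" eventtype="onelogin_event_login_to_onelogin_success"
| dedup id | timechart $tokStatsFunction$ AS Successful_Logins</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

Because both tokens are only ever set from fixed strings in the `<change>` handlers, the checkboxes cannot inject arbitrary SPL into either search.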


Re: How do I add a check box to change my search?

Explorer

That's it, thank you! I saw some XML with the and tags but I was having trouble figuring out their use.


Re: How do I add a check box to change my search?

Legend

Glad you got it to work 🙂




| eval message="Happy Splunking!!!"


0 Karma