Solved: Re: How do you add additional sub search by check ...

appleman · ‎05-10-2015

Hello,

I want to add sub search by just checking a check box on dashboard.
How do you do that?

Here is my main search below.
source=applications id=M1 (id=M1* OR id=M2* OR id=M3*) host!=test widget_flg=1 | stats count by name

And I want to add the sub search on main search like this.
source=applications id=M1 (id=M1* OR id=M2* OR id=M3*) host!=test widget_flg=1 [search earliest=-24h@h latest=now source=corporation (id=M1 OR id=M2* OR id=M3*) host!=test number!=1234 name!=test (contract_status=0 OR contract_status_a=0 OR contract_status_p=0) | dedup id | table id] | stats count by name

I added the source on simple XML, but it didn't work.

<form>
<label>App</label>
<description/>
<fieldset submitButton="false">
<input type="radio" token="dm" searchWhenChanged="true">
<label>host</label>
<choice value="id=M4*">include</choice>
<choice value="id!=M4*">exclude</choice>
<default>id=M4*</default>
</input>
<input type="checkbox" token="contract" searchWhenChanged="true">
<label>Contract Status</label>
<populatingSearch fieldForLabel="contracted" fieldForValue="id">[search earliest=-24h@h latest=now source=corporation (id=M1 OR id=M2* OR id=M3*) host!=test number!=1234 name!=test (contract_status=0 OR contract_status_a=0 OR contract_status_p=0) | dedup id | table id]</populatingSearch>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Install List</title>
<searchString>source=applications id=M1 $dm$ $contract$ (id=M1* OR id=M2* OR id=M3*) host!=test widget_flg=1 | stats count by name</searchString>
<earliestTime>-7d@h</earliestTime>
<latestTime>now</latestTime>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>
</row>
</form

Thank you.

jeffland · ‎05-11-2015

You could simply place your two searches in a string each and use javascript to set the search manager to the right one depending on whether the box is selected or deselected. Have a look here to see the options available to listen to check box changes and change search manager settings, and here for an example.

View solution in original post

rbreton · ‎07-27-2017

I wonder if something like this would be easier. It is all created using just the Dashboard creation UI.

<form>
  <label>sub search by check box on dashboard</label>
  <fieldset submitButton="false">
    <input type="radio" token="tok_subsearch" searchWhenChanged="true">
      <label>subsearch</label>
      <choice value="[ search index=wineventlog host=ndca* | table host ]">Enabled</choice>
      <choice value="">Disabled</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=wineventlog $tok_subsearch$

| table host</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

jeffland · ‎05-11-2015

You could simply place your two searches in a string each and use javascript to set the search manager to the right one depending on whether the box is selected or deselected. Have a look here to see the options available to listen to check box changes and change search manager settings, and here for an example.

How do you add additional sub search by check box on dashboard?

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All