How to add logical AND or logical OR in a Splunk dashboard
How do I add a radio button or a checkbox for the user's selection of Index and Sourcetype, to choose between a logical AND or a logical OR between the Index and the Sourcetype? This will allow viewing, in one selection, the searches that users could have performed either by the index or by the sourcetype.

Create a dropdown or radio buttons to select either "index" or "sourcetype" and use that token in your search:
$type_of_search$=$value_of_search$
Could you please give me an example, because I need to use this in an ad-hoc search and a saved search.

Tokens are used in dashboards - how does this relate to ad-hoc or saved searches? Are these part of your dashboard?
Yes, it's part of my dashboard. For example, if I select a checkbox or radio button (logical AND or logical OR), it will show the result accordingly in the panel, whether it is a simple search or any other panel.
Could you please give me an example search to define the token?

Please share the source of your dashboard in a code block for ease of understanding.
<form theme="light">
  <label>Logical Test</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="checkbox" token="command" searchWhenChanged="false">
      <label>Logically OR'ed Search Command</label>
      <default>*</default>
      <initialValue>*</initialValue>
      <choice value="*">Index</choice>
      <choice value="**">SourceType</choice>
      <choice value="***">Index OR Sourcetype</choice>
    </input>
    <input type="time" token="field1">
      <label>Time</label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Search</title>
      <table>
        <search>
          <progress>
            <set token="adhoc"></set>
          </progress>
          <query>index=_audit sourcetype=audittrail info!=granted
            | rex field=_raw "search=\'(?<search>.*)\',"
            | rex field=search max_match=0 "[\w^]*index=\s*\"*(?<idx>[^\s\"]+)"
            | rex field=search max_match=0 "sourcetype=[\"]?(?<st>[\S]+)"
            | table search user idx st</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">5</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">none</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="number" field="time_ago(seconds)">
          <option name="precision">0</option>
        </format>
        <format type="number" field="seconds_ago">
          <option name="precision">0</option>
        </format>
        <format type="number" field="exec_time">
          <option name="precision">0</option>
        </format>
        <format type="number" field="search_lt">
          <option name="precision">0</option>
        </format>
        <format type="number" field="search_et">
          <option name="precision">0</option>
          <option name="useThousandSeparators">false</option>
        </format>
      </table>
    </panel>
  </row>
</form>

Try something like this:
    <input type="checkbox" token="command" searchWhenChanged="false">
      <label>Logically OR'ed Search Command</label>
      <default>index=_audit</default>
      <initialValue>index=_audit</initialValue>
      <choice value="index=_audit">Index</choice>
      <choice value="sourcetype=audittrail">SourceType</choice>
      <choice value="index=_audit OR sourcetype=audittrail">Index OR Sourcetype</choice>
    </input>
    <input type="time" token="field1">
      <label>Time</label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Search</title>
      <table>
        <search>
          <progress>
            <set token="adhoc"></set>
          </progress>
          <query>$command$ info!=granted
I am looking for a custom index in Splunk, not the audit index used in the choice.
I have extracted idx and st using rex in the 3rd line of my query, so I need to select either index=aws or sourcetype=aws;cloud in the checkbox.
<form theme="light">
  <label>Logical Test</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="multiselect" token="index">
      <label>Index</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>index_name</fieldForLabel>
      <fieldForValue>index_name</fieldForValue>
      <search>
        <query>| REST /services/data/indexes |dedup title | rename title as index_name | table "index_name"</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <delimiter>","</delimiter>
      <initialValue>*</initialValue>
    </input>
    <input type="multiselect" token="sourcetype_name">
      <label>Sourcetype</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>sourcetype_name</fieldForLabel>
      <fieldForValue>sourcetype_name</fieldForValue>
      <search>
        <query>| tstats count WHERE index IN ("$index$") by sourcetype | rename sourcetype as sourcetype_name</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
      <delimiter>","</delimiter>
      <initialValue>*</initialValue>
    </input>
    <input type="checkbox" token="field3">
      <label>Logical</label>
      <choice value="index_name=index AND sourcetype_name=sourcetype">Index AND Sourcetype</choice>
      <choice value="index_name=index OR sourcetype_name=sourcetype">Index OR Sourcetype</choice>
      <delimiter> </delimiter>
    </input>
    <input type="time" token="field1">
      <label>Time</label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Search</title>
      <table>
        <search>
          <progress>
            <set token="adhoc"></set>
          </progress>
          <query>index=_audit sourcetype=audittrail info!=granted provenance="UI:Search"
            | rex field=_raw "search=\'(?<search>.*)\',"
            | rex field=search max_match=0 "[\w^]*index=\s*\"*(?<index_name>[^\s\"]+)"
            | rex field=search max_match=0 "sourcetype=[\"]?(?<sourcetype_name>[\S]+)"
            | where isnotnull(search)
            | search $field3$
            | rename info as Completion
            | table _time index_name sourcetype_name search, user
            | rename user as "accessed by"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">5</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">none</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="number" field="time_ago(seconds)">
          <option name="precision">0</option>
        </format>
        <format type="number" field="seconds_ago">
          <option name="precision">0</option>
        </format>
        <format type="number" field="exec_time">
          <option name="precision">0</option>
        </format>
        <format type="number" field="search_lt">
          <option name="precision">0</option>
        </format>
        <format type="number" field="search_et">
          <option name="precision">0</option>
          <option name="useThousandSeparators">false</option>
        </format>
      </table>
    </panel>
  </row>
</form>
