How to set up a form on a dashboard to take multiple inputs with a semi-colon as the delimiter to run searches?

NIGIFABIO
New Member

Hi all,

I'm quite new to Splunk and I'm working to adapt a dashboard.
Right now it takes a time and an IP (text box) as input.
I need to modify it to take multiple inputs with ; as the delimiter,
formatted like this:

ip, timestart, timefinish
ip, timestart. timefinish
...

I tried with multiselect and wrapping the query in () to expand, but it doesn't seem to be a good option.

Any help or suggestion or pre-built xml?

thanks,
Fabio

0 Karma

renjith_nair
Legend

Instead of concatenating tokens and then splitting them again, try the below. sourcetype should be replaced by your IPs, and the search should be adjusted to your requirement.

<form>
  <label>NIGIFABIO</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="sourcetype" searchWhenChanged="true">
      <label>Sourcetype</label>
      <search>
        <query>index=* |stats count by sourcetype</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>ip=</valuePrefix>
    </input>
    <input type="time" token="time">
      <label></label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Source Type is $sourcetype$</title>
        <search>
          <query>index=* |stats count by sourcetype</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
      </table>
    </panel>
  </row>
</form>
---
What goes around comes around. If it helps, hit it with Karma 🙂

NIGIFABIO
New Member

Hello,
I tried your input method, but when I try to put an IP or a list of IPs inside the box, it results in
"no matches found" in a popup in the box. Maybe the variable ip is saved as text?

0 Karma

renjith_nair
Legend

It's a multiselect box, so you can select only those values which are populated in the box. So either populate the box with your IPs by a dynamic search, replacing index=* |stats count by sourcetype, or add static values.

http://docs.splunk.com/Documentation/Splunk/6.1/Viz/FormEditor#Specify_choices_with_static_options

0 Karma

sundareshr
Legend

Can you share more details? SimpleXML or AdvancedXML? What does your search look like, and how are these parameters being passed? Does the search return data if you were to add the params manually in the format as from the multiselect box? Easiest would be to copy the relevant parts of your dashboard code. Then someone will be able to assist.

0 Karma

NIGIFABIO
New Member

Sure, here is an example of what I have (source). The idea is to adapt it as described for the input above (thanks!).

IP Activity Clone
Displays activity on an IP address

<input type="text" token="field1">
  <label>IP Address</label>
  <default>*</default>
</input>
<input type="time" token="field2">
  <label></label>
  <default>
    <earliestTime>0</earliestTime>
    <latestTime></latestTime>
  </default>
</input>


<panel>
  <chart>
    <title>IP Activity Summary By Source</title>
    <searchString>index=* $field1$ NOT sourcetype=stash | stats count as total by sourcetype</searchString>
    <earliestTime>$field2.earliest$</earliestTime>
    <latestTime>$field2.latest$</latestTime>
0 Karma

renjith_nair
Legend

What should your $field1$ look like? ip1;ip2;ip3?

0 Karma

NIGIFABIO
New Member

Right now it is a single IP for all the queries of the dashboard,

but it has to be like:
10.0.0.1;11-19-2015;03:06:03;11-19-2015;07:50:38

(with multiple lines like this)

0 Karma

renjith_nair
Legend

Still didn't get your requirement. You want a token value as ip;starttime;endtime or you want to combine two different tokens say field1;field2 or you want to display the fields concatenated with ; and display as a table column?

0 Karma

NIGIFABIO
New Member

Sorry Renjith, my fault in the explanation:
I want to pass a single token with multiple pieces of information in it, and I need to split it to use it in the query as multiple tokens.

So if I imagine passing something like
10.0.0.1;11-19-2015;03:06:03;11-19-2015;07:50:38
10.0.0.2;11-20-2015;03:06:03;11-20-2015;07:50:38
..
I need to split it to use it in a query in this way:
$ip$ $time1$ $time2$

and iterate on it for as many lines as I have.

0 Karma
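
An added example, not part of the thread and not posted by any participant: one way to split the multi-line `ip;date;time;date;time` input from the last post outside the dashboard and turn it into a single search filter, validating each field strictly so that free text typed into the box never reaches the search string. It assumes the IP is matched as a bare term, as in the poster's `index=* $field1$` search, and that the per-clause `earliest=`/`latest=` time modifiers in Splunk's default `%m/%d/%Y:%H:%M:%S` format suit the dashboard; the function names are hypothetical.

```python
import ipaddress
from datetime import datetime

IN_FMT = "%m-%d-%Y %H:%M:%S"   # date/time layout used in the thread's sample lines
SPL_FMT = "%m/%d/%Y:%H:%M:%S"  # default format of Splunk's earliest=/latest= modifiers


def parse_line(line):
    """Return (ip, start, end) for one 'ip;date;time;date;time' line or raise ValueError."""
    parts = [p.strip() for p in line.split(";")]
    if len(parts) != 5:
        raise ValueError(f"expected 5 ';'-separated fields: {line!r}")
    ip = ipaddress.ip_address(parts[0])  # rejects anything that is not an IP literal
    start = datetime.strptime(f"{parts[1]} {parts[2]}", IN_FMT)
    end = datetime.strptime(f"{parts[3]} {parts[4]}", IN_FMT)
    if end <= start:
        raise ValueError(f"end is not after start: {line!r}")
    return str(ip), start, end


def build_filter(text):
    """Turn the whole text-box content into one OR-ed clause, one window per line."""
    clauses = []
    for line in text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines between entries
        ip, start, end = parse_line(line)
        clauses.append(
            f'("{ip}" earliest="{start.strftime(SPL_FMT)}" '
            f'latest="{end.strftime(SPL_FMT)}")'
        )
    if not clauses:
        raise ValueError("no input lines")
    return "(" + " OR ".join(clauses) + ")"


# Constructed sample input: the two lines quoted in the thread.
SAMPLE = """10.0.0.1;11-19-2015;03:06:03;11-19-2015;07:50:38
10.0.0.2;11-20-2015;03:06:03;11-20-2015;07:50:38"""

if __name__ == "__main__":
    print("index=* " + build_filter(SAMPLE)
          + " NOT sourcetype=stash | stats count as total by sourcetype")
```
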