Dashboards & Visualizations

How to set up a form on a dashboard to take multiple inputs with a semi-colon as the delimiter to run searches?

NIGIFABIO
New Member

hi all,

I'm quite new to Splunk and I'm working to adapt a dashboard.
Now it takes a time and an IP (text box) as input.
I need to modify it to take multiple inputs with ; as the delimiter,
formatted like this:

ip, timestart, timefinish
ip, timestart, timefinish
...

I tried with multiselect and wrapping the query in () to expand, but it doesn't seem to be a good option.

Any help or suggestion or pre-built xml?

thanks,
Fabio

0 Karma

renjith_nair
SplunkTrust

Instead of concatenating tokens and then splitting them again, try the form below. sourcetype should be replaced by your IPs and the search should be adjusted to your requirement.

<form>
  <label>NIGIFABIO</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="sourcetype" searchWhenChanged="true">
      <label>Sourcetype</label>
      <search>
        <query>index=* |stats count by sourcetype</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <!-- selected values a, b expand to (ip=a OR ip=b) -->
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>ip=</valuePrefix>
    </input>
    <input type="time" token="time">
      <label></label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Source Type is $sourcetype$</title>
        <search>
          <!-- the expanded multiselect token is used as the filter -->
          <query>index=* $sourcetype$ | stats count by sourcetype</query>
          <earliestTime>$time.earliest$</earliestTime>
          <latestTime>$time.latest$</latestTime>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">row</option>
      </table>
    </panel>
  </row>
</form>
Happy Splunking!

NIGIFABIO
New Member

hello,
I tried your input method, but when I try to put an IP or a list of IPs inside the box it results in
"no matches found" in a popup in the box. Maybe the variable ip is saved as text?

0 Karma

renjith_nair
SplunkTrust

It's a multiselect box, so you can select only those values which are populated in the box. So either populate the box with your IPs by a dynamic search, replacing index=* |stats count by sourcetype, or add static values:

http://docs.splunk.com/Documentation/Splunk/6.1/Viz/FormEditor#Specify_choices_with_static_options

Happy Splunking!
0 Karma

sundareshr
Legend

Can you share more details? SimpleXML or Advanced XML? What does your search look like, and how are these parameters being passed? Does the search return data if you add the params manually in the format that comes from the multiselect box? The easiest would be to copy the relevant parts of your dashboard code. Then someone will be able to assist.

0 Karma

NIGIFABIO
New Member

Sure, here is an example of what I have (source). The idea is to adapt it as described for the input above (thanks!).

IP Activity Clone
Displays activity on an IP address

<input type="text" token="field1">
  <label>IP Address</label>
  <default>*</default>
</input>
<input type="time" token="field2">
  <label></label>
  <default>
    <earliestTime>0</earliestTime>
    <latestTime></latestTime>
  </default>
</input>


<panel>
  <chart>
    <title>IP Activity Summary By Source</title>
    <searchString>index=* $field1$ NOT sourcetype=stash | stats count as total by sourcetype</searchString>
    <earliestTime>$field2.earliest$</earliestTime>
    <latestTime>$field2.latest$</latestTime>
  </chart>
</panel>
0 Karma

renjith_nair
SplunkTrust

What should your $field1$ look like? ip1;ip2;ip3?

Happy Splunking!
0 Karma

NIGIFABIO
New Member

Right now it is a single IP for all the queries of the dashboard,

but it has to be like:
10.0.0.1;11-19-2015;03:06:03;11-19-2015;07:50:38

(with multiple lines like this)

0 Karma

renjith_nair
SplunkTrust

Still didn't get your requirement. Do you want a token value like ip;starttime;endtime, or do you want to combine two different tokens, say field1;field2, or do you want to display the fields concatenated with ; as a table column?

Happy Splunking!
0 Karma

NIGIFABIO
New Member

Sorry Renjith, my fault on the explanation:
I want to pass a single token with multiple pieces of information in it, and I need to split it to use it in the query as multiple tokens.

So if I imagine passing something like
10.0.0.1;11-19-2015;03:06:03;11-19-2015;07:50:38
10.0.0.2;11-20-2015;03:06:03;11-20-2015;07:50:38
..
I need to split it to use it in a query in this way:
$ip$ $time1$ $time2$

and iterate over it for as many lines as I have.

0 Karma
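As an added example (not code from the thread or from Splunk), this SimpleXML form takes the entries from the last post in one text box, separated by commas instead of newlines, and lets a subsearch split each entry into ip, earliest and latest so the main search runs once over all of them. It assumes a Splunk version with makeresults (6.3 or later), that the events carry an ip field, and that the dates are in the search user's time zone; the |s token filter is what keeps free text from being appended to the search as extra SPL, which a bare $field1$ would allow.

```xml
<form>
  <!-- Added example, not from the thread. One text box holds several
       ip;startdate;starttime;enddate;endtime entries separated by commas,
       e.g. 10.0.0.1;11-19-2015;03:06:03;11-19-2015;07:50:38,10.0.0.2;... -->
  <label>IP Activity (multiple IPs and time windows)</label>
  <fieldset submitButton="true">
    <input type="text" token="iplist">
      <label>ip;startdate;starttime;enddate;endtime, comma separated</label>
      <default>10.0.0.1;11-19-2015;03:06:03;11-19-2015;07:50:38</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>IP Activity Summary By Source</title>
        <search>
          <!-- $iplist|s$ wraps the typed text in quotes and escapes quotes
               inside it, so the box can only supply a string literal to eval
               and cannot append extra SPL the way a bare $field1$ would.
               The subsearch splits each entry and hands the main search
               ((ip=... AND earliest=... AND latest=...) OR ...). Assumes the
               events carry an ip field; name the field "search" instead of
               ip if the address should be matched as a raw term. Entries
               that do not parse are dropped by the where clauses. -->
          <query><![CDATA[
index=* NOT sourcetype=stash
    [| makeresults
     | eval raw=$iplist|s$
     | makemv delim="," raw
     | mvexpand raw
     | rex field=raw "^\s*(?<ip>[^;\s]+);(?<d1>[^;]+);(?<t1>[^;]+);(?<d2>[^;]+);(?<t2>[^;\s]+)"
     | where isnotnull(ip)
     | eval earliest=floor(strptime(d1." ".t1, "%m-%d-%Y %H:%M:%S")),
            latest=floor(strptime(d2." ".t2, "%m-%d-%Y %H:%M:%S"))
     | where isnotnull(earliest) AND isnotnull(latest)
     | table ip earliest latest]
| stats count AS total BY sourcetype
          ]]></query>
          <earliest>0</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

The outer earliest/latest of 0 and now only set the widest window; the per-entry earliest and latest returned by the subsearch are what restrict each IP to its own time range.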