How to set up a form on a dashboard to take multiple inputs with a semi-colon as the delimiter to run searches?

New Member

Hi all,

I'm quite new to Splunk and I'm working to adapt a dashboard.
Right now it takes a time and an IP (text box) as input.
I need to modify it to take multiple inputs with ; as the delimiter,
formatted like this:

ip, timestart, timefinish
ip, timestart, timefinish
...

I tried with multiselect and wrapping the query in () to expand, but it doesn't seem to be a good option.

Any help or suggestion or pre-built xml?

thanks,
Fabio

0 Karma

Re: How to set up a form on a dashboard to take multiple inputs with a semi-colon as the delimiter to run searches?

Legend

Can you share more details? SimpleXML or Advanced XML? What does your search look like, and how are these parameters being passed? Does the search return data if you were to add the params manually in the format as from the multiselect box? Easiest would be to copy relevant parts of your dashboard code. Then someone will be able to assist.

0 Karma

Re: How to set up a form on a dashboard to take multiple inputs with a semi-colon as the delimiter to run searches?

New Member

Sure, here is an example of what I have (source). The idea is to adapt it as described for the input above (thanks!).

<form>
  <label>IP Activity Clone</label>
  <description>Displays activity on an IP address</description>
  <fieldset>
    <!-- Free-text token substituted directly into the search string -->
    <input type="text" token="field1">
      <label>IP Address</label>
      <default>*</default>
    </input>
    <input type="time" token="field2">
      <label></label>
      <default>
        <earliestTime>0</earliestTime>
        <latestTime></latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>IP Activity Summary By Source</title>
        <searchString>index=* $field1$ NOT sourcetype=stash | stats count as total by sourcetype</searchString>
        <earliestTime>$field2.earliest$</earliestTime>
        <latestTime>$field2.latest$</latestTime>
      </chart>
    </panel>
  </row>
  <!-- the rest of the dashboard was not included in the post -->
</form>
0 Karma

Re: How to set up a form on a dashboard to take multiple inputs with a semi-colon as the delimiter to run searches?

SplunkTrust

What should your $field1$ look like, ip1;ip2;ip3?

0 Karma

Re: How to set up a form on a dashboard to take multiple inputs with a semi-colon as the delimiter to run searches?

New Member

Right now it is a single IP for all the queries of the dashboard,

but it has to be like:
10.0.0.1;11-19-2015;03:06:03;11-19-2015;07:50:38

(with multiple lines like this)

0 Karma

Re: How to set up a form on a dashboard to take multiple inputs with a semi-colon as the delimiter to run searches?

SplunkTrust

Still didn't get your requirement. You want a token value as ip;starttime;endtime or you want to combine two different tokens say field1;field2 or you want to display the fields concatenated with ; and display as a table column?

0 Karma

Re: How to set up a form on a dashboard to take multiple inputs with a semi-colon as the delimiter to run searches?

New Member

Sorry Renjith, my fault on the explanation:
I want to pass a single token with multiple pieces of information in it, and I need to split it to use it in the query as multiple tokens.

So if I imagine passing something like
10.0.0.1;11-19-2015;03:06:03;11-19-2015;07:50:38
10.0.0.2;11-20-2015;03:06:03;11-20-2015;07:50:38
..
I need to split it to use it in a query in this way:
$ip$ $time1$ $time2$

and iterate over it for as many lines as I have.

0 Karma
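
The splitting asked for above, as an added example that is not from any poster in this thread: it parses the pasted `ip;date;time;date;time` lines, validates every field, and builds one OR-joined filter that could be placed where `$field1$` sits in the original search. Assumptions: dates are month-day-year in UTC, the function names are hypothetical, and per-clause `earliest=`/`latest=` epoch modifiers are used to carry each line's time window.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample input in the format from the post:
# ip;start-date;start-time;end-date;end-time, one entry per line.
SAMPLE = """10.0.0.1;11-19-2015;03:06:03;11-19-2015;07:50:38
10.0.0.2;11-20-2015;03:06:03;11-20-2015;07:50:38"""

TIME_FORMAT = "%m-%d-%Y %H:%M:%S"  # assumption: month-day-year, UTC


def to_epoch(date_part, time_part):
    """Parse one date/time pair strictly and return epoch seconds (UTC)."""
    parsed = datetime.strptime(f"{date_part} {time_part}", TIME_FORMAT)
    return int(parsed.replace(tzinfo=timezone.utc).timestamp())


def parse_line(line):
    """Split one entry into (ip, earliest, latest); ValueError if malformed."""
    parts = [p.strip() for p in line.split(";")]
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}: {line!r}")
    # ipaddress accepts only a literal address, so quotes, pipes or
    # brackets typed into the form can never reach the search string.
    ip = str(ipaddress.ip_address(parts[0]))
    earliest = to_epoch(parts[1], parts[2])
    latest = to_epoch(parts[3], parts[4])
    if latest < earliest:
        raise ValueError(f"end before start: {line!r}")
    return ip, earliest, latest


def build_filter(text):
    """Turn the pasted block into one OR-joined search filter."""
    clauses = []
    for line in text.splitlines():
        if not line.strip():
            continue  # ignore blank lines
        ip, earliest, latest = parse_line(line)
        clauses.append(f'("{ip}" earliest={earliest} latest={latest})')
    if not clauses:
        raise ValueError("no entries supplied")
    return " OR ".join(clauses)


if __name__ == "__main__":
    print("index=* (" + build_filter(SAMPLE) + ") NOT sourcetype=stash")
```

Because only a validated address and two integers are emitted per line, the free-text box cannot be used to append extra search terms or commands to the dashboard query.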

Re: How to set up a form on a dashboard to take multiple inputs with a semi-colon as the delimiter to run searches?

SplunkTrust

Instead of concatenating tokens and then splitting them again, try the below. sourcetype should be replaced by your IPs, and the search should be adjusted to your requirement.

<form>
  <label>NIGIFABIO</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="sourcetype" searchWhenChanged="true">
      <label>Sourcetype</label>
      <search>
        <query>index=* |stats count by sourcetype</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>ip=</valuePrefix>
    </input>
    <input type="time" token="time">
      <label></label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Source Type is $sourcetype$</title>
        <search>
          <query>index=* |stats count by sourcetype</query>
          <!-- inside <search>, the time bounds are <earliest>/<latest> -->
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
      </table>
    </panel>
  </row>
</form>

Re: How to set up a form on a dashboard to take multiple inputs with a semi-colon as the delimiter to run searches?

New Member

Hello,
I tried your input method, but when I try to put an IP or a list of IPs inside the box, it results in
"no matches found" in a popup in the box. Maybe the variable ip is saved as text?

0 Karma

Re: How to set up a form on a dashboard to take multiple inputs with a semi-colon as the delimiter to run searches?

SplunkTrust

It's a multiselect box, so you can select only those values which are populated in the box. So either populate the box with your IPs by a dynamic search, by replacing index=* |stats count by sourcetype, or add static values.

http://docs.splunk.com/Documentation/Splunk/6.1/Viz/FormEditor#Specify_choices_with_static_options

0 Karma