Dashboards & Visualizations

How to use user input token in Checkbox value in Splunk Dashboard?

surajp
New Member

I am on Splunk 8.1 trying to create a dynamic dashboard. I am trying to create a multisearch query, the searches for which will be based on the checkboxes that the user clicks.

 

<input type="time" token="field1">
    <label>Time</label>
    <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
    </default>
</input>
<input type="text" token="userinput1">
    <label>User Input 1</label>
</input>
<input type="text" token="userinput2">
    <label>User Input 2</label>
</input>
<input type="checkbox" token="indexesSelected" searchWhenChanged="true">
    <label>Indexes</label>
    <choice value="[search index=index1 $userinput1$ $userinput2$]">Index 1</choice>
    <choice value="[search index=index2 $userinput1$ $userinput2$]">Index 2</choice>
    <default></default>
    <initialValue></initialValue>
    <delimiter> </delimiter>
    <prefix>| multisearch [eval test1="test1"] [eval test2="test2"] </prefix>
</input>

 

The search part looks like this:

 

<search>
    <query>$indexesSelected$ 
        | table _time, index, field1, field2, field3, field4 
        | sort Time
    </query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
</search>

 

 

This works as expected except that the final query looks like this:

| multisearch [eval test1="test1"] [eval test2="test2"]
[search index=index1 $userinput1$ $userinput2$]
[search index=index2 $userinput1$ $userinput2$]

How can I make these $userinput1$ and $userinput2$ be converted to their token value from the user inputs in the dashboard and not as literal strings.

I have tried to use <change> tags to use eval and set based on the <condition> that the user selects, but eval does not allow token value and replaces with literal strings only. Something like this:

 

<change>
    <condition match="like($indexesSelected$,&quot;%index1%&quot;)">
        <eval token="finalQuery">replace($indexesSelected$,"index1", "[search index=index1 $userinput1$ $userinput2$]")</eval>
    </condition>
    <condition match="like($indexesSelected$,&quot;%index2%&quot;)">
        <eval token="finalQuery">replace($indexesSelected$,"index2", "[search index=index2 $userinput1$ $userinput2$]")</eval>
    </condition>
</change>

 

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...