Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

In a dashboard, how do you show a panel and run a search after text input?

_smp_
Builder
‎02-19-2019 09:28 AM

I am trying to design a dashboard with two text inputs. When the page initially loads, I only want to display the inputs. After the user submits data into either input, I would like the dashboard to do two things:
1) Execute a search in a hidden panel that adds events to an index
2) Displays an additional panel that shows all the events in the index, including the new ones.

I have successfully configured the dashboard to hide the panel and run the search when data is input, but I cannot seem to figure out a way with change/condition to hide the second panel until after the search in the hidden panel is run. I can't figure out how to hide it, and when it is displayed, it always executes when the page is initially loaded.

Beyond this, the input does not seem to work when data is inputted a second time. I add some data and hit enter, but nothing happens.

I'm pretty embarrassed to post this as I am having a very difficult time getting a handle on Simple XML, but here's where I'm currently at. I've tried a bunch of various things.

<form script="showtokens.js">
  <label>Threat Feed Inputs</label>
  <description>Enter a COMMA-DELIMITED list of IP addresses or URLs.</description>
  <fieldset submitButton="false" autoRun="false">
    <input type="text" token="iplist" searchWhenChanged="true">
      <label>IP List</label>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <change>
        <condition>
          <set token="submit">true</set>
        </condition>
      </change>
    </input>
    <input type="text" token="urllist" searchWhenChanged="true">
      <label>URL List</label>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <change>
        <condition>
          <set token="submit">true</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row rejects="$submit$">
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval iplist=$iplist$, type="ip"
| makemv iplist
| mvexpand iplist
| makemv delim="," iplist
| eval iplist=mvdedup(iplist)
| mvexpand iplist
| eval threatfeed_ip=iplist
| fields - iplist
| addinfo
| collect index="threatfeed"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval urllist=$urllist$, type="url"
| makemv urllist
| mvexpand urllist
| makemv delim="," urllist
| eval urllist=mvdedup(urllist)
| mvexpand urllist
| eval threatfeed_url=urllist
| fields - urllist
| addinfo 
| collect index=threatfeed</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row depends="$submit$">
    <panel>
      <table>
        <search>
          <query>index=threatfeed | table _time, threatfeed_*</query>
          <earliest>0</earliest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vnravikumar
Champion
‎02-21-2019 05:05 AM

Hi @scottprigge

Try this and let me know.

<form script="showtokens.js">
  <label>Threat Feed Inputs</label>
  <description>Enter a COMMA-DELIMITED list of IP addresses or URLs.</description>
  <fieldset submitButton="false" autoRun="false">
    <input type="text" token="iplist" searchWhenChanged="true">
      <label>IP List</label>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <change>
        <condition>
          <set token="submit">true</set>
         <unset token="show_panel"></unset>
        </condition>

      </change>
    </input>
    <input type="text" token="urllist" searchWhenChanged="true">
      <label>URL List</label>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <change>
        <condition>
          <set token="submit">true</set>
          <unset token="show_panel"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row rejects="$submit$">
    <panel>
      <table>
        <search>
          <query>| makeresults
 | eval iplist=$iplist$, type="ip"
 | makemv iplist
 | mvexpand iplist
 | makemv delim="," iplist
 | eval iplist=mvdedup(iplist)
 | mvexpand iplist
 | eval threatfeed_ip=iplist
 | fields - iplist
 | addinfo
 | collect index="threatfeed"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition>
              <set token="show_panel">true</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>| makeresults
 | eval urllist=$urllist$, type="url"
 | makemv urllist
 | mvexpand urllist
 | makemv delim="," urllist
 | eval urllist=mvdedup(urllist)
 | mvexpand urllist
 | eval threatfeed_url=urllist
 | fields - urllist
 | addinfo 
 | collect index=threatfeed</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition>
              <set token="show_panel">true</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row depends="$show_panel$">
    <panel>
      <table>
        <search>
          <query>index=threatfeed |fields $show_panel$,  _time, threatfeed_* | table _time, threatfeed_*</query>
          <earliest>0</earliest>

        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

View solution in original post

Reply
Solved! Jump to solution
Solution

vnravikumar
Champion
‎02-21-2019 05:05 AM

Hi @scottprigge

Try this and let me know.

<form script="showtokens.js">
  <label>Threat Feed Inputs</label>
  <description>Enter a COMMA-DELIMITED list of IP addresses or URLs.</description>
  <fieldset submitButton="false" autoRun="false">
    <input type="text" token="iplist" searchWhenChanged="true">
      <label>IP List</label>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <change>
        <condition>
          <set token="submit">true</set>
         <unset token="show_panel"></unset>
        </condition>

      </change>
    </input>
    <input type="text" token="urllist" searchWhenChanged="true">
      <label>URL List</label>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <change>
        <condition>
          <set token="submit">true</set>
          <unset token="show_panel"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row rejects="$submit$">
    <panel>
      <table>
        <search>
          <query>| makeresults
 | eval iplist=$iplist$, type="ip"
 | makemv iplist
 | mvexpand iplist
 | makemv delim="," iplist
 | eval iplist=mvdedup(iplist)
 | mvexpand iplist
 | eval threatfeed_ip=iplist
 | fields - iplist
 | addinfo
 | collect index="threatfeed"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition>
              <set token="show_panel">true</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>| makeresults
 | eval urllist=$urllist$, type="url"
 | makemv urllist
 | mvexpand urllist
 | makemv delim="," urllist
 | eval urllist=mvdedup(urllist)
 | mvexpand urllist
 | eval threatfeed_url=urllist
 | fields - urllist
 | addinfo 
 | collect index=threatfeed</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition>
              <set token="show_panel">true</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row depends="$show_panel$">
    <panel>
      <table>
        <search>
          <query>index=threatfeed |fields $show_panel$,  _time, threatfeed_* | table _time, threatfeed_*</query>
          <earliest>0</earliest>

        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
Reply
Solved! Jump to solution

_smp_
Builder
‎02-26-2019 07:20 AM

Thank you for the response. This is clever! I wanted the dashboard to always display the bottom panel - when the dashboard is first loaded, or any time a new entry is added to one of the inputs. I just had to change the element to and it did exactly what I wanted it to do.

Thanks!!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...