Dashboards & Visualizations

In a dashboard, how do you show a panel and run a search after text input?

_smp_
Builder

I am trying to design a dashboard with two text inputs. When the page initially loads, I only want to display the inputs. After the user submits data into either input, I would like the dashboard to do two things:
1) Execute a search in a hidden panel that adds events to an index
2) Displays an additional panel that shows all the events in the index, including the new ones.

I have successfully configured the dashboard to hide the panel and run the search when data is input, but I cannot seem to figure out a way with change/condition to hide the second panel until after the search in the hidden panel is run. I can't figure out how to hide it, and when it is displayed, it always executes when the page is initially loaded.

Beyond this, the input does not seem to work when data is inputted a second time. I add some data and hit enter, but nothing happens.

I'm pretty embarrassed to post this as I am having a very difficult time getting a handle on Simple XML, but here's where I'm currently at. I've tried a bunch of various things.

<form script="showtokens.js">
  <label>Threat Feed Inputs</label>
  <description>Enter a COMMA-DELIMITED list of IP addresses or URLs.</description>
  <fieldset submitButton="false" autoRun="false">
    <input type="text" token="iplist" searchWhenChanged="true">
      <label>IP List</label>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <change>
        <condition>
          <set token="submit">true</set>
        </condition>
      </change>
    </input>
    <input type="text" token="urllist" searchWhenChanged="true">
      <label>URL List</label>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <change>
        <condition>
          <set token="submit">true</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row rejects="$submit$">
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval iplist=$iplist$, type="ip"
| makemv iplist
| mvexpand iplist
| makemv delim="," iplist
| eval iplist=mvdedup(iplist)
| mvexpand iplist
| eval threatfeed_ip=iplist
| fields - iplist
| addinfo
| collect index="threatfeed"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval urllist=$urllist$, type="url"
| makemv urllist
| mvexpand urllist
| makemv delim="," urllist
| eval urllist=mvdedup(urllist)
| mvexpand urllist
| eval threatfeed_url=urllist
| fields - urllist
| addinfo 
| collect index=threatfeed</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row depends="$submit$">
    <panel>
      <table>
        <search>
          <query>index=threatfeed | table _time, threatfeed_*</query>
          <earliest>0</earliest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
1 Solution

vnravikumar
Champion

Hi @scottprigge

Try this and let me know.

<form script="showtokens.js">
  <label>Threat Feed Inputs</label>
  <description>Enter a COMMA-DELIMITED list of IP addresses or URLs.</description>
  <fieldset submitButton="false" autoRun="false">
    <input type="text" token="iplist" searchWhenChanged="true">
      <label>IP List</label>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <change>
        <condition>
          <set token="submit">true</set>
         <unset token="show_panel"></unset>
        </condition>

      </change>
    </input>
    <input type="text" token="urllist" searchWhenChanged="true">
      <label>URL List</label>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <change>
        <condition>
          <set token="submit">true</set>
          <unset token="show_panel"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row rejects="$submit$">
    <panel>
      <table>
        <search>
          <query>| makeresults
 | eval iplist=$iplist$, type="ip"
 | makemv iplist
 | mvexpand iplist
 | makemv delim="," iplist
 | eval iplist=mvdedup(iplist)
 | mvexpand iplist
 | eval threatfeed_ip=iplist
 | fields - iplist
 | addinfo
 | collect index="threatfeed"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition>
              <set token="show_panel">true</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>| makeresults
 | eval urllist=$urllist$, type="url"
 | makemv urllist
 | mvexpand urllist
 | makemv delim="," urllist
 | eval urllist=mvdedup(urllist)
 | mvexpand urllist
 | eval threatfeed_url=urllist
 | fields - urllist
 | addinfo 
 | collect index=threatfeed</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition>
              <set token="show_panel">true</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row depends="$show_panel$">
    <panel>
      <table>
        <search>
          <query>index=threatfeed |fields $show_panel$,  _time, threatfeed_* | table _time, threatfeed_*</query>
          <earliest>0</earliest>

        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

View solution in original post

vnravikumar
Champion

Hi @scottprigge

Try this and let me know.

<form script="showtokens.js">
  <label>Threat Feed Inputs</label>
  <description>Enter a COMMA-DELIMITED list of IP addresses or URLs.</description>
  <fieldset submitButton="false" autoRun="false">
    <input type="text" token="iplist" searchWhenChanged="true">
      <label>IP List</label>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <change>
        <condition>
          <set token="submit">true</set>
         <unset token="show_panel"></unset>
        </condition>

      </change>
    </input>
    <input type="text" token="urllist" searchWhenChanged="true">
      <label>URL List</label>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <change>
        <condition>
          <set token="submit">true</set>
          <unset token="show_panel"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row rejects="$submit$">
    <panel>
      <table>
        <search>
          <query>| makeresults
 | eval iplist=$iplist$, type="ip"
 | makemv iplist
 | mvexpand iplist
 | makemv delim="," iplist
 | eval iplist=mvdedup(iplist)
 | mvexpand iplist
 | eval threatfeed_ip=iplist
 | fields - iplist
 | addinfo
 | collect index="threatfeed"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition>
              <set token="show_panel">true</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>| makeresults
 | eval urllist=$urllist$, type="url"
 | makemv urllist
 | mvexpand urllist
 | makemv delim="," urllist
 | eval urllist=mvdedup(urllist)
 | mvexpand urllist
 | eval threatfeed_url=urllist
 | fields - urllist
 | addinfo 
 | collect index=threatfeed</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition>
              <set token="show_panel">true</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row depends="$show_panel$">
    <panel>
      <table>
        <search>
          <query>index=threatfeed |fields $show_panel$,  _time, threatfeed_* | table _time, threatfeed_*</query>
          <earliest>0</earliest>

        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

View solution in original post

_smp_
Builder

Thank you for the response. This is clever! I wanted the dashboard to always display the bottom panel - when the dashboard is first loaded, or any time a new entry is added to one of the inputs. I just had to change the element to and it did exactly what I wanted it to do.

Thanks!!

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!