Remove results from a search using input checkbox.

odonnem1 · ‎08-23-2016

I'm creating a form that searches logs and want to allow the user to remove common log entries from the results view by selecting them using an input checkbox.

For instance if the results contain 'failed to open E:\temp\file1.txt' & 'failed to open E:\temp\file2.txt'
I want to provide a checkbox that the user can select to remove '*failed to open E:\temp\* *'

I don't know what to use as my choice / value in my XML

    <input type="checkbox" token="_commonErrors" searchWhenChanged="true">
      <label>Exclude errors</label>
      <default></default>
      <choice value="??????'">Failed to open</choice>
      <choice value="">Everything</choice>
    </input>

Thanks.

sundareshr · ‎08-23-2016

You may want to consider using multi-select. Try these settings for your multiselect

Token: commonErrors
Token Prefix: (
Token Suffix: )
Token Value Prefix: source="*
Token Value Suffix: *"
Delimiter:  OR

http://docs.splunk.com/Documentation/Splunk/6.4.2/Viz/FormEditor#Multiselect

odonnem1 · ‎08-23-2016

Thanks I will try rewriting my form to use these tokens.

odonnem1 · ‎08-23-2016

I guess the more I research this the more complicated it gets. If I allow multiple selections (check boxes) each with a different value I then need a way to add these to the query using NOT (result1 AND result2).
Does this sound right?