Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search string modification

Stopplis
Explorer
‎07-01-2024 12:50 AM

 

Hello,

 

I have a dashboard with checkbox and input field.

If you choose the group and type 'something' into to the text input the search is looking for category="something"

If you choose the Any field the search is looking for "something".

I want to set that if I choose the Any field the search does not add this tag: "", only search for something.

But of course remain the tag with other checkbox selection, like category="something".

 

The main goal would be I'd like to free to use the Any field option.

So now if I type e.g. something OR anything, the search does not understand correctly because it looks like "something OR anything", so it detect like one variable. So I like to see something OR anything.

 

Could you please help to modify my dashboard?

 

 

<form version="1.1" theme="light">
  <label>Multiselect Text</label>
  <init>
    <set token="toktext">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="checkbox" token="tokcheck">
      <label>Field</label>
      <choice value="Any field">Any field</choice>
      <choice value="category">Group</choice>
      <choice value="severity">Severity</choice>
      <default>category</default>
      <valueSuffix>=REPLACE</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <change>
        <eval token="form.tokcheck">case(mvcount('form.tokcheck')=0,"category",isnotnull(mvfind('form.tokcheck',"Any field")),"Any field",1==1,'form.tokcheck')</eval>
        <eval token="tokcheck">if('form.tokcheck'="Any field","REPLACE",'tokcheck')</eval>
        <eval token="tokfilter">replace($tokcheck$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
    <input type="text" token="toktext">
      <label>Value</label>
      <default>*</default>
      <change>
        <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>$tokfilter$</title>
        <search>
          <query>index=* $tokfilter$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

 

 

Thank you very much in advance!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-01-2024 04:24 AM

OK I misunderstood your new requirement

<form version="1.1" theme="light">
  <label>Multiselect Text</label>
  <init>
    <set token="toktext">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="checkbox" token="tokcheck">
      <label>Field</label>
      <choice value="Any field">Any field</choice>
      <choice value="category">Group</choice>
      <choice value="severity">Severity</choice>
      <default>category</default>
      <valueSuffix>=REPLACE</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <change>
        <eval token="form.tokcheck">case(mvcount('form.tokcheck')=0,"category",isnotnull(mvfind('form.tokcheck',"Any field")),"Any field",1==1,'form.tokcheck')</eval>
        <eval token="tokcheck">if('form.tokcheck'="Any field","REPLACE",'tokcheck')</eval>
        <eval token="tokfilter">if($form.tokcheck$!="Any field",replace($tokcheck$,"REPLACE","\"".$toktext$."\""),$toktext$)</eval>
      </change>
    </input>
    <input type="text" token="toktext">
      <label>Value</label>
      <default>*</default>
      <change>
        <eval token="tokfilter">if($form.tokcheck$!="Any field",replace($tokcheck$,"REPLACE","\"".$toktext$."\""),$toktext$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>$tokfilter$</title>
        <search>
          <query>index=* $tokfilter$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-01-2024 01:33 AM

Try something like this

<form version="1.1" theme="light">
  <label>Multiselect Text</label>
  <init>
    <set token="toktext">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="checkbox" token="tokcheck">
      <label>Field</label>
      <choice value="Any field">Any field</choice>
      <choice value="category">Group</choice>
      <choice value="severity">Severity</choice>
      <default>category</default>
      <valueSuffix>=REPLACE</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <change>
        <eval token="form.tokcheck">case(mvcount('form.tokcheck')=0,"category",isnotnull(mvfind('form.tokcheck',"Any field")),"Any field",1==1,'form.tokcheck')</eval>
        <eval token="tokcheck">if('form.tokcheck'="Any field","REPLACE",'tokcheck')</eval>
        <eval token="tokfilter">if($form.tokcheck$!="Any field" OR $toktext$!="*",replace($tokcheck$,"REPLACE","\"".$toktext$."\""),null())</eval>
      </change>
    </input>
    <input type="text" token="toktext">
      <label>Value</label>
      <default>*</default>
      <change>
        <eval token="tokfilter">if($form.tokcheck$!="Any field" OR $toktext$!="*",replace($tokcheck$,"REPLACE","\"".$toktext$."\""),null())</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>$tokfilter$</title>
        <search>
          <query>index=* $tokfilter$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>
0 Karma
Reply
Solved! Jump to solution

Stopplis
Explorer
‎07-01-2024 02:02 AM

Unfortunately I can see the same: "something" instead of something.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-01-2024 04:24 AM

OK I misunderstood your new requirement

<form version="1.1" theme="light">
  <label>Multiselect Text</label>
  <init>
    <set token="toktext">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="checkbox" token="tokcheck">
      <label>Field</label>
      <choice value="Any field">Any field</choice>
      <choice value="category">Group</choice>
      <choice value="severity">Severity</choice>
      <default>category</default>
      <valueSuffix>=REPLACE</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <change>
        <eval token="form.tokcheck">case(mvcount('form.tokcheck')=0,"category",isnotnull(mvfind('form.tokcheck',"Any field")),"Any field",1==1,'form.tokcheck')</eval>
        <eval token="tokcheck">if('form.tokcheck'="Any field","REPLACE",'tokcheck')</eval>
        <eval token="tokfilter">if($form.tokcheck$!="Any field",replace($tokcheck$,"REPLACE","\"".$toktext$."\""),$toktext$)</eval>
      </change>
    </input>
    <input type="text" token="toktext">
      <label>Value</label>
      <default>*</default>
      <change>
        <eval token="tokfilter">if($form.tokcheck$!="Any field",replace($tokcheck$,"REPLACE","\"".$toktext$."\""),$toktext$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>$tokfilter$</title>
        <search>
          <query>index=* $tokfilter$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...