Dashboards & Visualizations

Unchecked Checkbox search not working

jfrieling_splun
Splunk Employee
Splunk Employee

when the check box is checked i want to use only results for which a field exists.

to that end i have the following settings in the UI:

Token Name: token1
Token Value Prefix: | search field=
Static Options: Name=IncludeField Value=*

my search is inputlookup mylookup.csv $token1$

when the checkbox is checked, it works fine as i assume | search field=* is included in the search

when the checkbox is unchecked, the panel says "search is waiting for input"

Am i wrong in assuming that an unchecked checkbox means the token1 is empty and the search is run as is? Why isn't this working for me?

Tags (1)
0 Karma

niketn
Legend

@jfrieling since you have single static value in the check box, you can use Check box <change> event handler to set the token for filter. Following is a run anywhere example which uses change event handler instead of using Token Prefix and sets the token to empty string in case Check box is unchecked!

<form>
  <label>Check Box For Token</label>
  <fieldset submitButton="false">
    <input type="checkbox" token="token1">
      <label></label>
      <choice value="*">IncludeField</choice>
      <change>
        <condition label="IncludeField">
          <set token="tokenFilter">| search field= *</set>
        </condition>
        <condition>
          <set token="tokenFilter"> </set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>| inputlookup mylookup.csv $tokenFilter$</title>
      <search>
        <query>| inputlookup mylookup.csv $tokenFilter$</query>
      </search>
    </panel>
  </row>
</form>

PS: For demo of search string being executed I have printed the query in panel

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

DEAD_BEEF
Builder

Works in 7.0.3, thanks @niketnilay

0 Karma

woodcock
Esteemed Legend

I just tried this and it does not work. Does it really work for you @niketnilay? I am on v6.5.3.

0 Karma

Shan
Builder

@jfrieling [Splunk] ,

I dont see anything wrong, in what your doing .
That is the how check box works .. If your not checking any option it will show message as "search is waiting for input". You can assign IncludeField as Default Value. So every time while dashboard loaded. It will load with the default value IncludeField .

0 Karma

richgalloway
SplunkTrust
SplunkTrust

When a checkbox is unchecked the associated token is undefined. Searches will not run with undefined tokens.
If you can assigned the unchecked box to "*" or " " then the search should work.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...