hey all,
so what im trying to do is use a radial group to change the search in a drilldown by having each radio button specify a different search, but im not sure how to format the parameters to do this. can anyone help?
<module name="RadioButtonSearch"> <param name="label">Sort by</param>
The RadioButtonSearch module can only create 'addterm' intentions, and that means the values of your radio buttons can each only be single searchterms like "foo" or field values like someField="someValue".
With core Splunk you're probably better off using the "StaticRadio" module, which works a lot like the "StaticSelect" module. The bad news is that you'll have to get used to using the ConvertToIntention module because you'll need it to turn the simple key from StaticRadio into a "stringreplace" intention. (To explain: RadioButtonSearch creates the intention automatically, but again it can only create 'addterm' intentions. StaticRadio doesn't create the intention, only creating a simple key, and this is why you need ConvertToIntention to turn that key value into an "intention". confused?)
Making it harder is the fact that the Dashboard Examples app doesn't contain any working examples for either module. You can find an example of the StaticSelect module though, and between that and between the few "stringreplace" intention examples in there, and the StaticRadio.conf file, it's possible to figure it out.
If you're using Sideview Utils 2.X, you'll have an easier time because you can use the Radio module, and you won't need an intention nor a ConvertToIntention module. Sideview Utils contains its own documentation and working examples for its modules, including for the Radio module. download the app for free ( http://sideviewapps.com/apps/sideview-utils ), and once its installed, use the app navigation to go to "Module Documentation > Form Search Modules > The Radio Module".
So what I ended up doing was using SideviewUtils to do a pulldown and alter the search directly.
here's my code if it will end up helping anyone.
<module name="Pulldown">
<param name="staticFieldsToDisplay">
<list>
<param name="label">Host</param>
<param name="value">host</param>
<param name="selected">true</param>
</list>
<list>
<param name="label">User</param>
<param name="value">user</param>
</list>
</param>
<param name="name">selectedSort</param>
<param name="label">Grouping</param>
<module name="Search">
<param name="search">(index=windows_security EventCode=4624) OR (index=unix OR index=unix_secure pam_vas: succeeded) OR (host="csacs000*" CSCOacs_Passed_Authentications) | top $selectedSort$ | fields - percent </param>
The RadioButtonSearch module can only create 'addterm' intentions, and that means the values of your radio buttons can each only be single searchterms like "foo" or field values like someField="someValue".
With core Splunk you're probably better off using the "StaticRadio" module, which works a lot like the "StaticSelect" module. The bad news is that you'll have to get used to using the ConvertToIntention module because you'll need it to turn the simple key from StaticRadio into a "stringreplace" intention. (To explain: RadioButtonSearch creates the intention automatically, but again it can only create 'addterm' intentions. StaticRadio doesn't create the intention, only creating a simple key, and this is why you need ConvertToIntention to turn that key value into an "intention". confused?)
Making it harder is the fact that the Dashboard Examples app doesn't contain any working examples for either module. You can find an example of the StaticSelect module though, and between that and between the few "stringreplace" intention examples in there, and the StaticRadio.conf file, it's possible to figure it out.
If you're using Sideview Utils 2.X, you'll have an easier time because you can use the Radio module, and you won't need an intention nor a ConvertToIntention module. Sideview Utils contains its own documentation and working examples for its modules, including for the Radio module. download the app for free ( http://sideviewapps.com/apps/sideview-utils ), and once its installed, use the app navigation to go to "Module Documentation > Form Search Modules > The Radio Module".