Dashboards & Visualizations

Using Radio Buttons in a drilldown

twistedsixty4
Path Finder

hey all,
so what im trying to do is use a radial group to change the search in a drilldown by having each radio button specify a different search, but im not sure how to format the parameters to do this. can anyone help?

<module name="RadioButtonSearch">    
<param name="label">Sort by</param>   

???



By Host

(index=windows_security EventCode=4624) OR (index=unix OR
index=unix_secure pam_vas: succeeded)
OR (host="csacs000*" CSCOacs_Passed_Authentications) | top
20 host



By User

(index=windows_security EventCode=4624) OR (index=unix OR
index=unix_secure pam_vas: succeeded)
OR (host="csacs000*" CSCOacs_Passed_Authentications) | top
20 user


1 Solution

sideview
SplunkTrust
SplunkTrust

The RadioButtonSearch module can only create 'addterm' intentions, and that means the values of your radio buttons can each only be single searchterms like "foo" or field values like someField="someValue".

With core Splunk you're probably better off using the "StaticRadio" module, which works a lot like the "StaticSelect" module. The bad news is that you'll have to get used to using the ConvertToIntention module because you'll need it to turn the simple key from StaticRadio into a "stringreplace" intention. (To explain: RadioButtonSearch creates the intention automatically, but again it can only create 'addterm' intentions. StaticRadio doesn't create the intention, only creating a simple key, and this is why you need ConvertToIntention to turn that key value into an "intention". confused?)

Making it harder is the fact that the Dashboard Examples app doesn't contain any working examples for either module. You can find an example of the StaticSelect module though, and between that and between the few "stringreplace" intention examples in there, and the StaticRadio.conf file, it's possible to figure it out.

If you're using Sideview Utils 2.X, you'll have an easier time because you can use the Radio module, and you won't need an intention nor a ConvertToIntention module. Sideview Utils contains its own documentation and working examples for its modules, including for the Radio module. download the app for free ( http://sideviewapps.com/apps/sideview-utils ), and once its installed, use the app navigation to go to "Module Documentation > Form Search Modules > The Radio Module".

View solution in original post

0 Karma

twistedsixty4
Path Finder

So what I ended up doing was using SideviewUtils to do a pulldown and alter the search directly.
here's my code if it will end up helping anyone.

     <module name="Pulldown">
       <param name="staticFieldsToDisplay">
         <list>
         <param name="label">Host</param>
         <param name="value">host</param>
         <param name="selected">true</param>
       </list>
       <list>
         <param name="label">User</param>
         <param name="value">user</param>
       </list>
     </param>
     <param name="name">selectedSort</param>
     <param name="label">Grouping</param>
     <module name="Search">
       <param name="search">(index=windows_security EventCode=4624) OR (index=unix OR index=unix_secure pam_vas: succeeded) OR (host="csacs000*" CSCOacs_Passed_Authentications) | top $selectedSort$ | fields - percent </param>
0 Karma

sideview
SplunkTrust
SplunkTrust

The RadioButtonSearch module can only create 'addterm' intentions, and that means the values of your radio buttons can each only be single searchterms like "foo" or field values like someField="someValue".

With core Splunk you're probably better off using the "StaticRadio" module, which works a lot like the "StaticSelect" module. The bad news is that you'll have to get used to using the ConvertToIntention module because you'll need it to turn the simple key from StaticRadio into a "stringreplace" intention. (To explain: RadioButtonSearch creates the intention automatically, but again it can only create 'addterm' intentions. StaticRadio doesn't create the intention, only creating a simple key, and this is why you need ConvertToIntention to turn that key value into an "intention". confused?)

Making it harder is the fact that the Dashboard Examples app doesn't contain any working examples for either module. You can find an example of the StaticSelect module though, and between that and between the few "stringreplace" intention examples in there, and the StaticRadio.conf file, it's possible to figure it out.

If you're using Sideview Utils 2.X, you'll have an easier time because you can use the Radio module, and you won't need an intention nor a ConvertToIntention module. Sideview Utils contains its own documentation and working examples for its modules, including for the Radio module. download the app for free ( http://sideviewapps.com/apps/sideview-utils ), and once its installed, use the app navigation to go to "Module Documentation > Form Search Modules > The Radio Module".

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...