Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

XML: Have a field name change based on a choice from a drop down

replicamask
Explorer
‎07-10-2019 06:59 PM

Hi,

I've been searching online and trying to find an answer for this.

Essentially it's building a dashboard/app page with predefined searches for people to use.

What I am trying to implement is a drop down choice at the beginning to select the search you wish to run. Then after that there is two fields for difference resource id's.
The first field is just an id and will be the same for all searches, user_id will work for this example. Then the second field would need to change depending on the choice of search.

For example:

  1. Select search from dropdown (all user actions from an IP)
    • This would have the first field as user_id and need to have the second field as ip=
  2. Select search from dropdown (all user actions on a certain index)
    • This would have the first field as user_id and need to have the second field as index=

That way when someone opens it up they can select the search they want to run from the drop down, then enter the user_id, and finally enter the last field which would change depending on the search chosen, after they hit submit the entered values would be assigned to their field names and added to the search which will be stored in the drop down

(trimmed down extract of what it looks like atm)

<label>user + ip</label>
<searchTemplate>$searchstring$ user_id=$user_id$ (changable_field_name=user_submitted_value)</searchTemplate>
<fieldset>
  <input type="dropdown" token="searchstring">
    <label>Search</label>
    <choice value='SEARCH STRING WOULD BE INCLUDED HERE ASIDE FROM THE USER_ID AND ADDITIONAL FIELD NAME'>user actions from a specific ip</choice>
    <choice value='SEARCH STRING WOULD BE INCLUDED HERE ASIDE FROM THE USER_ID AND ADDITIONAL FIELD NAME'>user actions on a specific index</choice>

<input type="text" token="user_id">
  <label>user_id</label>
  <default>*</default>
  <prefix>"</prefix>
  <suffix>"</suffix>
</input>

<input type="text" token="ip">
  <label>ip</label>
  <default>*</default>
  <prefix>"</prefix>
  <suffix>"</suffix>
</input>

<input type="text" token="index">
  <label>index</label>
  <default>*</default>
  <prefix>"</prefix>
  <suffix>"</suffix>
</input>

So while I know this will populate the entered user_id from the field into the search string (user_id=$user_id$), I am at a loss of how to have the second field name update from the drop down and then apply into the searchTemplate along with the provided value where it says (changable_field_name=user_submitted_value) above.

Thanks in advance for any help

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...