Dashboards & Visualizations

my input dropdown passes the wrong value to the searchtemplate

RiccardoV
Communicator

Hi, hi have this search template:

index=* sourcetype="$sourcetype$" | ....

the $sourcetype" value is coming from an input dropdown like this:

<input type="dropdown" token="sourcetype" id="sourcetype_input">
    <label>1. Select a sourcetype.</label>
    <choice value="*">All</choice>
    &lt;populatingSearch earliest="$earliest$" latest="$latest$" fieldForLabel="sourcetype" fieldForValue="sourcetype"&gt;| metadata type=sourcetypes index=* | fields sourcetype | sort sourcetype&lt;/populatingSearch&gt;
</input>

If I set as selected value "All" in my dashboard, the search will be:

index=* sourcetype="All" | ....

and not

index=* sourcetype="*" | ....

How can i fix this?

gyslainlatsa
Motivator

hi RiccardoV,
don't put the " ", try like this:

<panel>
    <table>
        <title>----------------------------------</title>
    <search
       <query>
        index=* sourcetype=$sourcetype$ |.........
      </query>
    </search
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
    </table>
 </panel>

or your try this:

<panel>
      <table>
        <title>----------------------------------</title>
        <searchString>  index=* sourcetype=$sourcetype$ |.........</searchString>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
  </panel>
0 Karma

RiccardoV
Communicator

Hi, thanks for your answer. And what if the sourcetype contains a blank space in its name?

index = * sourcetype=foo bar

will does it work anyway?

0 Karma

gyslainlatsa
Motivator

if the sourcetype contains a blank space in its name,
try this for the general case:

index=* sourcetype=$sourcetype$ OR sourcetype="$sourcetype$"|.........
0 Karma

RiccardoV
Communicator

The problem is that to this search arrived the value "All" and not the value *, I don't think that the problem can be related to the " " around $sourcetype$

0 Karma

gyslainlatsa
Motivator

if the sourcetype contains a blank space in its name,
try this for the general case:

 index=* sourcetype=$sourcetype$ OR sourcetype="$sourcetype$"|.........
0 Karma

woodcock
Esteemed Legend

Everything looks pretty much OK but there appears to be an extra ">" in your fieldForValue specification that is unmatched and doesn't make sense. In any case, for the purposes of validating your form, skip the poplulatingSearch stuff and just try this:

<searchString>index = * sourcetype = $sourcetype$</searchString>
0 Karma

RiccardoV
Communicator

Hi, the ">" it's ok I think:

http://pastebin.com/aa8Nqx4h

where should I put the searchString you write down?

0 Karma

woodcock
Esteemed Legend

Start with the most stripped-down XML that you can get to work and then start adding things in. Try starting with this:

<form>
  <label>TEST</label>
  <description>Gregg Woodcock says: Always Test</description>
  <fieldset autoRun="true" submitButton="false">
    <input type="dropdown" token="sourcetype">
      <label>Sourcetype</label>
      <choice value="*">All</choice>
      <default>All</default>
    </input>
  </fieldset>
  <row>
    <chart>
      <title>Test panel</title>
      <searchString>index=* sourcetype=$sourcetype$</searchString>
      <earliestTime>-10d@d</earliestTime>
      <latestTime>now</latestTime>
0 Karma
Get Updates on the Splunk Community!

Set Up More Secure Configurations in Splunk Enterprise With Config Assist

This blog post is part 3 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...