Hi,
I have a dashboard. It has 3 text inputs.
Search by IP
Text Input 1
Search by NETBIOS
Text Input 2
Search by DNS
Text Input 3
Submit button
I have a statistical table panel below them that is running the query:
Base search/Report reference
| search IP="$ip$" OR NETBIOS="$netbios$" OR DNS="$dns$"
| stats dc(IP) AS Total BY IP, NETBIOS, DNS
When I have IP inserted, Submit returns IP, NETBIOS and DNS.
When I have different NETBIOS inserted, search returns NETBIOS + IP (both different, one result for IP and one for NETBIOS. Likewise if I have all three different values, I will have three results)
What I need:
- Once any value is inserted, I want the other two to reset and become blank so search can use only one value at a time. I need to use either of the three values from text box inputs above and have only one result from one of either of three values.
For example, if I insert an IP 00.00.00.00 and hit Submit, I get results for IP since other two values are left blank. But when I insert NETBIOS e.g. SAMPLENETBIOS, I want IP text box to become reset/blank and search result should return results for NETBIOS not IP. Likewise for DNS.
Or can I have one text box where any one of three values can be inserted to get desired results? How?
Thanks in-advance
I am on v6.6.5 and +
You need to create a change
section for each one and inside of this, do a pair of unset
commands for each of the other 2 token names, like this (for the first token):
<unset token="second_token"></unset>
<unset token="form.second_token"></unset>
<unset token="third_token"></unset>
<unset token="form.third_token"></unset>
HI @mbasharat,
Can you please share your code as I am having the same scenerio.
I ended up creating a text box as below with token and referenced the token value in the searches as sampled below.
<input type="text" token="value" searchWhenChanged="false">
<label>Search by IP or NETBIOS or DNS</label>
<default>00.00.00.00</default>
</input>
search/base search for panels as per your use case:
index=SAMPLE sourcetype=SAMPLE2
*| search ip_address="$value$" OR netbios="$value$" OR dns="$value$"
REST OF THE SEARCH
Thanks.
You need to create a change
section for each one and inside of this, do a pair of unset
commands for each of the other 2 token names, like this (for the first token):
<unset token="second_token"></unset>
<unset token="form.second_token"></unset>
<unset token="third_token"></unset>
<unset token="form.third_token"></unset>
Is it also possible to have more than one ORs in panel drilldown as below:
Panel > Drill down > on Cell
Cell value 1=IP
Cell value 2=NETBIOS
Cell value 3=DNS
Drill down > Link to Dashboard
Has three token under Manage Tokens.
form.value ("value" is the token of text box in the destination page) = $row.IP$ OR $row.NETBIOS$ OR $row.DNS$
This OR is not working as well as it is passing all three values separated by commas instead of only the one that is clicked on.
Thanks.
Hey You cannot pass OR in drill down,
instead, you can use the conditional drill down
<option name="drilldown">cell</option>
<drilldown>
<condition field="IP">
<link target="_blank">/app/search/handson_2?form.value=$row.IP$</link>
</condition>
<condition field="NETBIOS">
<link target="_blank">/app/search/handson_2?form.value=$row.NETBIOS$</link>
</condition>
<condition field="DNS">
<link target="_blank">/app/search/handson_2?form.value=$row.DNS$</link>
</condition>
<condition>
<!-- No drilldown for other cell-->
</condition>
</drilldown>
Here you can change the value of fieldname as per your requirements.
In condition tag change field=fieldname
and in link tag just change $row.fieldname$