Splunk Enterprise Security

Radiobutton issue: have to reselect it every time to be able to resubmit the search

woodentree
Communicator

Hello,

We'd like to provide a basic dashboard to our analysts to help them to search the information in an asset lookup based on its name, IP or Mac addresses. By default we'd like to use a wildcard with the text input (in case of multiple values in the field), but we'd like to leave an option to suppress the wildcard as well. For this purpose we use a radiobutton. Here is our dashboard:

<form>
<label>Asset Info</label>
<fieldset submitButton="true" autoRun="false">
  <input type="text" token="input">
    <label>Name, IP or Mac</label>
      <default></default>
    </input>
    <input type="radio" token="field1" searchWhenChanged="true">
      <label>Exact Value</label>
      <choice value="Yes">Yes</choice>
      <choice value="No">No</choice>
      <change>
        <condition value="No">
          <set token="myseaerch">| inputlookup assets_info.csv
    | search name=*$input$* OR ip=*$input$* OR mac=*$input$*
    | table name, ip, mac, zone, classification, status, os, serial_number</set>
        </condition>
        <condition value="Yes">
          <set token="myseaerch">| inputlookup assets_info.csv
    | search name=$input$ OR ip=$input$ OR mac=$input$
    | table name, ip, mac, zone, classification, status, os, serial_number</set>
        </condition>
      </change>
      <initialValue>No</initialValue>
      <default>No</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Asset Info</title>
        <search>
          <query>$myseaerch$</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Unfortunately, for some reason we need to reselect a radiobutton every time we want to resubmit the search. I mean, we can't just leave it in "No" position and resubmit a search with a new text input, but have to switch to "Yes" and then back to "No" in order to make it work.

Do you have any idea what the issue is cased by and how it could be fixed?

Thanks for the help.

0 Karma
1 Solution

nickhills
Ultra Champion

Thats because you are using 'sets' based on 'conditions', when on load neither is set.

Another way to achieve the same results without conditions:

<form>
  <label>Asset Info</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="input">
      <label>Name, IP or Mac</label>
      <default></default>
    </input>
    <input type="radio" token="wildcard" searchWhenChanged="true">
      <label>Exact Value</label>
      <choice value="*">Yes</choice>
      <choice value="">No</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Asset Info</title>
        <search>
          <query>| inputlookup assets_info.csv
     | search name=$wildcard$$input$$wildcard$ OR mac=$wildcard$$input$$wildcard$
     | table name, ip, mac, zone, classification, status, os, serial_number</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
If my comment helps, please give it a thumbs up!

View solution in original post

nickhills
Ultra Champion

If you want to keep your condition approach, you can set the radio button to a value on load:

<init>
     <set token="field1">Yes</set>
 </init>
If my comment helps, please give it a thumbs up!
0 Karma

nickhills
Ultra Champion

Thats because you are using 'sets' based on 'conditions', when on load neither is set.

Another way to achieve the same results without conditions:

<form>
  <label>Asset Info</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="input">
      <label>Name, IP or Mac</label>
      <default></default>
    </input>
    <input type="radio" token="wildcard" searchWhenChanged="true">
      <label>Exact Value</label>
      <choice value="*">Yes</choice>
      <choice value="">No</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Asset Info</title>
        <search>
          <query>| inputlookup assets_info.csv
     | search name=$wildcard$$input$$wildcard$ OR mac=$wildcard$$input$$wildcard$
     | table name, ip, mac, zone, classification, status, os, serial_number</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
If my comment helps, please give it a thumbs up!

woodentree
Communicator

Hi @nickhillscpl ,

Thanks for the help! It's definitely a better way to execute the search.

I have just another small issue: if I leave <default>*</default> line, it becomes impossible to select radiobutton values (between "Yes" and "No"). At the same time with <default></default> it works totally fine.

0 Karma

nickhills
Ultra Champion

Yes, thats a bit odd. I can't really explain that.
Leave it out - it wont make any difference if you use it as a dashboard.
If ever you use the dashboard as a drilldown target, you will just have to remember to define its value as a parameter

If my comment helps, please give it a thumbs up!
0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...