I have a dashboard panel with a radio input. If the user chooses Selection A (4624), I need to add a field to the search. I've tried using eval with if in the search to add the new field, but it either errors out or never processes. Thanks.
  <input type="radio" token="priv_login" searchWhenChanged="true">
    <label>Login Status</label>
    <choice value="4624">Successful</choice>
    <choice value="4625">Failed</choice>
    <initialValue>4624</initialValue>
    <change>
      <condition>
        <set token="panellabel">$label$</set>
      </condition>
    </change>
  </input>
</fieldset>
<row>
  <panel>
    <single>
      <title>$panellabel$ Privileged Account Logins</title>
      <search>
        <query>index=con_wineventlog_security src="gord*" (Account_Name="*.SA" OR Account_Name="*.*.WA") EventCode=$priv_login$ | stats count(EventCode)</query>
        <earliest>$priv_agg_tok.earliest$</earliest>
        <latest>$priv_agg_tok.latest$</latest>
        <sampleRatio>1</sampleRatio>
        <refresh>60m</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="drilldown">none</option>
      <option name="refresh.display">progressbar</option>
    </single>
  </panel>
You can modify your input like this:
<input type="radio" token="priv_login" searchWhenChanged="true">
  <label>Login Status</label>
  <choice value="4624">Successful</choice>
  <choice value="4625">Failed</choice>
  <initialValue>4624</initialValue>
  <change>
    <set token="panellabel">$label$</set>
    <condition value="4624">
      <set token="additional_search">yoursecondfield=something</set>
    </condition>
  </change>
</input>
Then you can include $additional_search$ in your search query.
I was never able to pass a new field to the query using a separate token. Splunk was always waiting for data input. I solved the issue by using the radio button's statement to add the field (Logon_ID).
<input type="radio" searchWhenChanged="true" token="priv_login_tok">
  <label>Login Status</label>
  <choice value="4624 Logon_ID!=0x0">Successful</choice>
  <choice value="4625">Failed</choice>
  <initialValue>4624</initialValue>
Thank you. This solution works as long, but I need to use "!=" with my new search field. The token is dropping the "!".
This solution somewhat works. When I change values, the new search field doesn't change.
Okay, in that case you need to add a after
I think your comment didn't fully update.
In that case, try using $tokenname|s$ to enable search encoding of token.
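An added example, not code from any poster in this thread: one way to switch the extra filter with the radio button is to have every `<condition>` branch set the same token, so the search never waits on an undefined token and never keeps a stale value from the previous selection. The token name `priv_filter` and the time input that defines `priv_agg_tok` are assumptions; the index, field names and the `Logon_ID!=0x0` filter come from the posts above.

```xml
<form>
  <label>Privileged Account Logins</label>
  <fieldset submitButton="false">
    <!-- Assumed time picker: the thread uses priv_agg_tok but does not show its input -->
    <input type="time" token="priv_agg_tok">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="radio" token="priv_login" searchWhenChanged="true">
      <label>Login Status</label>
      <choice value="4624">Successful</choice>
      <choice value="4625">Failed</choice>
      <initialValue>4624</initialValue>
      <change>
        <!-- Each branch sets both tokens, so neither is left undefined or stale -->
        <condition value="4624">
          <set token="panellabel">$label$</set>
          <!-- priv_filter is a hypothetical token holding the whole event filter -->
          <set token="priv_filter">EventCode=4624 Logon_ID!=0x0</set>
        </condition>
        <!-- Default branch: any other choice (here 4625) filters on the event code only -->
        <condition>
          <set token="panellabel">$label$</set>
          <set token="priv_filter">EventCode=$value$</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <title>$panellabel$ Privileged Account Logins</title>
        <search>
          <!-- Inserted without a token filter: priv_filter is a search expression, and |s would quote it as one string -->
          <query>index=con_wineventlog_security src="gord*" (Account_Name="*.SA" OR Account_Name="*.*.WA") $priv_filter$ | stats count(EventCode)</query>
          <earliest>$priv_agg_tok.earliest$</earliest>
          <latest>$priv_agg_tok.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
</form>
```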