I currently have a dashboard which shows the IP Address | Web Request | Browser | JSession Count
I want to create a search box where the user can enter the IP Address into and Splunk will filter the results in the table based on that IP Address and show the Web Request | Browser | JSession Count
So far I currently have 3 panels at the top of my dashboard, one is a drop down for the time frame, the next one is a submit button, then a text box where the user can enter the IP Address. I have a text box, but when I hit the submit button, nothing happens. I suspect that it's not tied to the query properly so it doesn't know what to search. Can anyone help me fix this so I'm able to filter through the table displayed?
Here's my xml that I have so far
<form>
<label>Click Fraud</label>
<fieldset autoRun="true" submitButton="true">
<input type="time" searchWhenChanged="true">
<default>
<earliestTime>-15m</earliestTime>
<latestTime>now</latestTime>
<search>
<query>index=access OR index=main | transaction RTG_JSession | table RTG_IPmain RTG_WebRequest RTG_Browser | stats count values(RTG_Browser) values(RTG_WebRequest) BY RTG_IPmain | sort -count | rename RTG_IPmain AS "IP Address" | rename count AS "JSession Count" | rename "values(RTG_Browser)" AS "Browser" | rename "values(RTG_WebRequest)" AS "Web Request"</query>
<earliest></earliest>
<latest></latest>
</search>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=access OR index=main | transaction RTG_JSession | table RTG_IPmain RTG_WebRequest RTG_Browser | stats count values(RTG_Browser) values(RTG_WebRequest) BY RTG_IPmain | sort -count | rename RTG_IPmain AS "IP Address" | rename count AS "JSession Count" | rename "values(RTG_Browser)" AS "Browser" | rename "values(RTG_WebRequest)" AS "Web Request"</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>
</row>
</form>
Hi skoelpin,
add a text field like this:
<input type="text" token="ip">
<label>IP</label>
<default>*</default>
<prefix>'IP Address'="</prefix>
<suffix>"</suffix>
</input>
and use the $ip$ token in your search like this:
<table>
<search>
<query>
index=access OR index=main
| transaction RTG_JSession
| stats count values(RTG_Browser) values(RTG_WebRequest) BY RTG_IPmain
| sort -count
| rename RTG_IPmain AS "IP Address" count AS "JSession Count" "values(RTG_Browser)" AS "Browser" "values(RTG_WebRequest)" AS "Web Request"
| search $ip$
| table 'Web Request' Browser 'JSession Count'</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
</table>
And just a tip: don't use field names which contain a space 😉
Hope this helps ...
cheers, MuS
Thanks for the reply MuS.
I tried putting in what you recommended but it's not returning any results. Can you pick out what I'm doing wrong here?
<form>
<label>Click Fraud</label>
<fieldset autoRun="true" submitButton="true">
<input type="text" token="ip">
<label>IP</label>
<default>*</default>
<prefix>'IP Address'="</prefix>
<suffix>"</suffix>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>
index=access OR index=main
| transaction RTG_JSession
| stats count values(RTG_Browser) values(RTG_WebRequest) BY RTG_IPmain
| sort -count
| rename RTG_IPmain AS "IP Address" count AS "JSession Count" "values(RTG_Browser)" AS "Browser" "values(RTG_WebRequest)" AS "Web Request"
| search $ip$
| table 'Web Request' Browser 'JSession Count'</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
</table>
</panel>
</row>
</form>
first run the search command in the search bar and replace $ip$ with 'IP Address'="*" - do you get anything?
Yes, I added a dashboard panel of the query I made previously which displays a table of IP Address | JSession Count | Browser | Web Request. I have about 40 pages of results. Now when I enter the IP Address (which is in row 1) in the text box and hit the submit button, nothing happens. It appears like the search button doesn't have anything to search.
** When I enter in an IP Address from the table, I see it's getting passed in the URL. So it's being read, but none of the results in the table are getting filtered (nothing changes in the table)
I figured it out! I was using the alias "IP Address" instead of the extracted field RTG_IPmain. The quotes also messed it up as it was calling it like this "RTG_IPmain=12.23.234.545" instead of this RTG_IPmain=12.23.234.545
Here's my source code if anyone else needs it in the future
<form>
<label>Click Fraud</label>
<fieldset autoRun="true" submitButton="true">
<input type="text" token="ip">
<label>Enter IP Address Here</label>
<default>204.44.87.88</default>
<prefix>RTG_IPmain=</prefix>
<suffix></suffix>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=access OR index=main | search $ip$ | transaction RTG_JSession | table RTG_IPmain RTG_WebRequest RTG_Browser | stats count values(RTG_Browser) values(RTG_WebRequest) BY RTG_IPmain | sort -count | rename RTG_IPmain AS "IP Address" | rename count AS "JSession Count" | rename "values(RTG_Browser)" AS "Browser" | rename "values(RTG_WebRequest)" AS "Web Request" </query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>
</row>
</form>
You need to specify a token for your time field and then under your search replace -15m and now with $your_token.earliest$ and $your_token.latest$.
I changed the source code up a bit and included the token in my input tag and referenced it in my search. No results are coming back, but if I hard code the IP in the search then it will successfully filter the results in my table. What would you recommend I do so I can successfully enter an IP in the search box and have it filter the values in the table?
<form>
<label>Click Fraud</label>
<fieldset autoRun="true" submitButton="true">
<input type="text" token="ip">
<label>IP</label>
<default>133.20.33.20</default>
<prefix>'IP Address'="</prefix>
<suffix>"</suffix>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=access OR index=main | transaction RTG_JSession | where RTG_IPmain="$ip$" | table RTG_IPmain RTG_WebRequest RTG_Browser | stats count values(RTG_Browser) values(RTG_WebRequest) BY RTG_IPmain | sort -count | rename RTG_IPmain AS "IP Address" | rename count AS "JSession Count" | rename "values(RTG_Browser)" AS "Browser" | rename "values(RTG_WebRequest)" AS "Web Request"</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>
</row>
</form>