Splunk Search

How to avoid "search is waiting for input...", even if a user does not include a value in a text input field?

shrirangphadke
Path Finder

Hi,

Sorry if my question is repeated or too naive.

I have a text input field accepting "Module name".
It works perfectly when a value is given to that field.
But if that field is kept blank, I get a message on the graph saying "Search is waiting for input..."

I would like to achieve the following:
1. If the user enters a value, it should be used for the search.
2. If the user does not include any value, I don't want to include that in the search, and the search should go ahead and run without that value.

1 Solution

MuS
SplunkTrust

Hi shrirangphadke,

Take this run-everywhere dashboard as an example:

<form>
  <label>run search based on button</label>
  <fieldset submitButton="false">
    <input type="text" token="field1">
      <default>*</default>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Search being run: index=_internal $$field1$$</title>
      <event>
        <search>
          <query>index=_internal $field1$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <fields>["host","source","sourcetype"]</fields>
      </event>
    </panel>
  </row>
</form>

The trick is to use a default option, which here is a *, so it will search by default for sourcetype="*" or whatever is entered by the user.

Hope this helps ...

cheers, MuS


bcatwork
Path Finder

I encountered this issue today. Far too late to help you, but perhaps someone else will stumble upon this topic.

The answer is to explicitly state an empty default in the source code. You do not seem to be able to apply an empty default from the edit UI.

My use case was with an empty text input. Without an empty default, the reliant searches will hold on 'waiting for input'.

    <input type="text" token="string" searchWhenChanged="false">
      <label>Exclude String:</label>
      <!-- explicit empty default so the token is defined when the box is blank -->
      <default></default>
    </input>

Adding the empty default did the trick. Whenever I make changes to this input via the UI, the default is overwritten however. FYI.

jboselly
Engager

Great trick!

Just wanted to note that it appears if you use "Token Value Prefix" and/or "Token Value Suffix" this will not work; it makes it so the input value can never be NULL.

So if you had a query like:
index=syslog $input$

With:
Token Value Prefix = A
Token Value Suffix = B

You'd end up with:
index=syslog AB

"Token Prefix", "Token Suffix" and "Delimiter" work fine.

0 Karma

gerrytan
New Member

The problem with this approach is that by specifying fieldname="*", the field with fieldname has to exist; it will exclude any log entry that does not contain fieldname.

0 Karma

itishree
Explorer

I have tried, but I am still facing the same issue.

0 Karma

itishree
Explorer

Still facing the same issue.

0 Karma

shrirangphadke
Path Finder

Hi @Mus,

Thank you for the answer!
Yes, right. I have already implemented it using the default value * (asterisk).
But that includes * (asterisk) in the text input field, which I was trying to avoid. Thus I wanted to go ahead with the search, excluding that field input, if the user does not enter any value.
Anyway, thanks for the answer.

0 Karma
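
Added example (not from any post in this thread, and not Splunk's own code): one way to combine the points above, with an explicit empty default so the token is always defined, and the filter clause built in a `<change>` handler instead of with Token Value Prefix/Suffix, so a blank box neither leaves a stray `AB`-style fragment nor forces `field="*"`. The token names `module_raw` and `module_filter` and the field name `module` are hypothetical. It assumes the `<change>` handler also runs for the empty default on page load and that an empty-string result leaves `module_filter` defined, which should be checked on your Splunk version.

```xml
<form>
  <label>Optional module filter (added example)</label>
  <fieldset submitButton="false">
    <!-- "module_raw" and "module_filter" are hypothetical token names -->
    <input type="text" token="module_raw" searchWhenChanged="true">
      <label>Module name</label>
      <!-- Empty default: the token is defined even when the box is blank -->
      <default></default>
      <change>
        <!-- Build the clause only for non-blank input. No Token Value
             Prefix/Suffix is used, so a blank box adds nothing to the search.
             "module" is a hypothetical field name. The typed text goes into
             the search string as entered. -->
        <eval token="module_filter">if(isnull($value$) OR trim($value$)=="", "", "module=\"" . $value$ . "\"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <!-- Blank input: index=_internal
               Input foo:   index=_internal module="foo" -->
          <query>index=_internal $module_filter$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
      </event>
    </panel>
  </row>
</form>
```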