Splunk Search

How to create a search box that when text is entered it appends what is searched into each panel on the dashboard?

bryceweb22
Path Finder

So I am trying to create a searchbox that when text is entered it appends what is searched into each panel on the dashboard.

For example, I want to be able to type in a username and have every panel change its results to uniquely show for the username that was entered.

Please help, thank you.

0 Karma

DavidHourani
Super Champion

Hi @bryceweb22,

You can find an example here in the documentation on how to configure a text input:
https://docs.splunk.com/Documentation/Splunk/latest/Viz/FormEditor#Text_input

An example of an input and how to use it is here:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Viz/Buildandeditforms#Basic_form_example

Here's a tested simple example that takes a value from the text field and shows it in a table, you can copy paste this and use it:

    <form>
      <label>My New Dashboard</label>
      <fieldset submitButton="false">
        <input type="text" token="Text_Token">
          <label>Text search</label>
          <default>*</default>
          <initialValue>*</initialValue>
        </input>
        <input type="time" token="field2">
          <label></label>
          <default>
            <earliest>-24h@h</earliest>
            <latest>now</latest>
          </default>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <title>Testing token</title>
            <search>
              <query>| makeresults | eval A="$Text_Token$"</query>
              <earliest>$field2.earliest$</earliest>
              <latest>$field2.latest$</latest>
            </search>
            <option name="drilldown">none</option>
            <option name="refresh.display">progressbar</option>
          </table>
        </panel>
      </row>
    </form>

Let me know if that helps. In the example above the time applied is always from the time picker, so you can modify that from there if needed.

Cheers,
David

0 Karma

FrankVl
Ultra Champion

Add a text input, set the token name for instance to user and set the default and initial values to *.

In each of your dashboard search queries, add something like: | search user=$user$. Of course highly dependent on the exact fieldname that holds the username in your case, but the concept is the same.

There is one small caveat with doing this: it will prevent results without a user value from ever showing up. If you want to show also results without a username when no search is entered, then it gets a bit more complicated.

bryceweb22
Path Finder

I have done all this and I just get no results found.

0 Karma

FrankVl
Ultra Champion

Then please share your dashboard xml (or at least the relevant parts of it).

0 Karma

bryceweb22
Path Finder

    <input type="time" token="TimeRangePkr" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="user" searchWhenChanged="true">
      <label>Enter ID</label>

    index=* sourcetype=* host=*
    | rex ".*\s(?P<Time_Taken>\d+)$$$$"
    | stats count by Time_Taken
    | sort 20 -Time_Taken
    | search user=$user$

0 Karma

FrankVl
Ultra Champion

After | stats count by Time_Taken you don't have a field called user. So in your case, add the user="$user$" to the first line of your search, rather than in a separate search command at the bottom.

0 Karma

bryceweb22
Path Finder

Gotcha, well it still isn't working, I think because when the username is being passed into $user$ it has user= before it and I just need the username to show up, not the user= before it.

0 Karma

bryceweb22
Path Finder

Got it to work, really appreciate the help and the reasonable response times!

0 Karma

bryceweb22
Path Finder

Also how far back does this search?

0 Karma
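
An added example, not part of any post in this thread: a complete form that applies the fix from FrankVl's reply, filtering on user in the first line of every panel's search (before stats removes the field) and tying each panel to the time picker, which is what sets how far back the searches look. The index, sourcetype and panel titles are assumptions; $user|s$ (the Simple XML quote token filter) is used instead of hand-written quotes so that whatever is typed stays a single quoted search term.

```xml
<form>
  <label>Per-user dashboard (added example)</label>
  <fieldset submitButton="false">
    <input type="time" token="TimeRangePkr" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="user" searchWhenChanged="true">
      <label>Enter ID</label>
      <!-- "*" matches every event that has a user field -->
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Slowest requests</title>
        <search>
          <!-- Filter on user BEFORE stats: after stats only Time_Taken
               and count remain. $user|s$ wraps the typed value in quotes.
               Inside a dashboard query, $$ is a literal "$". -->
          <query><![CDATA[index=main sourcetype=access_combined user=$user|s$
| rex ".*\s(?P<Time_Taken>\d+)$$"
| stats count by Time_Taken
| sort 20 -Time_Taken]]></query>
          <earliest>$TimeRangePkr.earliest$</earliest>
          <latest>$TimeRangePkr.latest$</latest>
        </search>
      </table>
    </panel>
    <panel>
      <chart>
        <title>Events over time</title>
        <search>
          <!-- Same token, same position: first line of the search -->
          <query>index=main sourcetype=access_combined user=$user|s$ | timechart count</query>
          <earliest>$TimeRangePkr.earliest$</earliest>
          <latest>$TimeRangePkr.latest$</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

With the defaults above, each panel searches the last 24 hours until the time picker is changed.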