Splunk Search

How to create a search box that when text is entered it appends what is searched into each panel on the dashboard?

Path Finder

So I am trying to create a searchbox that when text is entered it appends what is searched into each panel on the dashboard.

For example I want to be able to type in a username and have every panel change it's results to uniquely show for the username that was entered.

Please help, thank you.

0 Karma
1 Solution

Ultra Champion

Add a text input, set the token name for instance to user and set the default and initial values to *.

In each of your dashboard search queries, add something like: | search user=$user$. Of course highly dependent on the exact fieldname that holds the username in your case, but the concept is the same.

There is one small caveat with doing this: it will prevent results without a user value from ever showing up. If you want to show also results without a username when no search is entered, then it gets a bit more complicated.

View solution in original post

SplunkTrust
SplunkTrust

Hi @bryceweb22,

You can find an example here in the documentation on how to configure a text input :
https://docs.splunk.com/Documentation/Splunk/latest/Viz/FormEditor#Text_input

An example of input and how to use it here :
https://docs.splunk.com/Documentation/Splunk/7.3.0/Viz/Buildandeditforms#Basic_form_example

Here's a tested simple example that takes a value from the text field and shows it in a table, you can copy paste this and use it:

   <form>
      <label>My New Dashboard</label>
      <fieldset submitButton="false">
        <input type="text" token="Text_Token">
          <label>Text search</label>
          <default>*</default>
          <initialValue>*</initialValue>
        </input>
        <input type="time" token="field2">
          <label></label>
          <default>
            <earliest>-24h@h</earliest>
            <latest>now</latest>
          </default>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <title>Testing token</title>
            <search>
              <query>| makeresults | eval A="$Text_Token$"</query>
              <earliest>$field2.earliest$</earliest>
              <latest>$field2.latest$</latest>
            </search>
            <option name="drilldown">none</option>
            <option name="refresh.display">progressbar</option>
          </table>
        </panel>
      </row>
    </form>

Let me know if that helps. In the example above the time applied is always from the time picker, so you can modify that from there if needed.

Cheers,
David

0 Karma

Ultra Champion

Add a text input, set the token name for instance to user and set the default and initial values to *.

In each of your dashboard search queries, add something like: | search user=$user$. Of course highly dependent on the exact fieldname that holds the username in your case, but the concept is the same.

There is one small caveat with doing this: it will prevent results without a user value from ever showing up. If you want to show also results without a username when no search is entered, then it gets a bit more complicated.

View solution in original post

Path Finder

I have done all this and I just get no results found.

0 Karma

Ultra Champion

Then please share your dashboard xml (or at least the relevant parts of it).

0 Karma

Path Finder
<input type="time" token="TimeRangePkr" searchWhenChanged="true">
  <label>Time Range</label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
</input>
<input type="text" token="user" searchWhenChanged="true">
  <label>Enter ID</label>

index=* sourcetype=* host=*
| rex ".*\s(?P<TimeTaken>\d+)$$$$"
| stats count by Time
Taken
| sort 20 -Time_Taken
| search user=$user$

0 Karma

Ultra Champion

After | stats count by Time_Taken you don't have a field called user. So in your case, add the user="$user$" to the first line of your search, rather than in a separate search command at the bottom.

0 Karma

Path Finder

gotcha, well it still isn't working I think because when the username is being passed into $user$ it has user= before it and I just need the username to show up not the user= before it.

0 Karma

Path Finder

Got it to work, really appreciate the help and the reasonable response times!

0 Karma

Path Finder

Also how far back does this search?

0 Karma