- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a search box that when text is enter...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I am trying to create a searchbox that when text is entered it appends what is searched into each panel on the dashboard.
For example I want to be able to type in a username and have every panel change it's results to uniquely show for the username that was entered.
Please help, thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add a text input, set the token name for instance to user and set the default and initial values to *.
In each of your dashboard search queries, add something like: | search user=$user$. Of course highly dependent on the exact fieldname that holds the username in your case, but the concept is the same.
There is one small caveat with doing this: it will prevent results without a user value from ever showing up. If you want to show also results without a username when no search is entered, then it gets a bit more complicated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @bryceweb22,
You can find an example here in the documentation on how to configure a text input :
https://docs.splunk.com/Documentation/Splunk/latest/Viz/FormEditor#Text_input
An example of input and how to use it here :
https://docs.splunk.com/Documentation/Splunk/7.3.0/Viz/Buildandeditforms#Basic_form_example
Here's a tested simple example that takes a value from the text field and shows it in a table, you can copy paste this and use it:
<form>
<label>My New Dashboard</label>
<fieldset submitButton="false">
<input type="text" token="Text_Token">
<label>Text search</label>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="time" token="field2">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Testing token</title>
<search>
<query>| makeresults | eval A="$Text_Token$"</query>
<earliest>$field2.earliest$</earliest>
<latest>$field2.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
Let me know if that helps. In the example above the time applied is always from the time picker, so you can modify that from there if needed.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add a text input, set the token name for instance to user and set the default and initial values to *.
In each of your dashboard search queries, add something like: | search user=$user$. Of course highly dependent on the exact fieldname that holds the username in your case, but the concept is the same.
There is one small caveat with doing this: it will prevent results without a user value from ever showing up. If you want to show also results without a username when no search is entered, then it gets a bit more complicated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have done all this and I just get no results found.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then please share your dashboard xml (or at least the relevant parts of it).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
<input type="time" token="TimeRangePkr" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="user" searchWhenChanged="true">
<label>Enter ID</label>
index=* sourcetype=* host=*
| rex ".*\s(?P<Time_Taken>\d+)$$$$"
| stats count by Time_Taken
| sort 20 -Time_Taken
| search user=$user$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After | stats count by Time_Taken you don't have a field called user. So in your case, add the user="$user$" to the first line of your search, rather than in a separate search command at the bottom.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gotcha, well it still isn't working I think because when the username is being passed into $user$ it has user= before it and I just need the username to show up not the user= before it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got it to work, really appreciate the help and the reasonable response times!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also how far back does this search?
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
