Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to reference an item name selected via populatingSearch

jturnervbs
Engager
‎11-03-2015 04:46 AM

I am trying to put the name(s) of a selected item(s) into the 'first' and 'last' parameters of a streamstats evaluation, with no success. Hoping someone can help.

The form query below gathers a list of distinct Adobe products installed and creates a checkbox selection list. My goal is to produce a report showing recent changes of Adobe software versions on computers. As checkboxes go, I'd like to be able to select more than one software product.

I've searched high and low for that magic keyword but have yet to find it.

fyi...The software index data is comprised of domain computer information, including what software is installed.

<form>
  <label>Adobe Software Changes</label>
  <description>Software Changes</description>
  <fieldset autorun="false" submitButton="true">
    <input type="time" searchWhenChanged="true"></input>
    <input type="checkbox" token="AdobeType">
      <label></label>
      <populatingSearch fieldForValue="column" fieldForLabel="column">index="software" sourcetype="software" | stats dc(Adobe*) as Adobe* | transpose</populatingSearch>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix></valuePrefix>
      <valueSuffix>!="*no*"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <searchTemplate>index=software sourcetype=software $AdobeType$|streamstats global=f current=t window=2
          last($click.value2$) as Lastc
          first($click.value2$) as Firstc by ComputerName
          |Fields - _raw index _time sourcetype|Fields keepcolorder=t ComputerName UserName Users timestamp</searchTemplate>
        <title>Adobe Products and Versions</title>
        <option name="showPager">true</option>
        <option name="rowNumbers">true</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jturnervbs
Engager
‎11-03-2015 11:15 AM

I banged out a solution, albeit I had to settle for radio buttons vs checkboxes:

<form>
  <label>Adobe Software Changes</label>
  <description>Software Changes</description>
  <fieldset autorun="true" submitButton="true">
    <input type="time"></input>
    <input type="radio" token="AdobeType" searchWhenChanged="true">
      <label></label>
      <populatingSearch fieldForValue="column" fieldForLabel="column">index="software" sourcetype="software" | stats dc(Adobe*) as Adobe* | transpose</populatingSearch>
      <default>AdobeReaderVersion</default>
      <change>
          <!-- use predefined input tokens to set -->
          <!-- tokens for the selected label and value -->
          <set token="swlabel">$label$</set>
          <set token="swvalue">$label$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <searchTemplate>index=software sourcetype=software $swlabel$|streamstats global=f current=t window=2
          last($swlabel$) as Previous
          first($swlabel$) as Current
          by ComputerName
          |where Current != Previous
          |Fields - $swlabel$ _raw index _time sourcetype
          |Fields keepcolorder=t ComputerName UserName Users Current Previous timestamp
          |Sort ComputerName,-timestamp</searchTemplate>
        <title>Adobe Products and Versions</title>
        <option name="showPager">true</option>
        <option name="rowNumbers">true</option>
      </table>
    </panel>
  </row>
</form>

PS Thanks to whomever reformatted my original substituted character code into xml

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jturnervbs
Engager
‎11-03-2015 11:15 AM

I banged out a solution, albeit I had to settle for radio buttons vs checkboxes:

<form>
  <label>Adobe Software Changes</label>
  <description>Software Changes</description>
  <fieldset autorun="true" submitButton="true">
    <input type="time"></input>
    <input type="radio" token="AdobeType" searchWhenChanged="true">
      <label></label>
      <populatingSearch fieldForValue="column" fieldForLabel="column">index="software" sourcetype="software" | stats dc(Adobe*) as Adobe* | transpose</populatingSearch>
      <default>AdobeReaderVersion</default>
      <change>
          <!-- use predefined input tokens to set -->
          <!-- tokens for the selected label and value -->
          <set token="swlabel">$label$</set>
          <set token="swvalue">$label$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <searchTemplate>index=software sourcetype=software $swlabel$|streamstats global=f current=t window=2
          last($swlabel$) as Previous
          first($swlabel$) as Current
          by ComputerName
          |where Current != Previous
          |Fields - $swlabel$ _raw index _time sourcetype
          |Fields keepcolorder=t ComputerName UserName Users Current Previous timestamp
          |Sort ComputerName,-timestamp</searchTemplate>
        <title>Adobe Products and Versions</title>
        <option name="showPager">true</option>
        <option name="rowNumbers">true</option>
      </table>
    </panel>
  </row>
</form>

PS Thanks to whomever reformatted my original substituted character code into xml

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-03-2015 06:36 AM

Try escaping the search parser by using another dollar sign, like this:

           last($$click.value2$$) as Lastc
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...