- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to replace the value of a field by a toke...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone,
I have a field call status, and I have a drop-down with values: open, new, in progress.......
What i need is:
1) When the user chooses a value from the drop-down, the status on the dashboard changes to that value
2) Is it possible to keep track of the changing of the status? How?
This is what I've tried:
<form>
<label>CHANGE STATUS</label>
<fieldset submitButton="false">
<input type="dropdown" token="status_token" searchWhenChanged="true">
<label>Change status</label>
<choice value="new">new</choice>
<default>new</default>
<choice value="Open">Open</choice>
<choice value="Closed">Closed</choice>
<choice value="progress">in progress</choice>
</input>
</fieldset>
<row>
<panel>
<title> </title>
<table>
<title>status is $status_token$</title>
<search>
<query>index=_* |eval status="change this status"|eval status=if($status_token$!="change this status",$status_token$ ,"change this status")| table host source status</query>
<earliest>0</earliest>
<latest></latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure if i understand your question, if you want the search to include user selection, since you have status as a token
How about adding status="$status_token$" to your search?
Example let's say user selected status = in progress from the drop-down.
index=_* status="$status_token$"|...... would read
index=_* status="in progress"|....
Hope this helps.
Thanks,
Raghav
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure if i understand your question, if you want the search to include user selection, since you have status as a token
How about adding status="$status_token$" to your search?
Example let's say user selected status = in progress from the drop-down.
index=_* status="$status_token$"|...... would read
index=_* status="in progress"|....
Hope this helps.
Thanks,
Raghav
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
THanks Raghav2384
very much I try the quote on the token an it is working: status="$status_token$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please feel free to accept it as an answer 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I"m not seeing the link to accept but I voted.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
there you go 🙂
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
