Splunk Search

How to specify a literal asterisk as a conditional value in dashboard

ehowardl3
Path Finder

I'm trying to create a dashboard that displays one dash panel if the user enters "*" into a text input, and display another dash panel if the user enters anything other than an asterisk. Is this possible?

Thanks

Tags (1)
1 Solution

niketn
Legend

@ehowardl3, try the following run anywhere dashboard which displays first panel when Text Box value is asterisk i.e. (*) and second panel otherwise using depends and rejects attributes respectively.
While these two attributes show or hide a dashboard element like input, row, panel, visualization etc, underlying search for both panels will still run based on change in dropdown value.

If you need to run only one query at a time you would need to have two depends tokens set (one for each text box selection condition). Then use the token in Splunk search for specific panel so that the search does not run when the token is not set. You would need to provide your current search for both panels in case you want me to assist in this situation.

<form>
  <label>Show Hide Panel based on Text Input</label>
  <fieldset submitButton="false">
    <input type="text" token="tokText" searchWhenChanged="true">
      <label></label>
      <default>*</default>
      <change>
        <condition match="value=&quot;*&quot;">
          <set token="showPanel1">true</set>
        </condition>
        <condition>
          <unset token="showPanel1"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$showPanel1$">
      <table>
        <title>Panel 1</title>
        <search>
          <query>| makeresults
          | fields - _time
          | eval SelectedValue="$tokText$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel rejects="$showPanel1$">
      <table>
        <title>Panel 2</title>
        <search>
          <query>| makeresults
          | fields - _time
          | eval SelectedValue="$tokText$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

@ehowardl3, try the following run anywhere dashboard which displays first panel when Text Box value is asterisk i.e. (*) and second panel otherwise using depends and rejects attributes respectively.
While these two attributes show or hide a dashboard element like input, row, panel, visualization etc, underlying search for both panels will still run based on change in dropdown value.

If you need to run only one query at a time you would need to have two depends tokens set (one for each text box selection condition). Then use the token in Splunk search for specific panel so that the search does not run when the token is not set. You would need to provide your current search for both panels in case you want me to assist in this situation.

<form>
  <label>Show Hide Panel based on Text Input</label>
  <fieldset submitButton="false">
    <input type="text" token="tokText" searchWhenChanged="true">
      <label></label>
      <default>*</default>
      <change>
        <condition match="value=&quot;*&quot;">
          <set token="showPanel1">true</set>
        </condition>
        <condition>
          <unset token="showPanel1"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$showPanel1$">
      <table>
        <title>Panel 1</title>
        <search>
          <query>| makeresults
          | fields - _time
          | eval SelectedValue="$tokText$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel rejects="$showPanel1$">
      <table>
        <title>Panel 2</title>
        <search>
          <query>| makeresults
          | fields - _time
          | eval SelectedValue="$tokText$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ehowardl3
Path Finder

Thanks! The line I was looking for was:

<condition match="value=&quot;*&quot;">

This allows me to match on a literal asterisk.

Sukisen1981
Champion

certainly possible - refer here for setting and unsetting tokens in dashboard
http://docs.splunk.com/Documentation/Splunk/7.0.2/Viz/tokens

0 Karma

ehowardl3
Path Finder

Thanks, the issue is specifying a literal asterisk as a conditional value, there doesn't seem to be a way to "escape" the wildcard.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...