Splunk Search

How to specify a literal asterisk as a conditional value in dashboard

ehowardl3
Path Finder

I'm trying to create a dashboard that displays one dash panel if the user enters "*" into a text input, and display another dash panel if the user enters anything other than an asterisk. Is this possible?

Thanks

Tags (1)
1 Solution

niketn
Legend

@ehowardl3, try the following run anywhere dashboard which displays first panel when Text Box value is asterisk i.e. (*) and second panel otherwise using depends and rejects attributes respectively.
While these two attributes show or hide a dashboard element like input, row, panel, visualization etc, underlying search for both panels will still run based on change in dropdown value.

If you need to run only one query at a time you would need to have two depends tokens set (one for each text box selection condition). Then use the token in Splunk search for specific panel so that the search does not run when the token is not set. You would need to provide your current search for both panels in case you want me to assist in this situation.

<form>
  <label>Show Hide Panel based on Text Input</label>
  <fieldset submitButton="false">
    <input type="text" token="tokText" searchWhenChanged="true">
      <label></label>
      <default>*</default>
      <change>
        <condition match="value=&quot;*&quot;">
          <set token="showPanel1">true</set>
        </condition>
        <condition>
          <unset token="showPanel1"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$showPanel1$">
      <table>
        <title>Panel 1</title>
        <search>
          <query>| makeresults
          | fields - _time
          | eval SelectedValue="$tokText$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel rejects="$showPanel1$">
      <table>
        <title>Panel 2</title>
        <search>
          <query>| makeresults
          | fields - _time
          | eval SelectedValue="$tokText$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

@ehowardl3, try the following run anywhere dashboard which displays first panel when Text Box value is asterisk i.e. (*) and second panel otherwise using depends and rejects attributes respectively.
While these two attributes show or hide a dashboard element like input, row, panel, visualization etc, underlying search for both panels will still run based on change in dropdown value.

If you need to run only one query at a time you would need to have two depends tokens set (one for each text box selection condition). Then use the token in Splunk search for specific panel so that the search does not run when the token is not set. You would need to provide your current search for both panels in case you want me to assist in this situation.

<form>
  <label>Show Hide Panel based on Text Input</label>
  <fieldset submitButton="false">
    <input type="text" token="tokText" searchWhenChanged="true">
      <label></label>
      <default>*</default>
      <change>
        <condition match="value=&quot;*&quot;">
          <set token="showPanel1">true</set>
        </condition>
        <condition>
          <unset token="showPanel1"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$showPanel1$">
      <table>
        <title>Panel 1</title>
        <search>
          <query>| makeresults
          | fields - _time
          | eval SelectedValue="$tokText$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel rejects="$showPanel1$">
      <table>
        <title>Panel 2</title>
        <search>
          <query>| makeresults
          | fields - _time
          | eval SelectedValue="$tokText$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ehowardl3
Path Finder

Thanks! The line I was looking for was:

<condition match="value=&quot;*&quot;">

This allows me to match on a literal asterisk.

Sukisen1981
Champion

certainly possible - refer here for setting and unsetting tokens in dashboard
http://docs.splunk.com/Documentation/Splunk/7.0.2/Viz/tokens

0 Karma

ehowardl3
Path Finder

Thanks, the issue is specifying a literal asterisk as a conditional value, there doesn't seem to be a way to "escape" the wildcard.

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...