Splunk Search

How to specify a literal asterisk as a conditional value in dashboard

ehowardl3
Path Finder

I'm trying to create a dashboard that displays one dash panel if the user enters "*" into a text input, and display another dash panel if the user enters anything other than an asterisk. Is this possible?

Thanks

Tags (1)
1 Solution

niketn
Legend

@ehowardl3, try the following run anywhere dashboard which displays first panel when Text Box value is asterisk i.e. (*) and second panel otherwise using depends and rejects attributes respectively.
While these two attributes show or hide a dashboard element like input, row, panel, visualization etc, underlying search for both panels will still run based on change in dropdown value.

If you need to run only one query at a time you would need to have two depends tokens set (one for each text box selection condition). Then use the token in Splunk search for specific panel so that the search does not run when the token is not set. You would need to provide your current search for both panels in case you want me to assist in this situation.

<form>
  <label>Show Hide Panel based on Text Input</label>
  <fieldset submitButton="false">
    <input type="text" token="tokText" searchWhenChanged="true">
      <label></label>
      <default>*</default>
      <change>
        <condition match="value=&quot;*&quot;">
          <set token="showPanel1">true</set>
        </condition>
        <condition>
          <unset token="showPanel1"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$showPanel1$">
      <table>
        <title>Panel 1</title>
        <search>
          <query>| makeresults
          | fields - _time
          | eval SelectedValue="$tokText$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel rejects="$showPanel1$">
      <table>
        <title>Panel 2</title>
        <search>
          <query>| makeresults
          | fields - _time
          | eval SelectedValue="$tokText$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

@ehowardl3, try the following run anywhere dashboard which displays first panel when Text Box value is asterisk i.e. (*) and second panel otherwise using depends and rejects attributes respectively.
While these two attributes show or hide a dashboard element like input, row, panel, visualization etc, underlying search for both panels will still run based on change in dropdown value.

If you need to run only one query at a time you would need to have two depends tokens set (one for each text box selection condition). Then use the token in Splunk search for specific panel so that the search does not run when the token is not set. You would need to provide your current search for both panels in case you want me to assist in this situation.

<form>
  <label>Show Hide Panel based on Text Input</label>
  <fieldset submitButton="false">
    <input type="text" token="tokText" searchWhenChanged="true">
      <label></label>
      <default>*</default>
      <change>
        <condition match="value=&quot;*&quot;">
          <set token="showPanel1">true</set>
        </condition>
        <condition>
          <unset token="showPanel1"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$showPanel1$">
      <table>
        <title>Panel 1</title>
        <search>
          <query>| makeresults
          | fields - _time
          | eval SelectedValue="$tokText$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel rejects="$showPanel1$">
      <table>
        <title>Panel 2</title>
        <search>
          <query>| makeresults
          | fields - _time
          | eval SelectedValue="$tokText$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ehowardl3
Path Finder

Thanks! The line I was looking for was:

<condition match="value=&quot;*&quot;">

This allows me to match on a literal asterisk.

Sukisen1981
Champion

certainly possible - refer here for setting and unsetting tokens in dashboard
http://docs.splunk.com/Documentation/Splunk/7.0.2/Viz/tokens

0 Karma

ehowardl3
Path Finder

Thanks, the issue is specifying a literal asterisk as a conditional value, there doesn't seem to be a way to "escape" the wildcard.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...