Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to specify a literal asterisk as a conditi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to create a dashboard that displays one dash panel if the user enters "*" into a text input, and display another dash panel if the user enters anything other than an asterisk. Is this possible?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ehowardl3, try the following run anywhere dashboard which displays first panel when Text Box value is asterisk i.e. (*) and second panel otherwise using depends and rejects attributes respectively.
While these two attributes show or hide a dashboard element like input, row, panel, visualization etc, underlying search for both panels will still run based on change in dropdown value.
If you need to run only one query at a time you would need to have two depends tokens set (one for each text box selection condition). Then use the token in Splunk search for specific panel so that the search does not run when the token is not set. You would need to provide your current search for both panels in case you want me to assist in this situation.
<form>
<label>Show Hide Panel based on Text Input</label>
<fieldset submitButton="false">
<input type="text" token="tokText" searchWhenChanged="true">
<label></label>
<default>*</default>
<change>
<condition match="value="*"">
<set token="showPanel1">true</set>
</condition>
<condition>
<unset token="showPanel1"></unset>
</condition>
</change>
</input>
</fieldset>
<row>
<panel depends="$showPanel1$">
<table>
<title>Panel 1</title>
<search>
<query>| makeresults
| fields - _time
| eval SelectedValue="$tokText$"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
<panel rejects="$showPanel1$">
<table>
<title>Panel 2</title>
<search>
<query>| makeresults
| fields - _time
| eval SelectedValue="$tokText$"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>
Please try out and confirm!
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ehowardl3, try the following run anywhere dashboard which displays first panel when Text Box value is asterisk i.e. (*) and second panel otherwise using depends and rejects attributes respectively.
While these two attributes show or hide a dashboard element like input, row, panel, visualization etc, underlying search for both panels will still run based on change in dropdown value.
If you need to run only one query at a time you would need to have two depends tokens set (one for each text box selection condition). Then use the token in Splunk search for specific panel so that the search does not run when the token is not set. You would need to provide your current search for both panels in case you want me to assist in this situation.
<form>
<label>Show Hide Panel based on Text Input</label>
<fieldset submitButton="false">
<input type="text" token="tokText" searchWhenChanged="true">
<label></label>
<default>*</default>
<change>
<condition match="value="*"">
<set token="showPanel1">true</set>
</condition>
<condition>
<unset token="showPanel1"></unset>
</condition>
</change>
</input>
</fieldset>
<row>
<panel depends="$showPanel1$">
<table>
<title>Panel 1</title>
<search>
<query>| makeresults
| fields - _time
| eval SelectedValue="$tokText$"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
<panel rejects="$showPanel1$">
<table>
<title>Panel 2</title>
<search>
<query>| makeresults
| fields - _time
| eval SelectedValue="$tokText$"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>
Please try out and confirm!
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! The line I was looking for was:
<condition match="value="*"">
This allows me to match on a literal asterisk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
certainly possible - refer here for setting and unsetting tokens in dashboard
http://docs.splunk.com/Documentation/Splunk/7.0.2/Viz/tokens
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, the issue is specifying a literal asterisk as a conditional value, there doesn't seem to be a way to "escape" the wildcard.
Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud
Wrapping Up Cybersecurity Awareness Month
🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2
