Solved: How to specify a literal asterisk as a conditional...

ehowardl3 · ‎03-08-2018

I'm trying to create a dashboard that displays one dash panel if the user enters "*" into a text input, and display another dash panel if the user enters anything other than an asterisk. Is this possible?

Thanks

niketn · ‎03-10-2018

@ehowardl3, try the following run anywhere dashboard which displays first panel when Text Box value is asterisk i.e. (*) and second panel otherwise using depends and rejects attributes respectively.
While these two attributes show or hide a dashboard element like input, row, panel, visualization etc, underlying search for both panels will still run based on change in dropdown value.

If you need to run only one query at a time you would need to have two depends tokens set (one for each text box selection condition). Then use the token in Splunk search for specific panel so that the search does not run when the token is not set. You would need to provide your current search for both panels in case you want me to assist in this situation.

<form>
  <label>Show Hide Panel based on Text Input</label>
  <fieldset submitButton="false">
    <input type="text" token="tokText" searchWhenChanged="true">
      <label></label>
      <default>*</default>
      <change>
        <condition match="value=&quot;*&quot;">
          <set token="showPanel1">true</set>
        </condition>
        <condition>
          <unset token="showPanel1"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$showPanel1$">
      <table>
        <title>Panel 1</title>
        <search>
          <query>| makeresults
          | fields - _time
          | eval SelectedValue="$tokText$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel rejects="$showPanel1$">
      <table>
        <title>Panel 2</title>
        <search>
          <query>| makeresults
          | fields - _time
          | eval SelectedValue="$tokText$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎03-10-2018

@ehowardl3, try the following run anywhere dashboard which displays first panel when Text Box value is asterisk i.e. (*) and second panel otherwise using depends and rejects attributes respectively.
While these two attributes show or hide a dashboard element like input, row, panel, visualization etc, underlying search for both panels will still run based on change in dropdown value.

If you need to run only one query at a time you would need to have two depends tokens set (one for each text box selection condition). Then use the token in Splunk search for specific panel so that the search does not run when the token is not set. You would need to provide your current search for both panels in case you want me to assist in this situation.

<form>
  <label>Show Hide Panel based on Text Input</label>
  <fieldset submitButton="false">
    <input type="text" token="tokText" searchWhenChanged="true">
      <label></label>
      <default>*</default>
      <change>
        <condition match="value=&quot;*&quot;">
          <set token="showPanel1">true</set>
        </condition>
        <condition>
          <unset token="showPanel1"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$showPanel1$">
      <table>
        <title>Panel 1</title>
        <search>
          <query>| makeresults
          | fields - _time
          | eval SelectedValue="$tokText$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel rejects="$showPanel1$">
      <table>
        <title>Panel 2</title>
        <search>
          <query>| makeresults
          | fields - _time
          | eval SelectedValue="$tokText$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ehowardl3 · ‎04-04-2018

Thanks! The line I was looking for was:

<condition match="value=&quot;*&quot;">

This allows me to match on a literal asterisk.

Sukisen1981 · ‎03-10-2018

certainly possible - refer here for setting and unsetting tokens in dashboard
http://docs.splunk.com/Documentation/Splunk/7.0.2/Viz/tokens

ehowardl3 · ‎03-10-2018

Thanks, the issue is specifying a literal asterisk as a conditional value, there doesn't seem to be a way to "escape" the wildcard.

How to specify a literal asterisk as a conditional value in dashboard

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023