Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Running Specific Query Based on Radio Button Selection?

meechy85
New Member
‎12-11-2017 05:32 AM

Hello,

I'm attempting to use a Splunk view to edit a Lookup table based on an input field and a radio button selection.

The requirement is that a user enters an IP address, selects Add or Remove radio button, then presses Submit and it performs the requested action.

The thing is, we have the query to add an IP and to remove an IP, but when attempting to merge this with the input field and radio buttons in a view, it simply doesn't work.

This is what we have so far:

To Add:

| inputlookup test.csv | append [ | stats count | eval TEST="$vaIP$" (this is the token of the input Text box ] | stats count by TEST | fields - count | outputlookup test.csv

To Remove

|inputlookup test.csv | search TEST!="$vaIP$" | stats count by TEST | fields - count | outputlookup test.csv

These work fine as individual queries, and the solution I was looking to implement was an Eval - but to be honest I had no idea how to do it correctly with radio buttons.

If the token for the radio button is $actionIP$ and the value for the button Add is "addIP" and the value for the button Remove is "remIP", I thought an eval query like this work:

| eval testIP = if($actionIP$=="addIP", [search | inputlookup test.csv | append [ | stats count | eval TEST="$vaIP$" | stats count by TEST | fields - count | outputlookup test.csv], [search  |inputlookup test.csv | search TEST!="$vaIP$" | stats count by TEST | fields - count | outputlookup test.csv] )

But it doesn't. So I am wondering if this is even possible, and if so, how?

It's a bit confusing, but I hope I explained it well!

Thanks

0 Karma
Reply

sbbadri
Motivator
‎12-11-2017 07:02 AM

@meechy85

    <input type="radio" token="ip_tok">
      <label>Select OS type</label>
      <choice value="addIP">ADD</choice> ### Query for getting iP
      <choice value="remIP">REMOVE</choice>
      <change>
        <change>
        <condition value="ADD">
          <set token="panelA"><set>
          <unset token="panelB"></unset>
        </condition>
        <condition value="REMOVE">
          <set token="panelB"><set>
          <unset token="panelA"></unset>        
        </condition>
      </change>
    </input>
    <row depends="$panelA$">
    <panel>
      <event>
        <search>
          <query>| inputlookup test.csv | append [ | stats count | eval TEST="$vaIP$" (this is the token of the input Text box ] | stats count by TEST | fields - count | outputlookup test.csv </query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
      </event>
    </panel>
  </row>
  <row depends="$panelB$">
    <panel>
      <event>
        <search>
          <query>|inputlookup test.csv | search TEST!="$vaIP$" | stats count by TEST | fields - count | outputlookup test.csv </query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
      </event>
    </panel>
  </row>
0 Karma
Reply

meechy85
New Member
‎12-11-2017 09:24 AM

Hello @sbbadri,

When I copied it over to the XML editor it gave me the following error:

Error parsing XML on line 38: Premature end of data in tag input line 1

0 Karma
Reply

sbbadri
Motivator
‎12-12-2017 06:43 AM 
<form>
  <label>testRadio</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
    </input>
    <input type="radio" token="field2">
      <label>field2</label>
      <choice value="addIP">ADD</choice>
      <choice value="remIP">REMOVE</choice>
      <change>
        <condition value="addIP">
          <set token="panelA"></set>
          <unset token="panelB"></unset>
        </condition>
        <condition value="remIP">
          <set token="panelB"></set>
          <unset token="panelA"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
       <row depends="$panelA$">
     <panel>
       <event>
         <search>
           <query>| inputlookup test.csv | append [ | stats count | eval TEST="$vaIP$" (this is the token of the input Text box ] | stats count by TEST | fields - count | outputlookup test.csv </query>
           <earliest>$time_tok.earliest$</earliest>
           <latest>$time_tok.latest$</latest>
         </search>
       </event>
     </panel>
   </row>
   <row depends="$panelB$">
     <panel>
       <event>
         <search>
           <query>|inputlookup test.csv | search TEST!="$vaIP$" | stats count by TEST | fields - count | outputlookup test.csv </query>
           <earliest>$time_tok.earliest$</earliest>
           <latest>$time_tok.latest$</latest>
         </search>
       </event>
     </panel>
   </row>
</form>
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...