Splunk Search
Highlighted

Running Specific Query Based on Radio Button Selection?

New Member

Hello,

I'm attempting to use a Splunk view to edit a Lookup table based on an input field and a radio button selection.

The requirement is that a user enters an IP address, selects Add or Remove radio button, then presses Submit and it performs the requested action.

The thing is, we have the query to add an IP and to remove an IP, but when attempting to merge this with the input field and radio buttons in a view, it simply doesn't work.

This is what we have so far:

To Add:

| inputlookup test.csv | append [ | stats count | eval TEST="$vaIP$" (this is the token of the input Text box ] | stats count by TEST | fields - count | outputlookup test.csv

To Remove

|inputlookup test.csv | search TEST!="$vaIP$" | stats count by TEST | fields - count | outputlookup test.csv

These work fine as individual queries, and the solution I was looking to implement was an Eval - but to be honest I had no idea how to do it correctly with radio buttons.

If the token for the radio button is $actionIP$ and the value for the button Add is "addIP" and the value for the button Remove is "remIP", I thought an eval query like this work:

| eval testIP = if($actionIP$=="addIP", [search | inputlookup test.csv | append [ | stats count | eval TEST="$vaIP$" | stats count by TEST | fields - count | outputlookup test.csv], [search  |inputlookup test.csv | search TEST!="$vaIP$" | stats count by TEST | fields - count | outputlookup test.csv] )

But it doesn't. So I am wondering if this is even possible, and if so, how?

It's a bit confusing, but I hope I explained it well!

Thanks

0 Karma
Highlighted

Re: Running Specific Query Based on Radio Button Selection?

Motivator

@meechy85

    <input type="radio" token="ip_tok">
      <label>Select OS type</label>
      <choice value="addIP">ADD</choice> ### Query for getting iP
      <choice value="remIP">REMOVE</choice>
      <change>
        <change>
        <condition value="ADD">
          <set token="panelA"><set>
          <unset token="panelB"></unset>
        </condition>
        <condition value="REMOVE">
          <set token="panelB"><set>
          <unset token="panelA"></unset>        
        </condition>
      </change>
    </input>
    <row depends="$panelA$">
    <panel>
      <event>
        <search>
          <query>| inputlookup test.csv | append [ | stats count | eval TEST="$vaIP$" (this is the token of the input Text box ] | stats count by TEST | fields - count | outputlookup test.csv </query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
      </event>
    </panel>
  </row>
  <row depends="$panelB$">
    <panel>
      <event>
        <search>
          <query>|inputlookup test.csv | search TEST!="$vaIP$" | stats count by TEST | fields - count | outputlookup test.csv </query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
      </event>
    </panel>
  </row>
0 Karma
Highlighted

Re: Running Specific Query Based on Radio Button Selection?

New Member

Hello @sbbadri,

When I copied it over to the XML editor it gave me the following error:

Error parsing XML on line 38: Premature end of data in tag input line 1

0 Karma
Highlighted

Re: Running Specific Query Based on Radio Button Selection?

Motivator
<form>
  <label>testRadio</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
    </input>
    <input type="radio" token="field2">
      <label>field2</label>
      <choice value="addIP">ADD</choice>
      <choice value="remIP">REMOVE</choice>
      <change>
        <condition value="addIP">
          <set token="panelA"></set>
          <unset token="panelB"></unset>
        </condition>
        <condition value="remIP">
          <set token="panelB"></set>
          <unset token="panelA"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
       <row depends="$panelA$">
     <panel>
       <event>
         <search>
           <query>| inputlookup test.csv | append [ | stats count | eval TEST="$vaIP$" (this is the token of the input Text box ] | stats count by TEST | fields - count | outputlookup test.csv </query>
           <earliest>$time_tok.earliest$</earliest>
           <latest>$time_tok.latest$</latest>
         </search>
       </event>
     </panel>
   </row>
   <row depends="$panelB$">
     <panel>
       <event>
         <search>
           <query>|inputlookup test.csv | search TEST!="$vaIP$" | stats count by TEST | fields - count | outputlookup test.csv </query>
           <earliest>$time_tok.earliest$</earliest>
           <latest>$time_tok.latest$</latest>
         </search>
       </event>
     </panel>
   </row>
</form>
0 Karma