Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Splunk dashboard : Text input token is caching...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a dashboard with multiple inputs. These inputs are like filters on top of basic search. I want
1. if phone mdn and both devicemdn is provided then its a OR between them on top of the base search
base search | search phonemdn=<value> OR devicemdn=<value>
2. if only phone mdn is provided then should be
base search | search phonemdn=<value>
3. if only device mdn is provided then should be
base search | search devicemdn=<value>
Here is my dashboard xml:
<form>
<label>Dashboard</label>
<fieldset submitButton="true" autoRun="true">
<input type="text" token="phonemdn" searchWhenChanged="false">
<label>PHONE MDN</label>
<default></default>
<change>
<condition>
<eval token="phonemdn_exp">if(len(trim($value$)) == 0,"","| search phonemdn=".$value$)</eval>
</condition>
</change>
</input>
<input type="text" token="devicemdn">
<label>DEVICE MDN</label>
<default></default>
<change>
<condition>
<eval token="devicemdn_exp">if(len(trim($value$)) == 0, "" , if(len(trim($phonemdn$)) == 0, "| search devicemdn=".$value$, "OR devicemdn=".$value$))</eval>
</condition>
</change>
</input>
<input type="dropdown" token="logtype" searchWhenChanged="true">
<label>LOG TYPE</label>
<choice value="*">ALL</choice>
<choice value="server">Watch</choice>
<choice value="application">Application</choice>
<change>
<condition value="server">
<set token="filter_search_base">| search index=new | spath app | search app=newapp </set>
<set token="logtype_lab">logtype=server</set>
<set token="logtype_exp">| search source=Band | eval source="Band"</set>
</condition>
<condition value="application">
<set token="filter_search_base">| search index=main | spath app | search app!=simulator</set>
<set token="logtype_lab">logtype=Application</set>
<set token="logtype_exp">| search source=Application</set>
</condition>
<condition value="*">
<set token="filter_search_base">|multisearch
[search index=new | spath app | search app=newapp]
[search index=main | spath app | search app!=simulator]</set>
<set token="logtype_lab">All Source</set>
<set token="logtype_exp"></set>
</condition>
</change>
</input>
</fieldset>
<row>
<panel>
<title>SEARCHING: $logtype_lab$ $phonemdn_exp$ $devicemdn_exp$</title>
<search>
<query>$filter_search_base$ $phonemdn_exp$ $devicemdn_exp$</query>
<earliest>$timefield.earliest$</earliest>
<latest>$timefield.latest$</latest>
</search>
</panel>
</row>
</form>
So my first query always works but later I feel like the input value for phonemdn and devicemdn is getting cached and future query didn't work as expected.
if I have input both phonemdn and devicemdn : query is base search | search phonemdn=<value> OR devicemdn=<value>
then if I delete value from phone mdn and only keep devicemdn then,
actual query : base search OR devicemdn=<value>
expected query : base search | search devicemdn=<value>
I feel like somehow the phonemdn value from the first query is getting cached somehow. Please help me to resolve this issue. let me know if you need more information. thanks!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Generally I'm using search approach for this kind of situations. Can you please try this?
<form>
<label>Dashboard</label>
<search>
<done>
<set token="condition">$result.search$</set>
</done>
<query>| makeresults | eval phonemdn="$tkn_phonemdn$",devicemdn="$tkn_devicemdn$" | eval search=case(len(trim(phonemdn))==0 AND len(trim(devicemdn))==0,"", len(trim(phonemdn))==0 AND len(trim(devicemdn))!=0,"| search devicemdn=".devicemdn,len(trim(phonemdn))!=0 AND len(trim(devicemdn))==0,"| search phonemdn=".phonemdn, len(trim(phonemdn))!=0 AND len(trim(devicemdn))!=0,"| search phonemdn=".phonemdn." OR devicemdn=".devicemdn )</query>
</search>
<fieldset submitButton="true" autoRun="true">
<input type="text" token="phonemdn" searchWhenChanged="false">
<label>PHONE MDN</label>
<default></default>
<change>
<set token="tkn_phonemdn">$value$</set>
</change>
</input>
<input type="text" token="devicemdn">
<label>DEVICE MDN</label>
<default></default>
<change>
<set token="tkn_devicemdn">$value$</set>
</change>
</input>
</fieldset>
<row>
<panel>
<title>SEARCHING: $condition$</title>
<table>
<search>
<query>filter_search_base $condition$</query>
</search>
</table>
</panel>
</row>
</form>
$condition$ will have your required condition and do necessary changes in condition for your required panel.
Thanks
KV
▄︻̷̿┻̿═━一 😎
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Instead of this
<eval token="devicemdn_exp">if(len(trim($value$)) == 0, "" , if(len(trim($phonemdn$)) == 0, "| search devicemdn=".$value$, "OR devicemdn=".$value$))</eval>try this
<eval token="devicemdn_exp">if(len(trim($value$)) == 0, "" , if(len(trim($form.phonemdn$)) == 0, "| search devicemdn=".$value$, "OR devicemdn=".$value$))</eval>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ITWhisperer ..Thanks for checking. I tried this but it didn't work for me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Generally I'm using search approach for this kind of situations. Can you please try this?
<form>
<label>Dashboard</label>
<search>
<done>
<set token="condition">$result.search$</set>
</done>
<query>| makeresults | eval phonemdn="$tkn_phonemdn$",devicemdn="$tkn_devicemdn$" | eval search=case(len(trim(phonemdn))==0 AND len(trim(devicemdn))==0,"", len(trim(phonemdn))==0 AND len(trim(devicemdn))!=0,"| search devicemdn=".devicemdn,len(trim(phonemdn))!=0 AND len(trim(devicemdn))==0,"| search phonemdn=".phonemdn, len(trim(phonemdn))!=0 AND len(trim(devicemdn))!=0,"| search phonemdn=".phonemdn." OR devicemdn=".devicemdn )</query>
</search>
<fieldset submitButton="true" autoRun="true">
<input type="text" token="phonemdn" searchWhenChanged="false">
<label>PHONE MDN</label>
<default></default>
<change>
<set token="tkn_phonemdn">$value$</set>
</change>
</input>
<input type="text" token="devicemdn">
<label>DEVICE MDN</label>
<default></default>
<change>
<set token="tkn_devicemdn">$value$</set>
</change>
</input>
</fieldset>
<row>
<panel>
<title>SEARCHING: $condition$</title>
<table>
<search>
<query>filter_search_base $condition$</query>
</search>
</table>
</panel>
</row>
</form>
$condition$ will have your required condition and do necessary changes in condition for your required panel.
Thanks
KV
▄︻̷̿┻̿═━一 😎
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@kamlesh_vaghela Thanks for quick response. I tried this solution and after some minor change it worked for me.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
