Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk dashboard : Text input token is caching the...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a dashboard with multiple inputs. These inputs are like filters on top of basic search. I want
1. if phone mdn and both devicemdn is provided then its a OR between them on top of the base search
base search | search phonemdn=<value> OR devicemdn=<value>
2. if only phone mdn is provided then should be
base search | search phonemdn=<value>
3. if only device mdn is provided then should be
base search | search devicemdn=<value>
Here is my dashboard xml:
<form>
<label>Dashboard</label>
<fieldset submitButton="true" autoRun="true">
<input type="text" token="phonemdn" searchWhenChanged="false">
<label>PHONE MDN</label>
<default></default>
<change>
<condition>
<eval token="phonemdn_exp">if(len(trim($value$)) == 0,"","| search phonemdn=".$value$)</eval>
</condition>
</change>
</input>
<input type="text" token="devicemdn">
<label>DEVICE MDN</label>
<default></default>
<change>
<condition>
<eval token="devicemdn_exp">if(len(trim($value$)) == 0, "" , if(len(trim($phonemdn$)) == 0, "| search devicemdn=".$value$, "OR devicemdn=".$value$))</eval>
</condition>
</change>
</input>
<input type="dropdown" token="logtype" searchWhenChanged="true">
<label>LOG TYPE</label>
<choice value="*">ALL</choice>
<choice value="server">Watch</choice>
<choice value="application">Application</choice>
<change>
<condition value="server">
<set token="filter_search_base">| search index=new | spath app | search app=newapp </set>
<set token="logtype_lab">logtype=server</set>
<set token="logtype_exp">| search source=Band | eval source="Band"</set>
</condition>
<condition value="application">
<set token="filter_search_base">| search index=main | spath app | search app!=simulator</set>
<set token="logtype_lab">logtype=Application</set>
<set token="logtype_exp">| search source=Application</set>
</condition>
<condition value="*">
<set token="filter_search_base">|multisearch
[search index=new | spath app | search app=newapp]
[search index=main | spath app | search app!=simulator]</set>
<set token="logtype_lab">All Source</set>
<set token="logtype_exp"></set>
</condition>
</change>
</input>
</fieldset>
<row>
<panel>
<title>SEARCHING: $logtype_lab$ $phonemdn_exp$ $devicemdn_exp$</title>
<search>
<query>$filter_search_base$ $phonemdn_exp$ $devicemdn_exp$</query>
<earliest>$timefield.earliest$</earliest>
<latest>$timefield.latest$</latest>
</search>
</panel>
</row>
</form>
So my first query always works but later I feel like the input value for phonemdn and devicemdn is getting cached and future query didn't work as expected.
if I have input both phonemdn and devicemdn : query is base search | search phonemdn=<value> OR devicemdn=<value>
then if I delete value from phone mdn and only keep devicemdn then,
actual query : base search OR devicemdn=<value>
expected query : base search | search devicemdn=<value>
I feel like somehow the phonemdn value from the first query is getting cached somehow. Please help me to resolve this issue. let me know if you need more information. thanks!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Generally I'm using search approach for this kind of situations. Can you please try this?
<form>
<label>Dashboard</label>
<search>
<done>
<set token="condition">$result.search$</set>
</done>
<query>| makeresults | eval phonemdn="$tkn_phonemdn$",devicemdn="$tkn_devicemdn$" | eval search=case(len(trim(phonemdn))==0 AND len(trim(devicemdn))==0,"", len(trim(phonemdn))==0 AND len(trim(devicemdn))!=0,"| search devicemdn=".devicemdn,len(trim(phonemdn))!=0 AND len(trim(devicemdn))==0,"| search phonemdn=".phonemdn, len(trim(phonemdn))!=0 AND len(trim(devicemdn))!=0,"| search phonemdn=".phonemdn." OR devicemdn=".devicemdn )</query>
</search>
<fieldset submitButton="true" autoRun="true">
<input type="text" token="phonemdn" searchWhenChanged="false">
<label>PHONE MDN</label>
<default></default>
<change>
<set token="tkn_phonemdn">$value$</set>
</change>
</input>
<input type="text" token="devicemdn">
<label>DEVICE MDN</label>
<default></default>
<change>
<set token="tkn_devicemdn">$value$</set>
</change>
</input>
</fieldset>
<row>
<panel>
<title>SEARCHING: $condition$</title>
<table>
<search>
<query>filter_search_base $condition$</query>
</search>
</table>
</panel>
</row>
</form>
$condition$ will have your required condition and do necessary changes in condition for your required panel.
Thanks
KV
▄︻̷̿┻̿═━一 😎
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Instead of this
<eval token="devicemdn_exp">if(len(trim($value$)) == 0, "" , if(len(trim($phonemdn$)) == 0, "| search devicemdn=".$value$, "OR devicemdn=".$value$))</eval>try this
<eval token="devicemdn_exp">if(len(trim($value$)) == 0, "" , if(len(trim($form.phonemdn$)) == 0, "| search devicemdn=".$value$, "OR devicemdn=".$value$))</eval>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ITWhisperer ..Thanks for checking. I tried this but it didn't work for me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Generally I'm using search approach for this kind of situations. Can you please try this?
<form>
<label>Dashboard</label>
<search>
<done>
<set token="condition">$result.search$</set>
</done>
<query>| makeresults | eval phonemdn="$tkn_phonemdn$",devicemdn="$tkn_devicemdn$" | eval search=case(len(trim(phonemdn))==0 AND len(trim(devicemdn))==0,"", len(trim(phonemdn))==0 AND len(trim(devicemdn))!=0,"| search devicemdn=".devicemdn,len(trim(phonemdn))!=0 AND len(trim(devicemdn))==0,"| search phonemdn=".phonemdn, len(trim(phonemdn))!=0 AND len(trim(devicemdn))!=0,"| search phonemdn=".phonemdn." OR devicemdn=".devicemdn )</query>
</search>
<fieldset submitButton="true" autoRun="true">
<input type="text" token="phonemdn" searchWhenChanged="false">
<label>PHONE MDN</label>
<default></default>
<change>
<set token="tkn_phonemdn">$value$</set>
</change>
</input>
<input type="text" token="devicemdn">
<label>DEVICE MDN</label>
<default></default>
<change>
<set token="tkn_devicemdn">$value$</set>
</change>
</input>
</fieldset>
<row>
<panel>
<title>SEARCHING: $condition$</title>
<table>
<search>
<query>filter_search_base $condition$</query>
</search>
</table>
</panel>
</row>
</form>
$condition$ will have your required condition and do necessary changes in condition for your required panel.
Thanks
KV
▄︻̷̿┻̿═━一 😎
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@kamlesh_vaghela Thanks for quick response. I tried this solution and after some minor change it worked for me.
Index This | When is October more than just the tenth month?
Observe and Secure All Apps with Splunk
What’s New & Next in Splunk SOAR
