Timechart Search using TextBox

sathish2k8
Explorer

I want to include a search box to search by account, and it should display the timechart also. Please help. Presently only the timechart is displaying.

index=os sourcetype="logger" | eval account=ltrim(field10,"[") | eval account=rtrim(account,"]")  | timechart count by account | search account=0101010101
0 Karma

mayurr98
Super Champion

Hey @sathish2k8

Go to Dashboards >> Create New Dashboard and put in the following XML:

<form>
  <label>test</label>
  <fieldset submitButton="true">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>TimePicker</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="account" searchWhenChanged="true">
      <label>Account</label>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=os sourcetype="logger" | eval account=ltrim(field10,"[") | eval account=rtrim(account,"]")  |search account="$account$"  |  timechart count by account</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Let me know if this helps!

0 Karma

sathish2k8
Explorer

Not working, chart not loading.

0 Karma

mayurr98
Super Champion

I have changed my XML, please check again.
As you are formatting account, the search should be after the eval:

index=os sourcetype="logger" | eval account=ltrim(field10,"[") | eval account=rtrim(account,"]")  |search account="$account$"  |  timechart count by account

Also, after this, whenever you enter text in the text box and hit Enter, use Open in Search and see what is getting substituted in place of account, and troubleshoot that way.

Let me know if this helps!

0 Karma

493669
Super Champion

Have you tried this:

index=os sourcetype="logger" account="0101010101" | eval account=ltrim(field10,"[") | eval account=rtrim(account,"]")  | timechart count by account 
0 Karma

sathish2k8
Explorer

How does it get input from the text box? Do we need to use the append keyword?

0 Karma

493669
Super Champion

If you have an input like this in XML:

<form>
   <label>sample</label>
   <fieldset submitButton="false">
     <input type="text" token="account">
       <label>Account</label>
       <initialValue></initialValue>
     </input>
   </fieldset>
 </form>

then you can use the token value in the search like $account$.
Then try this:

index=os sourcetype="logger"| eval account=ltrim(field10,"[") | eval account=rtrim(account,"]")  |search account="$account$"| timechart count by account
0 Karma