Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart Search using TextBox

sathish2k8
Explorer
‎02-05-2018 05:59 PM

I want to include search box to search account and it should display the timechart also. Please help. Presently only timechart is displaying. 

index=os sourcetype="logger" | eval account=ltrim(field10,"[") | eval account=rtrim(account,"]")  | timechart count by account | search account=0101010101
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
SplunkTrust
SplunkTrust
‎02-05-2018 10:23 PM

Hey @sathish2k8

Go to dashboards>>create new dashboard and put following XML

<form>
  <label>test</label>
  <fieldset submitButton="true">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>TimePicker</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="account" searchWhenChanged="true">
      <label>Account</label>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=os sourcetype="logger" | eval account=ltrim(field10,"[") | eval account=rtrim(account,"]")  |search account="$account$"  |  timechart count by account</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

let me know if this helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mayurr98
SplunkTrust
SplunkTrust
‎02-05-2018 10:23 PM

Hey @sathish2k8

Go to dashboards>>create new dashboard and put following XML

<form>
  <label>test</label>
  <fieldset submitButton="true">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>TimePicker</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="account" searchWhenChanged="true">
      <label>Account</label>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=os sourcetype="logger" | eval account=ltrim(field10,"[") | eval account=rtrim(account,"]")  |search account="$account$"  |  timechart count by account</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

let me know if this helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

sathish2k8
Explorer
‎02-06-2018 04:50 AM

not working, chart not loading.

0 Karma
Reply
Solved! Jump to solution

mayurr98
SplunkTrust
SplunkTrust
‎02-06-2018 04:57 AM

i have changed my xml pls check again.
as you are formatting account then the search should be after eval

index=os sourcetype="logger" | eval account=ltrim(field10,"[") | eval account=rtrim(account,"]")  |search account="$account$"  |  timechart count by account

Also after this whenever you enter the text in text box after hitting enter. open in search and see what is getting substituted in the place of account and troubleshoot in that way.

let me know if this helps!

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-05-2018 06:05 PM

have you tried this:

index=os sourcetype="logger" account="0101010101" | eval account=ltrim(field10,"[") | eval account=rtrim(account,"]")  | timechart count by account
0 Karma
Reply
Solved! Jump to solution

sathish2k8
Explorer
‎02-05-2018 06:12 PM

how it gets input from text box do we need to use append keyword?

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-05-2018 06:29 PM

if you have input like this in xml:

<form>
   <label>sample</label>
   <fieldset submitButton="false">
     <input type="text" token="account">
       <label>Account</label>
       <initialValue></initialValue>
     </input>
   </fieldset>
 </form>

then you can use token value to search like $account$
then try this:

index=os sourcetype="logger"| eval account=ltrim(field10,"[") | eval account=rtrim(account,"]")  |search account="$account$"| timechart count by account
0 Karma
Reply
The Latest From the Splunk Community!