Use checkboxes to build a search query using AND or OR

Builder

Is it possible to build a form with checkboxes to build a query? Something like:

<input type="checkbox" token="someToken" fieldname="aField" multi-operator="OR">
<choice value="one">One</choice>
<choice value="two">Two</choice>
</input>

And then a search like ($someToken$) AND ... will result in the following query if both are checked: (aField="one" OR aField="two") AND ....

If it's not possible to get a multi-option input at the input definition, then is there a way to create some sort of iterator in the searchTemplate of a form for multi-valued inputs?

SplunkTrust

As of Sideview Utils 2.4, which just released today, there is a new Checkboxes module. Its behavior really mirrors that of the Sideview Pulldown module in multiple selection mode, except that instead of presenting the user with a multiple-select pulldown, it of course presents the user with a number of checkboxes. As with Pulldown, the dashboard developer can configure some of them statically, some dynamically, etc.

And as with the Pulldown module in multiple selection mode, the final output is a search expression like ( foo="value1" OR foo="value2" OR foo="value13" ). Or with different config it could be | fields host sourcetype field17 field29 and so on and so forth.

There is a page of documentation about the module. After downloading the latest, installing it and restarting Splunk, navigate to "Module Documentation > Advanced modules > The Checkboxes module". Note that there is also a Checkbox module but that is for simpler cases where you only want a single checkbox element.

http://sideviewapps.com/apps/sideview-utils

0 Karma
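
The expression described in the question and in the answer above, assembled from a list of checked values, as an added example (not code from Sideview Utils or from any poster in this thread). The function names, the field-name pattern, and the backslash escaping of quotes and backslashes inside quoted values are assumptions of this example; the point is that checked values are quoted and escaped before they are joined into the search string.

```javascript
// Assumption: field names are limited to a conservative character set so a
// field name can never carry search syntax of its own.
const FIELD_NAME = /^[A-Za-z_][A-Za-z0-9_.]*$/;

// Wrap one value in double quotes, escaping backslashes first and then
// double quotes, so the value cannot close the quoted term early.
function quoteValue(value) {
  return '"' + String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// Build (field="v1" OR field="v2") from the checked values.
// Returns '' when nothing is checked so the caller never emits "()".
function buildClause(fieldName, selected, operator = 'OR') {
  if (!FIELD_NAME.test(fieldName)) {
    throw new Error('invalid field name: ' + fieldName);
  }
  if (operator !== 'OR' && operator !== 'AND') {
    throw new Error('invalid operator: ' + operator);
  }
  // Drop duplicate selections while keeping the order they were checked in.
  const values = [...new Set(selected.map(String))];
  if (values.length === 0) {
    return '';
  }
  const terms = values.map((v) => fieldName + '=' + quoteValue(v));
  return '(' + terms.join(' ' + operator + ' ') + ')';
}

// Constructed sample input: two checked boxes, as in the question.
console.log(buildClause('aField', ['one', 'two']));
// A constructed value containing quotes and a backslash stays one term.
console.log(buildClause('aField', ['C:\\tmp "a"']));
```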

Builder

This is one approach: http://splunk-base.splunk.com/answers/57307/extendedfieldsearch-intentions-and-radio-buttons

This is not how I solved our problem, I will post below....

0 Karma

Contributor

So how did you do this? I see you found an answer but would you be so kind as to show the search you came up with and the logic behind the checkboxes?

0 Karma

Champion

Whilst I've generally avoided talking about sideview utils on Splunk-base... it has a fantastic checkbox module that has a value for offValue and onValue. Within that you can specify search terms. For one customer I have included it ticked by default and then specified an offValue so that if they untick it additional search terms including many NOT's are added to the search to help filter it off.

http://splunk-base.splunk.com/apps/36405/sideview-utils

SplunkTrust

(Thanks Drainy) + Note that the much newer and improved version of Sideview Utils (2.1.2) is available since earlier this year from the Sideview site @ http://sideviewapps.com/apps/sideview-utils. Not to mention 2.2 which comes out next week. You can follow me on twitter to get updates about releases @sideview_apps

Builder

Awesome, thanks Drainy. Will check it out.

0 Karma