Is it possible to build a form with checkboxes to build a query? Something like:
<input type="checkbox" token="someToken" fieldname="aField" multi-operator="OR"> <choice value="one">One</choice> <choice value="two">Two</choice>
And then a search like
($someToken$) AND ... will result in the following query if both are checked:
(aField="one" OR aField="two") AND ....
If it's not possible to get a multi-option input at the input definition, then is there a way to create some sort of iterator in the searchTemplate of a form for multi-valued inputs?
As of Sideview Utils 2.4, which just released today, there is a new
Checkboxes module. Its behavior really mirrors that of the Sideview Pulldown module in multiple selection mode, except that instead of presenting the user with a multiple-select pulldown, it of course presents the user with a number of checkboxes. As with Pulldown, the dashboard developer can configure some of them statically, some dynamically, etc.
And as with the Pulldown module in multiple selection mode, the final output is a search expression like
( foo="value1" OR foo="value2" OR foo="value13" ). Or with different config it could be
| fields host sourcetype field17 field29 and so on and so forth.
There is a page of documentation about the module. After downloading the latest, installing it and restarting Splunk, navigate to "Module Documentation > Advanced modules > The Checkboxes module". Note that there is also a
Checkbox module but that is for simpler cases where you only want a single checkbox element.
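The search expression this answer describes, built from a set of checked values, as an added example that is not part of the original answer and is not Sideview Utils code. The names `buildCheckboxClause` and `quoteSplValue`, the field-name pattern, the allowlist check and the `*` fallback for an empty selection are all assumptions; values are escaped as double-quoted SPL literals so that a dynamically populated choice containing a quote or a pipe stays inside the literal.

```javascript
// Added example (hypothetical helper names; not Sideview Utils code).

// Field names are emitted unquoted, so accept only a conservative pattern.
const FIELD_NAME = /^[A-Za-z_][A-Za-z0-9_.:-]*$/;

// Escape a value for a double-quoted SPL string literal:
// backslashes first, then double quotes.
function quoteSplValue(value) {
  return '"' + String(value).replace(/\\/g, "\\\\").replace(/"/g, '\\"') + '"';
}

// Build ( field="v1" OR field="v2" ) from the checked values.
//   field         - field name placed on the left of each term
//   checkedValues - values submitted by the browser
//   offeredValues - values the dashboard actually rendered as checkboxes
//   operator      - "OR" or "AND" between terms
//   emptyClause   - what to emit when nothing is checked (assumed: match all)
function buildCheckboxClause(field, checkedValues, offeredValues,
                             operator = "OR", emptyClause = "*") {
  if (!FIELD_NAME.test(field)) {
    throw new Error("invalid field name: " + field);
  }
  if (operator !== "OR" && operator !== "AND") {
    throw new Error("invalid operator: " + operator);
  }
  const offered = new Set(offeredValues);
  const terms = [];
  for (const value of new Set(checkedValues)) {   // Set drops duplicates
    // A submitted value that was never offered means the form was tampered with.
    if (!offered.has(value)) {
      throw new Error("value was not offered as a choice: " + value);
    }
    terms.push(field + "=" + quoteSplValue(value));
  }
  // "()" is not a valid search term, so fall back instead of emitting it.
  if (terms.length === 0) return emptyClause;
  return "( " + terms.join(" " + operator + " ") + " )";
}

// Constructed sample input: two static choices checked out of three.
console.log(buildCheckboxClause("aField", ["one", "two"], ["one", "two", "three"]));
// Constructed sample: a dynamically populated choice that contains a quote and a pipe.
console.log(buildCheckboxClause("host", ['x" | delete'], ['x" | delete', "web01"]));
```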
Whilst I've generally avoided talking about Sideview Utils on Splunk-base... it has a fantastic checkbox module that has a value for offValue and onValue. Within that you can specify search terms. For one customer I have included it ticked by default and then specified an offValue so that if they untick it additional search terms including many NOTs are added to the search to help filter it off.
(Thanks Drainy) + Note that the much newer and improved version of Sideview Utils (2.1.2) is available since earlier this year from the Sideview site @ http://sideviewapps.com/apps/sideview-utils. Not to mention 2.2 which comes out next week. You can follow me on Twitter to get updates about releases @sideview_apps