Hi, I'm trying to understand a bit better the behaviour of 'change' and 'condition' tags when specifically used within Text Input Forms. I'm seeing some strange (to me at least) behaviour and want to understand if others had seen the same. Or if it's possibly a bug of some sort. To demonstrate the problem, I've just put together a simple Form: <form hideEdit="false"> <label>Input Text Test</label> <fieldset autoRun="true" submitButton="false"> <input type="text" token="tok_text_1" searchWhenChanged="true"> <label>Enter any text</label> <change> <condition value="bug"> <set token="tok_text_1">CHANGED</set> </condition> <condition> <set token="tok_text_2">$tok_text_1$</set> </condition> </change> </input> </fieldset> <row> <panel> <title>Token 1: $tok_text_1$ | Token 2: $tok_text_2$</title> </panel> </row> </form> I've got a couple of expectations of what should happen here when I enter text into the Input: If I enter anything other than 'bug', both tokens should be set to the text I've entered: The $tok_text_1$ is set by the input The $tok_text_2$ is set by second change condition Therefore the panel title should show the value of both tokens, which should be the text entered in the input If I enter 'bug' , then $tok_text_1$ should be changed to 'CHANGED'. $tok_text_2$ should remain either unset or with it's previous value The $tok_text_1$ is altered by the first change condition The $tok_text_2$ is undefined (if 'bug' is first work entered). Or is remains set to it's previous value if there had been previous inputs Therefore the panel title should show 'CHANGED' for the first token and either an undefined placeholder for $tok_text_2$ or it's previous value Now if I run though some scenarios of what actually happens... Load the Form, which has the URL: http://127.0.0.1:8000/en-GB/app/search/input_change_test Type 'test' into the input box and press return: This results in a title of: Token 1: test | Token 2: $tok_text_1$ If I then type 'test2' into the input box and press return: This results in a title of: Token 1: test2 | Token 2: test So what's happening here? - In step 1, it would appear that the second change condition isn't being applied to set $tok_text_2$ - In step 2, it would appear that the second change block IS being applied, but based on the PREVIOUS value of $tok_text_1$ Now let's take a new scenario. Again, reload the dashboard with the URL from above (I.e. Remove and lingering $form.xxx$ tokens from the string). Type 'bug' into the input box and press return: This results in a title of: Token 1: bug | Token 2: $tok_text_1$ Type 'bug2' into the input box and press return: This results in a title of: Token 1: bug2 | Token 2: bug So what's happening here: - In step 1 , it would appear that the first change condition isn't being applied to alter $tok_text_1$ to 'CHANGED' - In step 2, it would appear that the second change block IS being applied, but based on the PREVIOUS value of $tok_text_1$ Both are very similar. But here's another little twist... If you load the URL as: http://127.0.0.1:8000/en-GB/app/search/input_change_test?form.tok_text_1=bug This results in a title of: Token 1: CHANGED | Token 2: $tok_text_2$ Now to my question. Can anyone help me understand what's happening here? - I'm interested in knowing if this is expected behaviour? - What's the 'flow' around how these change conditions get evaluated? The closest explanation I can come up with is from the Token Usage in Dashboard section of the manuals. This suggests that 'value' isn't a available token in 'text' inputs, therefore can't be used in change conditions. 'label' and 'value' are only available in: check-box drop-down lists multiselect radio button If that's the case, then how can you reference the text that's been entered into the text input? Thanks in advance, Graham. ... View more

Hi, Does anyone know how to enable the new 'Search Syntax Highlighting' and 'Compact' Assistant features when using the Free License? The Splunk Overview 6.5 App has a section which says that these can be enabled from your 'Account settings' page. Something which isn't accessible with the Free License! I've checked in: etc/apps/user-prefs/default/user-prefs.conf And these options are included: [general] search_syntax_highlighting = 1 search_assistant = compact But they don't appear to be working. I've checked in: /opt/splunk/etc/users/admin/user-prefs/local/user-prefs.conf to see if the options are being disabled, but they're not. I've also tried adding the options into that file (/opt/splunk/etc/users/admin/user-prefs/local/user-prefs.conf) and restarting, but still no luck. I have also tried using both Safari (10.0) and Chrome (53.0.2785.116) to see if it was browser related, but both behave the same. This 6.5.0 install was an upgrade from 6.4.3 (already set-up using the Free License). These look like great features, so if anyone has thoughts on how to get them going, that would be great. ... View more