- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Dynamic input value for tables
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I currently have a table showing all used commands from a specific machine. Search is something like this:
source="/var/log/log" | stats count by comm | table comm, count | sort by count desc | head 10
This shows the top 10 used commands. Now I would like to search for specific commands using an Input field and submit button.
I would imagine the search would be something like this:
source="/var/log/audit/audit.log" comm="*$Token_Name$*" | stats count by comm | table comm, count | sort by count desc | head 10
But I don't understand how I can use the input field to alter the existing table.. How should the input field be configured and how do I make the existing table use the input? Or does the input field create a table with given value?
I hope my question is clear..
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Try like
<form>
<label>textfield</label>
<fieldset submitButton="false">
<input type="text" token="field1">
<label>field1</label>
<default>*</default>
<prefix>sourcetype="</prefix>
<suffix>"</suffix>
<initialValue>*</initialValue>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index="_internal" $field1$ | stats count by sourcetype</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Try like
<form>
<label>textfield</label>
<fieldset submitButton="false">
<input type="text" token="field1">
<label>field1</label>
<default>*</default>
<prefix>sourcetype="</prefix>
<suffix>"</suffix>
<initialValue>*</initialValue>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index="_internal" $field1$ | stats count by sourcetype</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, should I replace the text in <query> </query> with my second query in the opening post?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, $field1$ is similar to your comm
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So in my situation like this:
<input type="text" token="field1">
<label>field1</label>
<default></default>
<prefix>sourcetype="</prefix>
<suffix>"</suffix>
<initialValue>*</initialValue>
</input>
</fieldset>
<row>
<panel>
<title>Gebruikte commando's</title>
<chart>
<search>
<query>source="/var/log/log" comm="$field1$" | stats count by comm | table comm, count | sort by count desc | head 10</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
Can you explain the prefix, suffix en initialValue? What are their functions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi
Check this
<form>
<fieldset>
<input type="text" token="field1">
<label>field1</label>
<default></default>
<prefix>comm="</prefix>
<suffix>"</suffix>
<initialValue>*</initialValue>
</input>
</fieldset>
<row>
<panel>
<title>Gebruikte commando's</title>
<chart>
<search>
<query>source="/var/log/log" $field1$ | stats count by comm | table comm, count | sort by count desc | head 10</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</chart>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, but why use prefix/suffix? I could just put $field1$ in the search after comm=" right?
Like this:
source="/var/log/log" comm="$field1$" | stats count by comm | table comm, count | sort by count desc | head 10
And not use prefix/suffix in the input field, or is this not possible?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes you can do.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok thanks, it works now. But why would you use the suffix/preffix? Or is it a habit to use like that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
instead of giving in query like comm=$field1$ i'm building that in token itself
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
