I have a search which sometimes I want to do an append, and sometimes not - this should be driven by a checkbox in the GUI. The optional append looks like this:
| append [ search eventtype=x sourcetype=y host=z | eval series=if(like(source, "%vmstat_DB_%"), "CPU DB", source), | rename cpu_used as value | table _time series value ]
I have defined a checkbox like this:
< input type="checkbox" token="CPU_IN_TPS" searchWhenChanged="true">
< choice value="
| append [ search eventtype=x sourcetype=y host=z | eval series=if(like(source, "%vmstat_DB_%"), "CPU DB", source), | rename cpu_used as value | table _time series value ]">ON< /choice>
< /input>
And $CPU_IN_TPS$
goes at the end of my main search.
My problem is that double quotes are not accepted inside a token value. Is there a way of escaping them? Should I be using a macro instead?
Many thanks,
John Raftery
In XML you can use "
instead of ". It's working for me
<choice value="" | append [ search eventtype=x sourcetype=y host=z | eval series=if(like(source, "%vmstat_DB_%"), "CPU DB", source), | rename cpu_used as value | table _time series value ]"">ON</choice>
You can use a token modifier |s to escape double quotes.
$token$
$token|s$
The value of the tokens get parsed
asdf="asdf"
"asdf=\"asdf\""
Unfortunately, this also adds double quotes around it, which makes this modifier useless in all my work. I would have preferred only having 1 effect per modifier that can stack with others for those that want both, but this might work for others.
The modifiers for tokens inside of alert action email bodies may not be available, but it will work in dashboards.
Source: https://docs.splunk.com/Documentation/Splunk/9.1.2/Viz/tokens#Syntax_to_consume_tokens
For the panel requiring the double quotes to be escaped (\"), add:
|rex mode=sed field=FIELD_REQUIRING_ESCAPES "s/\"/"\\""/g"
It's using a Linux sed equivalent to replace every occurrence of " (\") with \" ("\\""). Different than Linux syntax, but it's working for me...
In XML you can use "
instead of ". It's working for me
<choice value="" | append [ search eventtype=x sourcetype=y host=z | eval series=if(like(source, "%vmstat_DB_%"), "CPU DB", source), | rename cpu_used as value | table _time series value ]"">ON</choice>
Never mind - I had the checkbox set up wrong. Thanks for your help!
This solved the quote issue - thanks very much. Strangely, the commas seem to disappear in the search - I end up with
eval series=if(like(source "%vmstat_DB_%") "CPU DB" source
Did you have this as well?
not really. Below dashboard works perfect
<form>
<label>TEST</label>
<fieldset submitButton="false">
<input type="checkbox" token="field1" searchWhenChanged="true">
<choice value="| append [ |stats count| eval series=if(like(count, "%vmstat_DB_%"), "CPU DB", count) | rename cpu_used as value | table _time series value ]">Test</choice>
</input>
</fieldset>
<row>
<panel>
<title>Test $field1$</title>
<table>
<search>
<query>|stats count|eval count=100 $field1$</query>
<earliest>0</earliest>
</search>
</table>
</panel>
</row>
</form>
I get an error when trying to use the fieldset node:
XML Syntax Error: Row, on line=320, contains unknown node=fieldset on line=321.
What does this node do?