I'm quite new to Splunk and I'm working to adapt a dashboard.
Right now it takes a time and an IP (text box) as input.
I need to modify it to take multiple inputs, with ; as the delimiter and formatted like this:
ip, timestart, timefinish
ip, timestart. timefinish
I tried with multiselect and wrapping the query in () to expand, but it doesn't seem to be a good option.
Any help or suggestion or pre-built xml?
Instead of concatenating tokens and then splitting them again, try the below. sourcetype should be replaced by your IPs, and the search should be adjusted to your requirement.
<form>
  <label>NIGIFABIO</label>
  <fieldset submitButton="false">
    <!-- The selected values are joined into one token: (ip=a OR ip=b) -->
    <input type="multiselect" token="sourcetype" searchWhenChanged="true">
      <label>Sourcetype</label>
      <!-- This search populates the choices shown in the box -->
      <search>
        <query>index=* |stats count by sourcetype</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>ip=</valuePrefix>
    </input>
    <input type="time" token="time">
      <label></label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Source Type is $sourcetype$</title>
        <search>
          <query>index=* |stats count by sourcetype</query>
          <!-- Inside <search> the time bounds are <earliest> and <latest> -->
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
      </table>
    </panel>
  </row>
</form>
I tried your input method, but when I try to put an IP or a list of IPs inside the box, the result is "no matches found" in a popup in the box. Maybe the variable ip is saved as text?
It's a multiselect box, so you can select only those values which are populated in the box. So either populate the box with your IPs by a dynamic search, replacing index=* |stats count by sourcetype, or add static values.
Can you share more details? SimpleXML or AdvancedXML? What does your search look like, and how are these parameters being passed? Does the search return data if you were to add the params manually in the format as from the multiselect box? Easiest would be to copy the relevant parts of your dashboard code. Then someone will be able to assist.
Sure, here is an example of what I have (source). The idea is to adapt it as described for the input above (thanks!)
IP Activity Clone
Displays activity on an IP address
<input type="text" token="field1">
  <label>IP Address</label>
  <default>*</default>
</input>
<input type="time" token="field2">
  <label></label>
  <default>
    <earliestTime>0</earliestTime>
    <latestTime></latestTime>
  </default>
</input>
<panel>
  <chart>
    <title>IP Activity Summary By Source</title>
    <searchString>index=* $field1$ NOT sourcetype=stash | stats count as total by sourcetype</searchString>
    <earliestTime>$field2.earliest$</earliestTime>
    <latestTime>$field2.latest$</latestTime>
Still didn't get your requirement. Do you want a token value as ip;starttime;endtime, or do you want to combine two different tokens, say field1;field2, or do you want to display the fields concatenated with ; and displayed as a table column?
Sorry Renjith, my fault in the explanation:
I want to pass a single token with multiple pieces of information in it, and I need to split it to use it in the query as multiple tokens.
So if I imagine passing something like
I need to split it to use it in a query in this way:
$ip$ $time1$ $time2$
and iterate over it for as many lines as I have
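
Added example, not part of the thread and not Splunk's own code: a Python helper that splits the `ip, timestart, timefinish` records on `;`, validates every field before it reaches a search string, and emits one OR-ed SPL clause per record using SPL's inline `earliest=`/`latest=` time modifiers. The timestamp format (`YYYY-MM-DD HH:MM:SS`, UTC), the function names and the sample addresses are assumptions; the thread never states them.

```python
"""Parse 'ip, timestart, timefinish; ...' and build an SPL filter (added example)."""
import ipaddress
from datetime import datetime, timezone

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumption: the thread never states the format


def to_epoch(text: str) -> int:
    """Convert a timestamp in TIME_FORMAT (assumed UTC) to epoch seconds."""
    parsed = datetime.strptime(text.strip(), TIME_FORMAT)
    return int(parsed.replace(tzinfo=timezone.utc).timestamp())


def parse_records(raw: str) -> list[tuple[str, int, int]]:
    """Split on ';', then ',', validating each field before it is used."""
    records = []
    for chunk in raw.split(";"):
        if not chunk.strip():
            continue  # tolerate a trailing ';' or blank lines
        fields = [f.strip() for f in chunk.split(",")]
        if len(fields) != 3:
            raise ValueError(f"expected 'ip, timestart, timefinish', got {chunk!r}")
        ip = str(ipaddress.ip_address(fields[0]))  # raises ValueError if not an IP
        start, finish = to_epoch(fields[1]), to_epoch(fields[2])
        if finish <= start:
            raise ValueError(f"timefinish is not after timestart in {chunk!r}")
        records.append((ip, start, finish))
    if not records:
        raise ValueError("no records supplied")
    return records


def build_spl_filter(raw: str) -> str:
    """Return one OR-ed clause per record, each with its own time window."""
    clauses = [f'("{ip}" earliest={start} latest={finish})'
               for ip, start, finish in parse_records(raw)]
    return "(" + " OR ".join(clauses) + ")"


# Constructed sample input (documentation-range addresses, not from the thread).
SAMPLE = """192.0.2.10, 2024-01-01 00:00:00, 2024-01-01 01:00:00;
198.51.100.7, 2024-01-02 12:00:00, 2024-01-02 12:30:00"""

if __name__ == "__main__":
    print("index=* " + build_spl_filter(SAMPLE) + " NOT sourcetype=stash"
          " | stats count as total by sourcetype")
```

Because each IP is re-serialized by `ipaddress` and each time becomes an integer, free text typed into the input box never reaches the search string.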