Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the desired results using Splunk Text Input?

mbasharat
Builder
‎04-20-2019 02:33 PM

Hi,

I have a dashboard. It has 3 text inputs.

Search by IP
Text Input 1

Search by NETBIOS
Text Input 2

Search by DNS
Text Input 3

Submit button

I have a statistical table panel below them that is running the query:

Base search/Report reference

| search IP="$ip$" OR NETBIOS="$netbios$" OR DNS="$dns$"
| stats dc(IP) AS Total BY IP, NETBIOS, DNS

When I have IP inserted, Submit returns IP, NETBIOS and DNS.
When I have different NETBIOS inserted, search returns NETBIOS + IP (both different, one result for IP and one for NETBIOS. Likewise if I have all three different values, I will have three results)

What I need:
- Once any value is inserted, I want the other two to reset and become blank so search can use only one value at a time. I need to use either of the three values from text box inputs above and have only one result from one of either of three values.

For example, if I insert an IP 00.00.00.00 and hit Submit, I get results for IP since other two values are left blank. But when I insert NETBIOS e.g. SAMPLENETBIOS, I want IP text box to become reset/blank and search result should return results for NETBIOS not IP. Likewise for DNS.

Or can I have one text box where any one of three values can be inserted to get desired results? How?

Thanks in-advance

I am on v6.6.5 and +

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-21-2019 09:21 AM

You need to create a change section for each one and inside of this, do a pair of unset commands for each of the other 2 token names, like this (for the first token):

<unset token="second_token"></unset>
<unset token="form.second_token"></unset>
<unset token="third_token"></unset>
<unset token="form.third_token"></unset>

View solution in original post

0 Karma
Reply
Solved! Jump to solution

raiqbal47010
New Member
‎01-08-2020 10:14 PM

HI @mbasharat,

Can you please share your code as I am having the same scenerio.

0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎01-09-2020 05:59 AM

I ended up creating a text box as below with token and referenced the token value in the searches as sampled below.

     <input type="text" token="value" searchWhenChanged="false">
       <label>Search by IP or NETBIOS or DNS</label>
       <default>00.00.00.00</default>
     </input>

search/base search for panels as per your use case:

index=SAMPLE sourcetype=SAMPLE2
*| search ip_address="$value$" OR netbios="$value$" OR dns="$value$"
REST OF THE SEARCH

Thanks.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-21-2019 09:21 AM

You need to create a change section for each one and inside of this, do a pair of unset commands for each of the other 2 token names, like this (for the first token):

<unset token="second_token"></unset>
<unset token="form.second_token"></unset>
<unset token="third_token"></unset>
<unset token="form.third_token"></unset>
0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎04-21-2019 11:04 AM

Is it also possible to have more than one ORs in panel drilldown as below:

Panel > Drill down > on Cell
Cell value 1=IP
Cell value 2=NETBIOS
Cell value 3=DNS

Drill down > Link to Dashboard
Has three token under Manage Tokens.
form.value ("value" is the token of text box in the destination page) = $row.IP$ OR $row.NETBIOS$ OR $row.DNS$
This OR is not working as well as it is passing all three values separated by commas instead of only the one that is clicked on.

Thanks.

0 Karma
Reply
Solved! Jump to solution

riddhichandaran
Explorer
‎04-21-2019 10:04 PM

Hey You cannot pass OR in drill down,
instead, you can use the conditional drill down 

  <option name="drilldown">cell</option>
        <drilldown>
          <condition field="IP">
          <link target="_blank">/app/search/handson_2?form.value=$row.IP$</link>
          </condition>
          <condition field="NETBIOS">
            <link target="_blank">/app/search/handson_2?form.value=$row.NETBIOS$</link>
          </condition>
               <condition field="DNS">
            <link target="_blank">/app/search/handson_2?form.value=$row.DNS$</link>
          </condition>
          <condition>
            <!-- No drilldown for other cell-->
          </condition>
        </drilldown>

Here you can change the value of fieldname as per your requirements.
In condition tag change field=fieldname
and in link tag just change $row.fieldname$

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...