I want to build a search string with an arbitrary number of OR conditions testing the value of a single variable.
The number of OR conditions will be determined by the number of checked checkboxes on a form.
For example:
Given 3 checked checkboxes: RED, WHITE, BLUE, the search string will be:
color=RED OR color=WHITE OR color=BLUE
If I uncheck RED, the search string will be:
color=WHITE or color=BLUE
Can this be achieved with a simple XML dashboard or do I need to go beyond that (e.g. use JavaScript)?
To clarify, the number of checkboxes is not known beforehand -- the checkboxes are created dynamically based on a search result.
Ah, I see. I know this can be done with AdvancedXML (e.g. Sideview Utils Checkboxes module), and you can do anything with the Splunk JS/Django stack.
I don't think you can use SimpleXML for this level of flexibility, but I might of course be wrong there. Here's how this would look like in AdvancedXML:
<view isSticky="False" isVisible="true" onunloadCancelJobs="true" template="dashboard.html">
<label>Checkboxes</label>
<module name="AccountBar" layoutPanel="appHeader" />
<module name="AppBar" layoutPanel="appHeader" />
<module name="SideviewUtils" layoutPanel="appHeader" />
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="maxSize">2</param>
<param name="clearOnJobDispatch">False</param>
</module>
<module name="HTML" layoutPanel="viewHeader">
<param name="html"><![CDATA[
<h1>Placeholder Page Title</h1>
]]></param>
<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
<param name="search">
| stats count | eval colors = "red,white,blue" | makemv colors delim="," | mvexpand colors | fields - count
</param>
<module name="Checkboxes">
<param name="staticCheckboxes"/>
<param name="name">color</param>
<param name="template"> OR $name$="$value$" </param>
<param name="valueField">colors</param>
<module name="Search">
<param name="search">
| stats count | eval color="red,white,blue" | makemv color delim="," | mvexpand color | streamstats count | search srtophdopgdgohnk $color$
</param>
<module name="Table" />
</module>
</module>
</module>
</module>
</view>
Just want to mention, as an update, this is now trivial with Splunk 6.1 by using the multiselect
input type.
<input type="multiselect" token="my_animals">
<label>Types of animals in my soup</label>
<populatingSearch earliest="$earliest$" latest="$latest$" fieldForLabel="animal_name" fieldForValue="genus_species">
index=fauna | stats dc(genus_species) by animal_name | fields animal_name genus_species
</populatingSearch>
<default>monkeys,lions</default>
<delimiter>OR</delimiter>
<valuePrefix>(my_animal=</valuePrefix>
<valueSuffix>)</valueSuffix>
</input>
Now you can use the token $my_animals$
in a search and it will expanded into (my_animal=lions) OR (my_animal=monkeys) OR (my_animal=tigers) OR (my_animal=bears)
Ah, I see. I know this can be done with AdvancedXML (e.g. Sideview Utils Checkboxes module), and you can do anything with the Splunk JS/Django stack.
I don't think you can use SimpleXML for this level of flexibility, but I might of course be wrong there. Here's how this would look like in AdvancedXML:
<view isSticky="False" isVisible="true" onunloadCancelJobs="true" template="dashboard.html">
<label>Checkboxes</label>
<module name="AccountBar" layoutPanel="appHeader" />
<module name="AppBar" layoutPanel="appHeader" />
<module name="SideviewUtils" layoutPanel="appHeader" />
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="maxSize">2</param>
<param name="clearOnJobDispatch">False</param>
</module>
<module name="HTML" layoutPanel="viewHeader">
<param name="html"><![CDATA[
<h1>Placeholder Page Title</h1>
]]></param>
<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
<param name="search">
| stats count | eval colors = "red,white,blue" | makemv colors delim="," | mvexpand colors | fields - count
</param>
<module name="Checkboxes">
<param name="staticCheckboxes"/>
<param name="name">color</param>
<param name="template"> OR $name$="$value$" </param>
<param name="valueField">colors</param>
<module name="Search">
<param name="search">
| stats count | eval color="red,white,blue" | makemv color delim="," | mvexpand color | streamstats count | search srtophdopgdgohnk $color$
</param>
<module name="Table" />
</module>
</module>
</module>
</module>
</view>
It has nothing to do with my previous question. I am not asking how the condition should be phrased -- I am asking whether I can generate the condition dynamically with a simple XML dashboard, or whether I have to use JavaScript.
How is this different from your previous question?
http://answers.splunk.com/answers/116164/dynamically-appending-or-clauses-based-on-form-input