Build a Search String with an Arbitrary Number of Conditions

kwailo
Explorer

I want to build a search string with an arbitrary number of OR conditions testing the value of a single variable.
The number of OR conditions will be determined by the number of checked checkboxes on a form.

For example:
Given 3 checked checkboxes: RED, WHITE, BLUE, the search string will be:

color=RED OR color=WHITE OR color=BLUE

If I uncheck RED, the search string will be:

color=WHITE OR color=BLUE

Can this be achieved with a simple XML dashboard or do I need to go beyond that (e.g. use JavaScript)?

To clarify, the number of checkboxes is not known beforehand -- the checkboxes are created dynamically based on a search result.

0 Karma

martin_mueller
SplunkTrust

Ah, I see. I know this can be done with AdvancedXML (e.g. Sideview Utils Checkboxes module), and you can do anything with the Splunk JS/Django stack.

I don't think you can use SimpleXML for this level of flexibility, but I might of course be wrong there. Here's what this would look like in AdvancedXML:

<view isSticky="False" isVisible="true" onunloadCancelJobs="true" template="dashboard.html">
  <label>Checkboxes</label>
  <module name="AccountBar" layoutPanel="appHeader" />
  <module name="AppBar" layoutPanel="appHeader" />
  <module name="SideviewUtils" layoutPanel="appHeader" />
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="maxSize">2</param>
    <param name="clearOnJobDispatch">False</param>
  </module>

  <module name="HTML" layoutPanel="viewHeader">
    <param name="html"><![CDATA[
      <h1>Placeholder Page Title</h1>
    ]]></param>

    <module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
      <param name="search">
        | stats count | eval colors = "red,white,blue" | makemv colors delim="," | mvexpand colors | fields - count
      </param>

      <module name="Checkboxes">
        <param name="staticCheckboxes"/>
        <param name="name">color</param>
        <param name="template"> OR $name$="$value$" </param>
        <param name="valueField">colors</param>

        <module name="Search">
          <param name="search">
            | stats count | eval color="red,white,blue" | makemv color delim="," | mvexpand color | streamstats count | search srtophdopgdgohnk $color$
          </param>

          <module name="Table" />
        </module>
      </module>
    </module>
  </module>
</view>


neiljpeterson
Communicator

Just want to mention, as an update, this is now trivial with Splunk 6.1 by using the multiselect input type.

  <input type="multiselect" token="my_animals">
       <label>Types of animals in my soup</label>
       <populatingSearch earliest="$earliest$" latest="$latest$" fieldForLabel="animal_name" fieldForValue="genus_species">
                 index=fauna | stats count by animal_name genus_species | fields animal_name genus_species
       </populatingSearch>
       <default>monkeys,lions</default>
       <delimiter> OR </delimiter>
       <valuePrefix>(my_animal=</valuePrefix>
       <valueSuffix>)</valueSuffix>
  </input>

Now you can use the token $my_animals$ in a search and it will be expanded into (my_animal=lions) OR (my_animal=monkeys) OR (my_animal=tigers) OR (my_animal=bears)

0 Karma
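
The string-building step discussed in this thread, written for the JavaScript route mentioned in the accepted answer, as an added example that is not part of the original posts and not a Splunk API: `buildOrClause` and `quoteValue` are hypothetical helper names, and the sample values are constructed. Because the checkbox values come from a search result and are substituted into the search string verbatim, it quotes and escapes each value, validates the field name, and handles the case where no box is checked.

```javascript
// Hypothetical helpers (not part of Splunk): build
//   (field="v1" OR field="v2" ...)
// from however many checkboxes are currently checked.

// Conservative field-name pattern, so the name itself cannot carry
// operators, pipes or quotes into the search string.
const FIELD_RE = /^[A-Za-z_][A-Za-z0-9_.]*$/;

// Escape backslashes first, then double quotes, and wrap the value in quotes
// so spaces, pipes and parentheses stay inside one string literal.
// Note: an asterisk inside the quotes is still a wildcard for the search command.
function quoteValue(value) {
  return '"' + String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

function buildOrClause(field, checkedValues) {
  if (!FIELD_RE.test(field)) {
    throw new Error('unsafe field name: ' + field);
  }
  const seen = new Set();
  const terms = [];
  for (const v of checkedValues) {
    const s = String(v);
    if (s === '' || seen.has(s)) continue; // skip blanks and duplicates
    seen.add(s);
    terms.push(field + '=' + quoteValue(s));
  }
  // Nothing checked: return null so the caller can skip the search instead
  // of sending a dangling "OR" or an empty filter that matches everything.
  if (terms.length === 0) return null;
  return '(' + terms.join(' OR ') + ')';
}

// Constructed sample input: three boxes checked, then RED unchecked,
// then a value that tries to close the quote and widen the filter.
function demo() {
  return [
    buildOrClause('color', ['RED', 'WHITE', 'BLUE']),
    buildOrClause('color', ['WHITE', 'BLUE']),
    buildOrClause('color', []),
    buildOrClause('color', ['RED" OR color="*']),
  ];
}
```

The parentheses around the clause keep the OR group from changing how the rest of the search it is pasted into is evaluated.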

kwailo
Explorer

It has nothing to do with my previous question. I am not asking how the condition should be phrased -- I am asking whether I can generate the condition dynamically with a simple XML dashboard, or whether I have to use JavaScript.

0 Karma
