Dashboard Input Accepting Either Hex or Decimal Number

RMartinezDTV
Path Finder

Hi all, I'm going a little crazy with macros trying to get this to work, and I was hoping for some pointers. 🙂

I have a dashboard with a working form input for a customer ID, and I'd like to generalize the dashboard to take the customer ID in either hex or decimal. Right now, I can get one or the other working but not both.

My approach was to create 2 form inputs: one dropdown for HEX/DEC and one text field for the customer ID. The end format for the search is as follows, where $convID$ represents either the HEX or DEC value:

sourcetype=x [search sourcetype=x custID=CASE($convID$) | fields transID] | transaction transID

The idea here is to get a list of transactions with the custID and then re-search using transaction command in order to get the Request and Response parts of the transaction. As you probably have guessed, the custID only shows up in the Request portion so a base search for custID=xxx would not work. Also, the custID is always in HEX in the raw log file.

Long story short, I can't seem to use the token value of 1 input field for the token value of a different input. I was thinking I'd set the HEX/DEC input to use $custID$ for the HEX value and my_to_hex($custID$) (as a macro with backticks) for the value of DEC. That way, the text input field exists only to power the HEX/DEC input and the token from that input actually goes into the search (as $convID$ in the final search above).

My "to hex" macro is: replace(tostring("".tostring($subid$, "hex").""),"x","") which I couldn't seem to simplify even though it looks ugly.

0 Karma

somesoni2
SplunkTrust

Try something like this (run anywhere sample):

<form>
  <label>Test</label>
  <description/>
  <fieldset submitButton="false">
    <input type="dropdown" token="inputtype" searchWhenChanged="true">
      <label>Input Type</label>
      <choice value="hex">HEX</choice>
      <choice value="decimal">DECIMAL</choice>
      <default>hex</default>
    </input>
    <input type="text" token="input">
      <label>Input</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Output</title>
        <searchString>| gentimes start=-1 | eval Input="$input$" | eval Output=if("$inputtype$"="hex","$input$", replace(tostring("".tostring($input$, "hex").""),"x","")) | table Input Output</searchString>
        <earliestTime>0</earliestTime>
        <latestTime/>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

RMartinezDTV
Path Finder

This example works standalone but I've had a heck of a time integrating it. The general problem is that I need the "Output" (converted) value to be present in the original search string (sourcetype=xx custID=Output), and placing the eval prior to the initial search command doesn't work. Trying to resolve it in-line (e.g. custID=if($inputtype$....)) doesn't work either syntactically.

0 Karma
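
One way to get the converted value into the original search, as an added example (not code from either poster): a nested subsearch does the conversion and returns it in a field named search, which Splunk inserts into the enclosing search as literal text. It assumes the inputtype and input tokens from the sample above and the search/query Simple XML elements; the hex-digit check, the custID=invalid_input fallback term and the time range are illustrative choices.

```xml
<form>
  <label>Transactions by customer ID (hex or decimal)</label>
  <fieldset submitButton="true">
    <input type="dropdown" token="inputtype">
      <label>Input Type</label>
      <choice value="hex">HEX</choice>
      <choice value="decimal">DECIMAL</choice>
      <default>hex</default>
    </input>
    <input type="text" token="input">
      <label>Customer ID</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Transactions</title>
        <search>
          <!-- The innermost subsearch runs first and emits one row whose
               "search" field is pasted verbatim into the enclosing search.
               The |s token filter passes the typed value as a quoted,
               escaped string literal instead of raw search text.
               The conversion is the same expression as in the sample above.
               Only values made solely of hex digits reach the outer search;
               anything else becomes custID=invalid_input (a placeholder
               term constructed for this example). -->
          <query>sourcetype=x
  [ search sourcetype=x
      [ | gentimes start=-1
        | eval raw=$input|s$
        | eval hex=if("$inputtype$"="hex", raw, replace(tostring(tonumber(raw), "hex"), "x", ""))
        | eval hex=coalesce(hex, "")
        | eval search=if(hex!="" AND replace(hex, "[0-9A-Fa-f]", "")="", "custID=CASE(" . hex . ")", "custID=invalid_input")
        | fields search ]
    | fields transID ]
| transaction transID</query>
          <!-- Time range is an assumption; set it to suit the data. -->
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```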