Solved: How do you add additional sub search by check box ...

appleman · ‎05-10-2015

Hello,

I want to add sub search by just checking a check box on dashboard.
How do you do that?

Here is my main search below.
source=applications id=M1 (id=M1* OR id=M2* OR id=M3*) host!=test widget_flg=1 | stats count by name

And I want to add the sub search on main search like this.
source=applications id=M1 (id=M1* OR id=M2* OR id=M3*) host!=test widget_flg=1 [search earliest=-24h@h latest=now source=corporation (id=M1 OR id=M2* OR id=M3*) host!=test number!=1234 name!=test (contract_status=0 OR contract_status_a=0 OR contract_status_p=0) | dedup id | table id] | stats count by name

I added the source on simple XML, but it didn't work.

<form>
<label>App</label>
<description/>
<fieldset submitButton="false">
<input type="radio" token="dm" searchWhenChanged="true">
<label>host</label>
<choice value="id=M4*">include</choice>
<choice value="id!=M4*">exclude</choice>
<default>id=M4*</default>
</input>
<input type="checkbox" token="contract" searchWhenChanged="true">
<label>Contract Status</label>
<populatingSearch fieldForLabel="contracted" fieldForValue="id">[search earliest=-24h@h latest=now source=corporation (id=M1 OR id=M2* OR id=M3*) host!=test number!=1234 name!=test (contract_status=0 OR contract_status_a=0 OR contract_status_p=0) | dedup id | table id]</populatingSearch>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Install List</title>
<searchString>source=applications id=M1 $dm$ $contract$ (id=M1* OR id=M2* OR id=M3*) host!=test widget_flg=1 | stats count by name</searchString>
<earliestTime>-7d@h</earliestTime>
<latestTime>now</latestTime>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>
</row>
</form

Thank you.

jeffland · ‎05-11-2015

You could simply place your two searches in a string each and use javascript to set the search manager to the right one depending on whether the box is selected or deselected. Have a look here to see the options available to listen to check box changes and change search manager settings, and here for an example.

View solution in original post

rbreton · ‎07-27-2017

I wonder if something like this would be easier. It is all created using just the Dashboard creation UI.

<form>
  <label>sub search by check box on dashboard</label>
  <fieldset submitButton="false">
    <input type="radio" token="tok_subsearch" searchWhenChanged="true">
      <label>subsearch</label>
      <choice value="[ search index=wineventlog host=ndca* | table host ]">Enabled</choice>
      <choice value="">Disabled</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=wineventlog $tok_subsearch$

| table host</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

jeffland · ‎05-11-2015

You could simply place your two searches in a string each and use javascript to set the search manager to the right one depending on whether the box is selected or deselected. Have a look here to see the options available to listen to check box changes and change search manager settings, and here for an example.

How do you add additional sub search by check box on dashboard?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...