Dashboards & Visualizations

How do you add additional sub search by check box on dashboard?

appleman
Contributor

Hello,

I want to add sub search by just checking a check box on dashboard.
How do you do that?

Here is my main search below.
source=applications id=M1 (id=M1* OR id=M2* OR id=M3*) host!=test widget_flg=1 | stats count by name

And I want to add the sub search on main search like this.
source=applications id=M1 (id=M1* OR id=M2* OR id=M3*) host!=test widget_flg=1 [search earliest=-24h@h latest=now source=corporation (id=M1 OR id=M2* OR id=M3*) host!=test number!=1234 name!=test (contract_status=0 OR contract_status_a=0 OR contract_status_p=0) | dedup id | table id] | stats count by name

I added the source on simple XML, but it didn't work.

<form>
<label>App</label>
<description/>
<fieldset submitButton="false">
<input type="radio" token="dm" searchWhenChanged="true">
<label>host</label>
<choice value="id=M4*">include</choice>
<choice value="id!=M4*">exclude</choice>
<default>id=M4*</default>
</input>
<input type="checkbox" token="contract" searchWhenChanged="true">
<label>Contract Status</label>
<populatingSearch fieldForLabel="contracted" fieldForValue="id">[search earliest=-24h@h latest=now source=corporation (id=M1 OR id=M2* OR id=M3*) host!=test number!=1234 name!=test (contract_status=0 OR contract_status_a=0 OR contract_status_p=0) | dedup id | table id]</populatingSearch>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Install List</title>
<searchString>source=applications id=M1 $dm$ $contract$ (id=M1* OR id=M2* OR id=M3*) host!=test widget_flg=1 | stats count by name</searchString>
<earliestTime>-7d@h</earliestTime>
<latestTime>now</latestTime>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>
</row>
</form

Thank you.

0 Karma
1 Solution

jeffland
SplunkTrust
SplunkTrust

You could simply place your two searches in a string each and use javascript to set the search manager to the right one depending on whether the box is selected or deselected. Have a look here to see the options available to listen to check box changes and change search manager settings, and here for an example.

View solution in original post

rbreton
Path Finder

I wonder if something like this would be easier. It is all created using just the Dashboard creation UI.

<form>
  <label>sub search by check box on dashboard</label>
  <fieldset submitButton="false">
    <input type="radio" token="tok_subsearch" searchWhenChanged="true">
      <label>subsearch</label>
      <choice value="[ search index=wineventlog host=ndca* | table host ]">Enabled</choice>
      <choice value="">Disabled</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=wineventlog $tok_subsearch$

| table host</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
0 Karma

jeffland
SplunkTrust
SplunkTrust

You could simply place your two searches in a string each and use javascript to set the search manager to the right one depending on whether the box is selected or deselected. Have a look here to see the options available to listen to check box changes and change search manager settings, and here for an example.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...