Solved: How to reference an item name selected via populat...

jturnervbs · ‎11-03-2015

I am trying to put the name(s) of a selected item(s) into the 'first' and 'last' parameters of a streamstats evaluation, with no success. Hoping someone can help.

The form query below gathers a list of distinct Adobe products installed and creates a checkbox selection list. My goal is to produce a report showing recent changes of Adobe software versions on computers. As checkboxes go, I'd like to be able to select more than one software product.

I've searched high and low for that magic keyword but have yet to find it.

fyi...The software index data is comprised of domain computer information, including what software is installed.

<form>
  <label>Adobe Software Changes</label>
  <description>Software Changes</description>
  <fieldset autorun="false" submitButton="true">
    <input type="time" searchWhenChanged="true"></input>
    <input type="checkbox" token="AdobeType">
      <label></label>
      <populatingSearch fieldForValue="column" fieldForLabel="column">index="software" sourcetype="software" | stats dc(Adobe*) as Adobe* | transpose</populatingSearch>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix></valuePrefix>
      <valueSuffix>!="*no*"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <searchTemplate>index=software sourcetype=software $AdobeType$|streamstats global=f current=t window=2
          last($click.value2$) as Lastc
          first($click.value2$) as Firstc by ComputerName
          |Fields - _raw index _time sourcetype|Fields keepcolorder=t ComputerName UserName Users timestamp</searchTemplate>
        <title>Adobe Products and Versions</title>
        <option name="showPager">true</option>
        <option name="rowNumbers">true</option>
      </table>
    </panel>
  </row>
</form>

jturnervbs · ‎11-03-2015

I banged out a solution, albeit I had to settle for radio buttons vs checkboxes:

<form>
  <label>Adobe Software Changes</label>
  <description>Software Changes</description>
  <fieldset autorun="true" submitButton="true">
    <input type="time"></input>
    <input type="radio" token="AdobeType" searchWhenChanged="true">
      <label></label>
      <populatingSearch fieldForValue="column" fieldForLabel="column">index="software" sourcetype="software" | stats dc(Adobe*) as Adobe* | transpose</populatingSearch>
      <default>AdobeReaderVersion</default>
      <change>
          <!-- use predefined input tokens to set -->
          <!-- tokens for the selected label and value -->
          <set token="swlabel">$label$</set>
          <set token="swvalue">$label$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <searchTemplate>index=software sourcetype=software $swlabel$|streamstats global=f current=t window=2
          last($swlabel$) as Previous
          first($swlabel$) as Current
          by ComputerName
          |where Current != Previous
          |Fields - $swlabel$ _raw index _time sourcetype
          |Fields keepcolorder=t ComputerName UserName Users Current Previous timestamp
          |Sort ComputerName,-timestamp</searchTemplate>
        <title>Adobe Products and Versions</title>
        <option name="showPager">true</option>
        <option name="rowNumbers">true</option>
      </table>
    </panel>
  </row>
</form>

PS Thanks to whomever reformatted my original substituted character code into xml

View solution in original post

jturnervbs · ‎11-03-2015

I banged out a solution, albeit I had to settle for radio buttons vs checkboxes:

<form>
  <label>Adobe Software Changes</label>
  <description>Software Changes</description>
  <fieldset autorun="true" submitButton="true">
    <input type="time"></input>
    <input type="radio" token="AdobeType" searchWhenChanged="true">
      <label></label>
      <populatingSearch fieldForValue="column" fieldForLabel="column">index="software" sourcetype="software" | stats dc(Adobe*) as Adobe* | transpose</populatingSearch>
      <default>AdobeReaderVersion</default>
      <change>
          <!-- use predefined input tokens to set -->
          <!-- tokens for the selected label and value -->
          <set token="swlabel">$label$</set>
          <set token="swvalue">$label$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <searchTemplate>index=software sourcetype=software $swlabel$|streamstats global=f current=t window=2
          last($swlabel$) as Previous
          first($swlabel$) as Current
          by ComputerName
          |where Current != Previous
          |Fields - $swlabel$ _raw index _time sourcetype
          |Fields keepcolorder=t ComputerName UserName Users Current Previous timestamp
          |Sort ComputerName,-timestamp</searchTemplate>
        <title>Adobe Products and Versions</title>
        <option name="showPager">true</option>
        <option name="rowNumbers">true</option>
      </table>
    </panel>
  </row>
</form>

PS Thanks to whomever reformatted my original substituted character code into xml

woodcock · ‎11-03-2015

Try escaping the search parser by using another dollar sign, like this:

           last($$click.value2$$) as Lastc

How to reference an item name selected via populatingSearch

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases