
controlling search conditions by form element

kalitbri
Explorer

Hello, I would like to build a form which includes a set of radio options to choose the search conditions (which encapsulate the input field).

For example:

Input text field : name 'search_value'

Radio Group: name 'condition'

radio 1: condition set to 'field_a="*$search_value$*"'

radio 2: condition set to 'field_b="*$search_value$*"'

radio 3: condition set to 'field_c="*$search_value$*" (and more conditions...)'

Search Template: 'index=mytable1 $condition$'

I plan to store the condition content for each radio button in the form of Splunk data, to be used by the form radio element. I think the ExtendedFieldSearch might be able to do this, but I am not sure if it can achieve two-pass replacing.

Could anyone who knows how to do this provide an XML form sample to achieve this? Thanks!


gkanapathy
Splunk Employee

Since form tokens are simply string replacements, you can just do:

<input type="text" token="search_value" />

<input type="radio" token="condition">
    <choice value="field_a">Option 1</choice>
    <choice value="field_b">Option 2</choice>
    <choice value="field_c">Option 3</choice>
</input>

<searchTemplate>index="mytable1" $condition$="$search_value$"</searchTemplate>


gkanapathy
Splunk Employee

Well, if it's much more complicated than that, you can use a macro to pass in a value and transform it almost arbitrarily. It can get a little confusing with multiple levels of string substitution, but it is possible. See the docs for macros and the macros.conf.spec file.


kalitbri
Explorer

Thanks! Can I do a more complicated replacement, like for radio 3 in my example?
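The two-pass replacement asked about above, modelled as an added example (Python, not Splunk code and not from any poster in this thread): each radio value selects a condition template, and the typed value is escaped before plain string replacement puts it inside the quoted term. The compound `field_c` template and the sample input are constructed for illustration.

```python
import re

TOKEN = re.compile(r"\$(\w+)\$")

# Radio value -> condition template. The "field_c" entry is a constructed
# stand-in for the compound "radio 3" condition in the question.
CONDITIONS = {
    "field_a": 'field_a="*$search_value$*"',
    "field_b": 'field_b="*$search_value$*"',
    "field_c": '(field_c="*$search_value$*" OR field_a="*$search_value$*")',
}
SEARCH_TEMPLATE = "index=mytable1 $condition$"


def substitute(template: str, tokens: dict) -> str:
    """Replace each $name$ in template; inserted text is never rescanned."""
    return TOKEN.sub(lambda m: tokens[m.group(1)], template)


def quote_value(value: str) -> str:
    """Escape backslashes, then double quotes, for use inside "..." in SPL."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def naive_search(choice: str, value: str) -> str:
    """Two passes of plain string replacement, with no escaping."""
    condition = substitute(CONDITIONS[choice], {"search_value": value})
    return substitute(SEARCH_TEMPLATE, {"condition": condition})


def build_search(choice: str, value: str) -> str:
    """Same two passes, but the condition is allowlisted and the value escaped."""
    if choice not in CONDITIONS:
        raise ValueError(f"unknown condition: {choice!r}")
    return naive_search(choice, quote_value(value))


if __name__ == "__main__":
    sample = '5" disk'  # constructed input containing a double quote
    print(naive_search("field_a", sample))  # the quote ends the term early
    print(build_search("field_c", sample))  # the quote stays inside the term
```

In a current Simple XML dashboard the `|s` token filter (`$search_value|s$`) wraps the value in quotes and escapes embedded quotes in a comparable way.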
