Can someone tell me why this doesn't work right? The time picker works when I change the time range but the host choice does not work, it always includes all hosts no matter what I choose in the form.
<?xml version='1.0' encoding='utf-8'?>
<form>
  <label>Fail2ban Events</label>
  <fieldset>
    <input type="dropdown" token="host">
      <label>Host</label>
      <choice value="*">All Hosts</choice>
      <choice value="echo">Echo</choice>
      <choice value="zeus">Zeus</choice>
    </input>
    <!-- add default TimePicker -->
    <input type="time" />
  </fieldset>
  <label>Fail2ban</label>
  <row>
    <chart>
      <searchName>fail2ban_jail_time</searchName>
      <title>Fail2ban Jails</title>
    </chart>
  </row>
  <row>
    <chart>
      <searchName>Fail2Ban_IP</searchName>
      <title>Fail2ban IPs</title>
    </chart>
    <table>
      <searchString>sourcetype=fail2ban host="*" jail!="spamdyke" banaction="Ban" | top src_ip limit=10000</searchString>
      <title>Fail2ban IPs</title>
    </table>
  </row>
</form>
Hi there,
nik_splunk is right here.
Look, you defined a token to be filled with the picked value from the host list:
<input type="dropdown" token="host">
This token is a kind of placeholder for the picked value, which should be handed over to your search:
sourcetype=fail2ban host=$host$ jail!="spamdyke" banaction="Ban" ...
See also documentation:
http://www.splunk.com/base/Documentation/4.1.4/Developer/Step2CustomizeForm
Happy Splunking!
Cheers,
Christian
I got this to work by using
Hi deltatech,
do you want to add the selected host also to 'Fail2ban Jails' and 'Fail2ban IPs'? You are using a saved search to fill these two panels, but of course the value of the picked host is not used in that search! Is that what you mean here?
If yes, please let me know, because that one would be more sophisticated to do. Can you also post the saved searches here, so I can give you more help?
I tried that too and it still doesn't work. Also, note that I never mentioned time anywhere yet time does work. I am trying to get host to work for all panels, not just the one.
host=$host$ still ends up with all hosts no matter what I select.
Hi deltatech,
I guess you have to specify the host field as a token. So I suggest you change your search string
from
sourcetype=fail2ban host="*" jail!="spamdyke" banaction="Ban" ....
to
sourcetype=fail2ban host=$host$ jail!="spamdyke" banaction="Ban" ...
Bye
nik_splunk
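For reference, here is the whole form with nik_splunk's fix applied to the inline table search. This is an added example, not code from the thread or from Splunk documentation: it keeps the same elements deltatech posted (`searchString`, `searchName`, the dropdown choices) and only replaces the hard-coded host="*" with the $host$ token. The second table panel ("Bans per jail", `stats count by jail`) is a constructed addition that shows the same token reused in a second inline search; the field names `jail` and `banaction` come from the original search.

```xml
<?xml version='1.0' encoding='utf-8'?>
<form>
  <label>Fail2ban Events</label>
  <fieldset>
    <!-- the dropdown fills the token $host$ with the selected value -->
    <input type="dropdown" token="host">
      <label>Host</label>
      <!-- value "*" is substituted literally, so host="*" still matches every host -->
      <choice value="*">All Hosts</choice>
      <choice value="echo">Echo</choice>
      <choice value="zeus">Zeus</choice>
    </input>
    <!-- default time picker; its range is applied to every panel -->
    <input type="time" />
  </fieldset>
  <row>
    <chart>
      <!-- saved-search panels run the stored SPL unchanged and do not see $host$ -->
      <searchName>fail2ban_jail_time</searchName>
      <title>Fail2ban Jails</title>
    </chart>
  </row>
  <row>
    <table>
      <!-- $host$ is replaced by the dropdown value when the form is submitted -->
      <searchString>sourcetype=fail2ban host="$host$" jail!="spamdyke" banaction="Ban" | top src_ip limit=10000</searchString>
      <title>Fail2ban IPs</title>
    </table>
    <table>
      <!-- constructed second inline search reusing the same token -->
      <searchString>sourcetype=fail2ban host="$host$" banaction="Ban" | stats count by jail</searchString>
      <title>Bans per jail</title>
    </table>
  </row>
</form>
```

The two chart panels that reference saved searches by `searchName` still ignore the dropdown, which is the case nik_splunk describes as more involved: a saved search is stored with its own fixed SPL, so the only way to apply the selected host to those panels is to bring that SPL into the form as an inline `searchString` containing host="$host$". The saved searches themselves are not posted in the thread, so they are left as-is here.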