I have a dashboard which contains 2 inputs. I have 2 separate queries which would run based on the results of the first input.
<fieldset submitButton="true" autoRun="false">
  <input type="dropdown" token="i_criteria">
    <label>Search Criteria</label>
    <choice value="message_id">Message ID</choice>
    <choice value="from">Sender</choice>
    <choice value="sender_domain">Sender Domain</choice>
    <choice value="x_mailer">X-mailer</choice>
  </input>
  <input type="text" token="s_value" searchWhenChanged="false">
    <label>Search Value</label>
  </input>
If the user selects Message ID, Sender, or Sender Domain, the first query should run. If the user selects X-mailer, the second query should run.
My first query begins with <query>index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host].......................</query>
The second query begins with <query>index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter | join message_id [search index=mail eventtype=mail_details x_mailer=$s_value|s$ | stats count by message_id, x_mailer| fields x_mailer, message_id] | stats count by internal_message_id, host | fields internal_message_id, host]..................</query>
Assistance with this will be greatly appreciated.
@adamblock2 - Just so you know, there is special markup language on this site so certain symbols will transform your post. If you wrap a word in < or >, without wrapping it in a code sample, it will transform your post. If you wish to show the < > (i.e. you are displaying sample code), simply click on the Code Sample icon to the right of the Blockquote icon in the formatting toolbar.
Hi @adamblock2,
You can use change and condition elements to set up conditional handling of different input values. You can also use a token to represent the query that should run in either case. Depending on the user selection, set that query token to one or the other search strings in your condition elements.
and
http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens#Conditional_operations_with_form_inputs
You can also check out the dashboards examples app for more info:
https://splunkbase.splunk.com/app/1603/
Hope this helps!
I think that I might be missing something.
My dashboard contains
I updated my i_criteria dropdown to include the following:
<change>
  <condition value="x_mailer">
    <set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter | join message_id [search index=mail eventtype=mail_details x_mailer=$s_value|s$ | stats count by message_id, x_mailer| fields x_mailer, message_id] | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer by internal_message_id, host | join message_id [search index=mail eventtype=mail_details x_mailer=$s_value|s$ | stats count by message_id, x_mailer| fields x_mailer, message_id] | search delivery_status=$d_status$ | table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time</set>
  </condition>
  <condition value="message_id">
    <set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer by internal_message_id, host | search delivery_status=$d_status$ | join type=outer message_id [search index=mail eventtype=mail_details | eval x_mailer=if(x_mailer="","NULL",x_mailer) | stats count by message_id,x_mailer | fields message_id, x_mailer] |table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time</set>
  </condition>
  <condition value="from">
    <set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer by internal_message_id, host | search delivery_status=$d_status$ | join type=outer message_id [search index=mail eventtype=mail_details | eval x_mailer=if(x_mailer="","NULL",x_mailer) | stats count by message_id,x_mailer | fields message_id, x_mailer] |table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time</set>
  </condition>
  <condition value="sender_domain">
    <set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer by internal_message_id, host | search delivery_status=$d_status$ | join type=outer message_id [search index=mail eventtype=mail_details | eval x_mailer=if(x_mailer="","NULL",x_mailer) | stats count by message_id,x_mailer | fields message_id, x_mailer] |table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time</set>
  </condition>
</change>
I then replaced my query statement with <query>$s_query$</query>
The query does not run. I receive a message "Search Factory: Unknown search command 's'." In addition, the submit button no longer functions.
Any ideas?
Thank you.
Hm. I'll see if I can replicate the issue in my instance. It might have to do with escaping characters or formatting the search string. I'll report back.
I tried setting up a similar example with test code.
What worked:
a dropdown whose selection is used (as a token) to conditionally set a query string in a panel.
What didn't work:
Combining tokenized selection or input values from a text box and a dropdown in the query. I don't think they are "aware" of input events on each other, so the query is not getting populated with tokenized values from both the dropdown and the text box.
I'll tinker a bit more with my own source code to see if there's something I can suggest.
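The case reported above as working (a dropdown selection conditionally setting a query-string token that a panel then runs), as an added example that is not part of the original thread. The two search strings are constructed, reuse only the index, eventtype and field names from the posts, and deliberately contain no text-box token; the two-choice dropdown and the absence of a submit button are assumptions of this example.

```xml
<form>
  <label>Mail search (added example)</label>
  <!-- No submit button: the dropdown's change handler fires on selection. -->
  <fieldset submitButton="false">
    <input type="dropdown" token="i_criteria" searchWhenChanged="true">
      <label>Search Criteria</label>
      <choice value="message_id">Message ID</choice>
      <choice value="x_mailer">X-mailer</choice>
      <change>
        <!-- Each condition stores a complete, constructed search string in s_query. -->
        <condition value="x_mailer">
          <set token="s_query">index=mail eventtype=mail_details | stats count by message_id, x_mailer</set>
        </condition>
        <condition value="message_id">
          <set token="s_query">index=mail eventtype=pps_filter | stats count by internal_message_id, host</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- The panel runs whichever string the selected condition stored. -->
        <search>
          <query>$s_query$</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```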