Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Running Specific Query Based on Radio Button Selec...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Running Specific Query Based on Radio Button Selection?
meechy85
New Member
12-11-2017
05:32 AM
Hello,
I'm attempting to use a Splunk view to edit a Lookup table based on an input field and a radio button selection.
The requirement is that a user enters an IP address, selects Add or Remove radio button, then presses Submit and it performs the requested action.
The thing is, we have the query to add an IP and to remove an IP, but when attempting to merge this with the input field and radio buttons in a view, it simply doesn't work.
This is what we have so far:
To Add:
| inputlookup test.csv | append [ | stats count | eval TEST="$vaIP$" (this is the token of the input Text box ] | stats count by TEST | fields - count | outputlookup test.csv
To Remove
|inputlookup test.csv | search TEST!="$vaIP$" | stats count by TEST | fields - count | outputlookup test.csv
These work fine as individual queries, and the solution I was looking to implement was an Eval - but to be honest I had no idea how to do it correctly with radio buttons.
If the token for the radio button is $actionIP$ and the value for the button Add is "addIP" and the value for the button Remove is "remIP", I thought an eval query like this work:
| eval testIP = if($actionIP$=="addIP", [search | inputlookup test.csv | append [ | stats count | eval TEST="$vaIP$" | stats count by TEST | fields - count | outputlookup test.csv], [search |inputlookup test.csv | search TEST!="$vaIP$" | stats count by TEST | fields - count | outputlookup test.csv] )
But it doesn't. So I am wondering if this is even possible, and if so, how?
It's a bit confusing, but I hope I explained it well!
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sbbadri
Motivator
12-11-2017
07:02 AM
@meechy85
<input type="radio" token="ip_tok">
<label>Select OS type</label>
<choice value="addIP">ADD</choice> ### Query for getting iP
<choice value="remIP">REMOVE</choice>
<change>
<change>
<condition value="ADD">
<set token="panelA"><set>
<unset token="panelB"></unset>
</condition>
<condition value="REMOVE">
<set token="panelB"><set>
<unset token="panelA"></unset>
</condition>
</change>
</input>
<row depends="$panelA$">
<panel>
<event>
<search>
<query>| inputlookup test.csv | append [ | stats count | eval TEST="$vaIP$" (this is the token of the input Text box ] | stats count by TEST | fields - count | outputlookup test.csv </query>
<earliest>$time_tok.earliest$</earliest>
<latest>$time_tok.latest$</latest>
</search>
</event>
</panel>
</row>
<row depends="$panelB$">
<panel>
<event>
<search>
<query>|inputlookup test.csv | search TEST!="$vaIP$" | stats count by TEST | fields - count | outputlookup test.csv </query>
<earliest>$time_tok.earliest$</earliest>
<latest>$time_tok.latest$</latest>
</search>
</event>
</panel>
</row>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
meechy85
New Member
12-11-2017
09:24 AM
Hello @sbbadri,
When I copied it over to the XML editor it gave me the following error:
Error parsing XML on line 38: Premature end of data in tag input line 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sbbadri
Motivator
12-12-2017
06:43 AM
<form>
<label>testRadio</label>
<fieldset submitButton="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>0</earliest>
<latest></latest>
</default>
</input>
<input type="radio" token="field2">
<label>field2</label>
<choice value="addIP">ADD</choice>
<choice value="remIP">REMOVE</choice>
<change>
<condition value="addIP">
<set token="panelA"></set>
<unset token="panelB"></unset>
</condition>
<condition value="remIP">
<set token="panelB"></set>
<unset token="panelA"></unset>
</condition>
</change>
</input>
</fieldset>
<row depends="$panelA$">
<panel>
<event>
<search>
<query>| inputlookup test.csv | append [ | stats count | eval TEST="$vaIP$" (this is the token of the input Text box ] | stats count by TEST | fields - count | outputlookup test.csv </query>
<earliest>$time_tok.earliest$</earliest>
<latest>$time_tok.latest$</latest>
</search>
</event>
</panel>
</row>
<row depends="$panelB$">
<panel>
<event>
<search>
<query>|inputlookup test.csv | search TEST!="$vaIP$" | stats count by TEST | fields - count | outputlookup test.csv </query>
<earliest>$time_tok.earliest$</earliest>
<latest>$time_tok.latest$</latest>
</search>
</event>
</panel>
</row>
</form>
Get Updates on the Splunk Community!
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
