Splunk Enterprise Security

Radiobutton issue: have to reselect it every time to be able to resubmit the search

woodentree
Communicator

Hello,

We'd like to provide a basic dashboard to our analysts to help them to search the information in an asset lookup based on its name, IP or Mac addresses. By default we'd like to use a wildcard with the text input (in case of multiple values in the field), but we'd like to leave an option to suppress the wildcard as well. For this purpose we use a radiobutton. Here is our dashboard:

<form>
<label>Asset Info</label>
<fieldset submitButton="true" autoRun="false">
  <input type="text" token="input">
    <label>Name, IP or Mac</label>
      <default></default>
    </input>
    <input type="radio" token="field1" searchWhenChanged="true">
      <label>Exact Value</label>
      <choice value="Yes">Yes</choice>
      <choice value="No">No</choice>
      <change>
        <condition value="No">
          <set token="myseaerch">| inputlookup assets_info.csv
    | search name=*$input$* OR ip=*$input$* OR mac=*$input$*
    | table name, ip, mac, zone, classification, status, os, serial_number</set>
        </condition>
        <condition value="Yes">
          <set token="myseaerch">| inputlookup assets_info.csv
    | search name=$input$ OR ip=$input$ OR mac=$input$
    | table name, ip, mac, zone, classification, status, os, serial_number</set>
        </condition>
      </change>
      <initialValue>No</initialValue>
      <default>No</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Asset Info</title>
        <search>
          <query>$myseaerch$</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Unfortunately, for some reason we need to reselect a radiobutton every time we want to resubmit the search. I mean, we can't just leave it in "No" position and resubmit a search with a new text input, but have to switch to "Yes" and then back to "No" in order to make it work.

Do you have any idea what the issue is cased by and how it could be fixed?

Thanks for the help.

0 Karma
1 Solution

nickhills
Ultra Champion

Thats because you are using 'sets' based on 'conditions', when on load neither is set.

Another way to achieve the same results without conditions:

<form>
  <label>Asset Info</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="input">
      <label>Name, IP or Mac</label>
      <default></default>
    </input>
    <input type="radio" token="wildcard" searchWhenChanged="true">
      <label>Exact Value</label>
      <choice value="*">Yes</choice>
      <choice value="">No</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Asset Info</title>
        <search>
          <query>| inputlookup assets_info.csv
     | search name=$wildcard$$input$$wildcard$ OR mac=$wildcard$$input$$wildcard$
     | table name, ip, mac, zone, classification, status, os, serial_number</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
If my comment helps, please give it a thumbs up!

View solution in original post

nickhills
Ultra Champion

If you want to keep your condition approach, you can set the radio button to a value on load:

<init>
     <set token="field1">Yes</set>
 </init>
If my comment helps, please give it a thumbs up!
0 Karma

nickhills
Ultra Champion

Thats because you are using 'sets' based on 'conditions', when on load neither is set.

Another way to achieve the same results without conditions:

<form>
  <label>Asset Info</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="input">
      <label>Name, IP or Mac</label>
      <default></default>
    </input>
    <input type="radio" token="wildcard" searchWhenChanged="true">
      <label>Exact Value</label>
      <choice value="*">Yes</choice>
      <choice value="">No</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Asset Info</title>
        <search>
          <query>| inputlookup assets_info.csv
     | search name=$wildcard$$input$$wildcard$ OR mac=$wildcard$$input$$wildcard$
     | table name, ip, mac, zone, classification, status, os, serial_number</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
If my comment helps, please give it a thumbs up!

woodentree
Communicator

Hi @nickhillscpl ,

Thanks for the help! It's definitely a better way to execute the search.

I have just another small issue: if I leave <default>*</default> line, it becomes impossible to select radiobutton values (between "Yes" and "No"). At the same time with <default></default> it works totally fine.

0 Karma

nickhills
Ultra Champion

Yes, thats a bit odd. I can't really explain that.
Leave it out - it wont make any difference if you use it as a dashboard.
If ever you use the dashboard as a drilldown target, you will just have to remember to define its value as a parameter

If my comment helps, please give it a thumbs up!
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...