I have a search which gets an input token as "*" for one of the columns.
I want the search to not run the query if the token comes as "*". But I want it to run if the token actually has some value other than "*".
Can you help me figure out how to write this query? Below is an example:
index=test_index testcolumn="*" |table _time,testcolumn,column2
-> This should not run, as it runs against all values.
but
index=test_index testcolumn="manualvalue" |table _time,testcolumn,column2
-> This should run, as it runs against only 1 value.
Any ideas how to get this working, as it's the same token?
@jiaqya try the following run anywhere example. The token tokLogLevelFinalFilter is used to filter search results. When All is selected in dropdown ($label$), then the token is unset. When any other value is selected in the dropdown, it is set to dropdown value ($value$).
Please try out and confirm!
<form>
  <label>Token Unset for All</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokLogLevel" searchWhenChanged="true">
      <label>Dropdown</label>
      <choice value="*">All</choice>
      <choice value="ERROR">Error</choice>
      <choice value="WARN">Warn</choice>
      <change>
        <condition label="All">
          <unset token="tokLogLevelFinalFilter"></unset>
        </condition>
        <condition>
          <set token="tokLogLevelFinalFilter">$value$</set>
        </condition>
      </change>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <b>Log Level set to $tokLogLevelFinalFilter$</b>
      </html>
      <!-- Add depends="$tokLogLevelFinalFilter$" to table to hide table when Search is not running -->
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level="$tokLogLevelFinalFilter$"
| chart count by log_level component where max in top5
          </query>
        </search>
      </table>
    </panel>
  </row>
</form>
Niket, as I said, it worked to some extent. Later I used a match instead of using equals and it works perfectly fine now, thanks for your help.
The code that worked for me:
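<change>
  <!-- Inner quotes must be written as &quot; inside an XML attribute value -->
  <condition match="value!=&quot;*&quot;">
    <set token="hostname">$value$</set>
  </condition>
  <!-- "*" (All) selected: set the token to a marker value instead of the wildcard -->
  <condition match="value=&quot;*&quot;">
    <set token="hostname">QueryCanceled</set>
  </condition>
</change>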
This works to some extent; I am able to get the values to change now for the token.
But when I choose a manual value, it does not refresh immediately.
Instead, I see the chosen value when I choose it again, i.e., it lags one click behind.
Is there a way to get this to refresh on making the manual choice?
Why don't you change the token value in the input?
I can't change that token value in the input.
The reason is that I use that token = "*" for another panel to show full data in bar format.
But I also need that same token to show by individual record in another panel on the same dashboard.
So I am guessing I have to do it in the individual search query, but I don't know how to.
You can try like this: if the token is * then change it to blank, and if it is not * then it will remain the same:
|eval token = if(token="*","",token)
Tried this, but this does not work. The "*" asterisk is the problem, as it does not allow me to replace the token, since it represents "All". Any other ideas?
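The requirement described in the thread (one dropdown token that keeps its * value for a summary panel, while a second panel's search is skipped on *) can be met by deriving a second token from the input. The dashboard below is an added example, not code from any poster in this thread; the token name tokLogLevelDetail, the time range and the detail query are assumptions, and the condition is keyed on the choice value rather than its label.

```xml
<form>
  <label>One input, two panels</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokLogLevel" searchWhenChanged="true">
      <label>Log level</label>
      <choice value="*">All</choice>
      <choice value="ERROR">Error</choice>
      <choice value="WARN">Warn</choice>
      <default>*</default>
      <change>
        <!-- tokLogLevelDetail is a hypothetical derived token. On "*" it stays unset,
             so the detail search below has an unresolved token and is not dispatched. -->
        <condition value="*">
          <unset token="tokLogLevelDetail"></unset>
        </condition>
        <!-- Any other choice: copy the selected value into the derived token. -->
        <condition>
          <set token="tokLogLevelDetail">$value$</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- Summary panel: uses the input token directly, so it also runs for "*". -->
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level="$tokLogLevel$"
| timechart count by log_level</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
    <panel>
      <!-- Detail panel: hidden, and its search waits, until tokLogLevelDetail is set. -->
      <table depends="$tokLogLevelDetail$">
        <search>
          <query>index=_internal sourcetype=splunkd log_level="$tokLogLevelDetail$"
| table _time, log_level, component</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Bounding the detail search with an explicit time range keeps the per-record query small even when a value is selected.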