Solved: How to pass a search based on the token value from...

splunkrocks2014 · ‎10-17-2017

I have a text field with default/initial value set to "". I wanted to use different search queries based on the values from the textfield which is mainly "" or not "*". Any suggestion? Thanks.

<form>
  <fieldset submitButton="false">
    <input type="text" token="tok_text" searchWhenChanged="true">
      <label>text</label>
      <default>*</default>
      <initialValue>*</initialValue>
      <change>
         <condition value="*">
           <set token="searchOne"></set>
           <unset token="searchTwo"></unset>
         </condition>
         <condition value!="*">  <!-- it doesn't support not equal to -->
           <unset token="searchOne"></unset>
           <set token="searchTwo"></set>
         </condition>
       </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <single depends="$searchOne$">
        <title>Search No Star</title>
        <search>
          <query>| makeresults | eval nonstar="$tok_text$" | stats values(nostar)</query>
          <earliest>-15m@m</earliest>
          <latest>now</latest>
        </search>
      </single>
      <single depends="$searchTwo$">
        <title>Search Star</title>
        <search>
          <query>| makeresults | eval star="$tok_text$" | stats values(star)</query>
          <earliest>-1d@d</earliest>
          <latest>now</latest>
        </search>
      </single>
    </panel>
  </row>
</form>

kamlesh_vaghela · ‎10-17-2017

Hi @splunkrocks2014,

value is an attribute of condition tag. SO you can not use != for an attribute, but you can use match attribute for your requirement.

Can you please try Condition from below XML ???

<form>
   <fieldset submitButton="false">
     <input type="text" token="tok_text" searchWhenChanged="true">
       <label>text</label>
       <default>*</default>
       <initialValue>*</initialValue>
       <change>
          <condition match="'value'!=&quot;*&quot;">
            <unset token="searchOne"></unset>
            <set token="searchTwo">searchTwo</set>
          </condition>
          <condition>
            <set token="searchOne">searchOne</set>
            <unset token="searchTwo"></unset>
          </condition>
        </change>
     </input>
   </fieldset>
   <row>
     <panel>

       <single depends="$searchOne$">
         <title>Search No Star</title>
         <search>
           <query>| makeresults | eval nonstar="$tok_text$" | stats values(nostar)</query>
           <earliest>-15m@m</earliest>
           <latest>now</latest>
         </search>
       </single>
       <single depends="$searchTwo$">
         <title>Search Star</title>
         <search>
           <query>| makeresults | eval star="$tok_text$" | stats values(star)</query>
           <earliest>-1d@d</earliest>
           <latest>now</latest>
         </search>
       </single>
     </panel>
   </row>
 </form>

Thanks

View solution in original post

kamlesh_vaghela · ‎10-17-2017

Hi @splunkrocks2014,

value is an attribute of condition tag. SO you can not use != for an attribute, but you can use match attribute for your requirement.

Can you please try Condition from below XML ???

<form>
   <fieldset submitButton="false">
     <input type="text" token="tok_text" searchWhenChanged="true">
       <label>text</label>
       <default>*</default>
       <initialValue>*</initialValue>
       <change>
          <condition match="'value'!=&quot;*&quot;">
            <unset token="searchOne"></unset>
            <set token="searchTwo">searchTwo</set>
          </condition>
          <condition>
            <set token="searchOne">searchOne</set>
            <unset token="searchTwo"></unset>
          </condition>
        </change>
     </input>
   </fieldset>
   <row>
     <panel>

       <single depends="$searchOne$">
         <title>Search No Star</title>
         <search>
           <query>| makeresults | eval nonstar="$tok_text$" | stats values(nostar)</query>
           <earliest>-15m@m</earliest>
           <latest>now</latest>
         </search>
       </single>
       <single depends="$searchTwo$">
         <title>Search Star</title>
         <search>
           <query>| makeresults | eval star="$tok_text$" | stats values(star)</query>
           <earliest>-1d@d</earliest>
           <latest>now</latest>
         </search>
       </single>
     </panel>
   </row>
 </form>

Thanks

splunkrocks2014 · ‎10-18-2017

Thanks, this is what i am looking for.

DalJeanis · ‎10-17-2017

You can use <condition> with no test, as per the example under "Search tokens for dynamic display example" on this page:

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Viz/tokens

splunkrocks2014 · ‎10-17-2017

It doesn't seem working. Thanks anyway

How to pass a search based on the token value from a text field?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk