Solved: Why is the Checkbox Input Filter Source in my dash...

maria2691 · ‎02-05-2018

Hello Everyone

I have a Dashboard with a Chechbox Input Filter Source. I initially created it as a Dropdown now I am in need to convert it to a Checkbox option. The search works only if I select a single value and does not return any result when making multiple selection.

My search queries in panels look like below. "source" is the label name:

sourcetype=error | where source like "$source$%" 
|stats count(Error Description)

I need to change the search / the input to make sure that the results are obtained for multiple selections. How do I do it?
Below is the XML block for this particular Checkbox.

<input type="checkbox" token="source" searchWhenChanged="true" multi-operator="OR">
      <label>Source</label>
      <default></default>
      <fieldForLabel>source</fieldForLabel>
      <fieldForValue>source</fieldForValue>
      <search>
        <query>sourcetype=error 
| where source like "GS01%" OR source like "CIS%" OR source like "CS%" OR source like "BoldChat%" OR source like "EC%" OR source like "ED%" OR source like "EIT%"OR source like "GPT%" OR source like "GS%" 
| eval source=substr('source',1,5) | stats count by source</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="">ALL</choice>
      <initialValue></initialValue>
      <delimiter> OR</delimiter>
    </input>

What do I have to modify to achieve the expected result?

Thanks
Maria Arokiaraj

micahkemp · ‎02-06-2018

My run-anywhere example of this functionality:

<form>
  <label>615201</label>
  <fieldset submitButton="false">
    <input type="checkbox" token="source" searchWhenChanged="true">
      <label>Source</label>
      <default></default>
      <fieldForLabel>source</fieldForLabel>
      <fieldForValue>source</fieldForValue>
      <search>
        <query>index=_* | eval source=substr('source',1,5) | stats count by source</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="">ALL</choice>
      <initialValue></initialValue>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>source like "</valuePrefix>
      <valueSuffix>%"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_* | where $source$ | stats count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

View solution in original post

micahkemp · ‎02-06-2018

My run-anywhere example of this functionality:

<form>
  <label>615201</label>
  <fieldset submitButton="false">
    <input type="checkbox" token="source" searchWhenChanged="true">
      <label>Source</label>
      <default></default>
      <fieldForLabel>source</fieldForLabel>
      <fieldForValue>source</fieldForValue>
      <search>
        <query>index=_* | eval source=substr('source',1,5) | stats count by source</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="">ALL</choice>
      <initialValue></initialValue>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>source like "</valuePrefix>
      <valueSuffix>%"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_* | where $source$ | stats count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

maria2691 · ‎02-07-2018

Thanks a ton @micahkemp. Got the results 🙂 Finally understood the logic behind it.

maria2691 · ‎02-06-2018

I have tried it without success @micahkemp.

I have to use the below search query search query since we should be showing only the first five characters and need to avoid few sources.

sourcetype=error
| where source like "GS01%" OR source like "CIS%" OR source like "CS%" OR source like "BoldChat%" OR source like "EC%" OR source like "ED%" OR source like "EIT%"OR source like "GPT%" OR source like "GS%"
| eval source=substr('source',1,5) | stats count by source

Hence, I have modified the source like below.

    <input type="checkbox" token="source" searchWhenChanged="true">
              <label>Source</label>
              <fieldForLabel>source</fieldForLabel>
              <fieldForValue>source</fieldForValue>
              <search>
                <query>sourcetype=ROI 
         | where source like "GS01%" OR source like "CIS%" OR source like "CS%" OR source like "BoldChat%" OR source like "EC%" OR source like "ED%" OR source like "EIT%"OR source like "GPT%" OR source like "GS%" 
         | eval source=substr('source',1,5) | stats count by source</query>
                <earliest>0</earliest>
                <latest></latest>
              </search>
              <choice value="">ALL</choice>
              <delimiter> OR </delimiter>
              <prefix>(</prefix>
              <suffix>)</suffix>
              <valuePrefix>source like "</valuePrefix>
              <valueSuffix>"</valueSuffix>
              <default>ALL</default>
              <initialValue>ALL</initialValue>
            </input>

And changed the panel query as sourcetype=* | where $source$

Even now the results are not as expected. Only when selecting ALL 2 results appear which is wrong. And others do not return any result.

Please help!

Thanks
Maria Arokiaraj

micahkemp · ‎02-06-2018

Looking at this further on a run anywhere dashboard, you need to include config such as:

      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>source="</valuePrefix>
      <valueSuffix>"</valueSuffix>

To fully craft your search to look like:

(source="source1" OR source="source2")

My entire input looks like this:

    <input type="checkbox" token="source" searchWhenChanged="true">
      <label>Source</label>
      <fieldForLabel>source</fieldForLabel>
      <fieldForValue>source</fieldForValue>
      <search>
        <query>index=_* | stats count by source</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="*">ALL</choice>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>source="</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>

And in your search for the pane, your query would look like:

<query>index=_* $source$ | stats count</query>

Note it's not source=$source$, as $source$ already addes the source= component to each selected option.

maria2691 · ‎02-06-2018

Hello @micahkemp

I have a restriction here to display some set of sources and only their first five characters. Hence I have updated the source for the checkbox like below.

 <input type="checkbox" token="source" searchWhenChanged="true">
              <label>Source</label>
              <fieldForLabel>source</fieldForLabel>
              <fieldForValue>source</fieldForValue>
              <search>
                <query>sourcetype=ROI 
         | where source like "GS01%" OR source like "CIS%" OR source like "CS%" OR source like "BoldChat%" OR source like "EC%" OR source like "ED%" OR source like "EIT%"OR source like "GPT%" OR source like "GS%" 
         | eval source=substr('source',1,5) | stats count by source</query>
                <earliest>0</earliest>
                <latest></latest>
              </search>
              <choice value="">ALL</choice>
              <delimiter> OR </delimiter>
              <prefix>(</prefix>
              <suffix>)</suffix>
              <valuePrefix>source like "</valuePrefix>
              <valueSuffix>"</valueSuffix>
              <default>ALL</default>
              <initialValue>ALL</initialValue>
            </input>

And changed the search query for panels like sourcetype=* | where $source$.

However I get result(wrong one) only when I select ALL. Selecting other options not even returning results.

Please help!

Thanks

micahkemp · ‎02-06-2018

Add in a % on your valueSuffix line:

<valueSuffix>%"</valueSuffix>

And make sure your search uses | where $source$

micahkemp · ‎02-06-2018

I wonder if it could be as simple as missing a space after the OR on line 15.

maria2691 · ‎02-06-2018

Tried adding a space after OR, @micahkemp. No luck 😞

maria2691 · ‎02-06-2018

Hello @mayurr98, @micahkemp, @somesoni2

Can any of you help me with this question?

Thanks
Maria Arokiaraj

Why is the Checkbox Input Filter Source in my dashboard not giving me results when making multiple selections?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases