Re: Checkbox usage in splunk dashboard

bharathkumarnec · ‎12-27-2017

Hi All,

I am using 5 checkboxes and when i select any of the checkbox then only corresponding chart will be visible, challenge here is even though i select the checkbox or not, query for all the 5 checkboxes are running backend.

So checkbox is only giving me the option of hide & visibility.

Kindly help me out if this is the purpose of the checkbox and also is there anyway that only when selected a chart query has to run.

Regards,
BK

kamlesh_vaghela · ‎12-27-2017

Hi @bharathkumarnec,

Can you please try this dashboard XML?

<form>
  <label>Search on click of Check Box </label>
  <fieldset submitButton="false">
    <input type="checkbox" token="tkn_chk1">
      <label>Check box 1</label>
      <choice value="true">Chk1</choice>
      <change>
        <condition value="true">
          <set token="chkA"></set>
        </condition>
        <condition value="*">
          <unset token="chkA"></unset>
        </condition>
      </change>
    </input>
    <input type="checkbox" token="tkn_chk2">
      <label>Check box 2</label>
      <choice value="true">Chk2</choice>
      <change>
        <condition value="true">
          <set token="chkB"></set>
        </condition>
        <condition value="*">
          <unset token="chkB"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$chkA$">
      <table>
        <title>Panel 1</title>
        <search>
          <query>index=_internal  $chkA$ | stats count by sourcetype</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$chkB$">
      <table>
        <title>Panel 2</title>
        <search>
          <query>index=_internal  $chkB$ | stats count by source</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Thanks

bharathkumarnec · ‎12-28-2017

So how will be the token $chkA$ & $chkB$ will take affect to my queries??

micahkemp · ‎12-27-2017

You can use some trickery to accomplish what you're looking for.

Try having your checkbox set a value that is essentially a "no-op" in your search. For example, if your panel runs a typical indexed search like index=main sourcetype=firewall src=$src$ dest=$dest$, you could have your checkbox set its value to the implied search command. The search would then look like this: $checkbox$ index=main sourcetype=firewall src=$src$ dest=$dest$. When your checkbox is selected the $checkbox$ token will get replaced with the search command and the search will kick off.

The key to having the search not running in the background is to make sure that the query contains a token that isn't defined until your checkbox is selected.

Checkbox usage in splunk dashboard

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...