Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a conditional search where certain search strings are run based on the radio button input chosen by a user?

purva13
Explorer
‎07-09-2015 04:02 PM

I am new to Splunk and trying to know more about it. I have a dashboard where I am taking inputs from user in the form of 'radio' buttons.
Now, I want my information to be filtered according to the user input. My radio buttons are Summary and details.

xxxx | eval e1 = if("$INFO or DEBUG$"=="INFO", search string 1, search string 2) | sort _time

If the user's input is INFO, it should append search string 1 into my original 'xxxx' query and if not, then search string 2 should be appended in original query. But this code is just creating a field e1 which has correct search string according to my if statement. How can I do this?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎07-09-2015 06:57 PM

Hi purva13,

You cannot do it this way, but you can do it in a different way. You can assign prefix and suffix to the radio buttons and use different values this way. Copy the below pasted XML into a new dashboard and it will show you how it can be done.

<form>
  <label>run search based on button</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="radio" token="field1" searchWhenChanged="true">
      <label>what to search?</label>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
      <choice value="*">all</choice>
      <choice value="splunkd">splunkd</choice>
      <choice value="splunkd_access">splunkd_access</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Search being run: index=_internal $$field1$$</title>
      <event>
        <search>
          <query>index=_internal $field1$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <fields>["host","source","sourcetype"]</fields>
      </event>
    </panel>
  </row>
</form>

Hope this helps and gets you started ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎07-09-2015 06:57 PM

Hi purva13,

You cannot do it this way, but you can do it in a different way. You can assign prefix and suffix to the radio buttons and use different values this way. Copy the below pasted XML into a new dashboard and it will show you how it can be done.

<form>
  <label>run search based on button</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="radio" token="field1" searchWhenChanged="true">
      <label>what to search?</label>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
      <choice value="*">all</choice>
      <choice value="splunkd">splunkd</choice>
      <choice value="splunkd_access">splunkd_access</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Search being run: index=_internal $$field1$$</title>
      <event>
        <search>
          <query>index=_internal $field1$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <fields>["host","source","sourcetype"]</fields>
      </event>
    </panel>
  </row>
</form>

Hope this helps and gets you started ...

cheers, MuS

Reply
Solved! Jump to solution

purva13
Explorer
‎07-10-2015 10:52 AM

Hey, that sounds interesting. But while trying that I am getting an error

XML Syntax Error: Cannot find object mapper for panel type: title
0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎07-09-2015 07:05 PM

Just to add, you can place search strings as well into the choice option like this:

<choice value="_audit">search index=_internal</choice>
<choice value="_internal">search index=_audit</choice>

and using a query option like this:

<query>$field1$</query>
0 Karma
Reply
Solved! Jump to solution

purva13
Explorer
‎07-10-2015 02:36 PM

But I don't want the query to be displayed to users. And I want it to be appended to original query.
Also, in the answer with suffix and prefix, are you talking about populating search?

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...