So I am trying to create a searchbox that when text is entered it appends what is searched into each panel on the dashboard.
For example I want to be able to type in a username and have every panel change it's results to uniquely show for the username that was entered.
Please help, thank you.
Add a text input, set the token name for instance to user and set the default and initial values to *
.
In each of your dashboard search queries, add something like: | search user=$user$
. Of course highly dependent on the exact fieldname that holds the username in your case, but the concept is the same.
There is one small caveat with doing this: it will prevent results without a user value from ever showing up. If you want to show also results without a username when no search is entered, then it gets a bit more complicated.
Hi @bryceweb22,
You can find an example here in the documentation on how to configure a text input :
https://docs.splunk.com/Documentation/Splunk/latest/Viz/FormEditor#Text_input
An example of input and how to use it here :
https://docs.splunk.com/Documentation/Splunk/7.3.0/Viz/Buildandeditforms#Basic_form_example
Here's a tested simple example that takes a value from the text field and shows it in a table, you can copy paste this and use it:
<form>
<label>My New Dashboard</label>
<fieldset submitButton="false">
<input type="text" token="Text_Token">
<label>Text search</label>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="time" token="field2">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Testing token</title>
<search>
<query>| makeresults | eval A="$Text_Token$"</query>
<earliest>$field2.earliest$</earliest>
<latest>$field2.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
Let me know if that helps. In the example above the time applied is always from the time picker, so you can modify that from there if needed.
Cheers,
David
Add a text input, set the token name for instance to user and set the default and initial values to *
.
In each of your dashboard search queries, add something like: | search user=$user$
. Of course highly dependent on the exact fieldname that holds the username in your case, but the concept is the same.
There is one small caveat with doing this: it will prevent results without a user value from ever showing up. If you want to show also results without a username when no search is entered, then it gets a bit more complicated.
I have done all this and I just get no results found.
Then please share your dashboard xml (or at least the relevant parts of it).
<input type="time" token="TimeRangePkr" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="user" searchWhenChanged="true">
<label>Enter ID</label>
index=* sourcetype=* host=*
| rex ".*\s(?P<Time_Taken>\d+)$$$$"
| stats count by Time_Taken
| sort 20 -Time_Taken
| search user=$user$
After | stats count by Time_Taken
you don't have a field called user. So in your case, add the user="$user$"
to the first line of your search, rather than in a separate search command at the bottom.
gotcha, well it still isn't working I think because when the username is being passed into $user$ it has user= before it and I just need the username to show up not the user= before it.
Got it to work, really appreciate the help and the reasonable response times!
Also how far back does this search?