不同面板的条件令牌取决于仪表板 Splunk 中的令牌输入

Question

我正在尝试配置一个仪表板 Splunk，它使用令牌的输入来选择面板，并针对每个不同的令牌值进行特定搜索。

我想做的是类似的事情，我有这个输入：

 </input>
    <input type="dropdown" token="subtype">
      <label>Subtype</label>
      <default>ha</default>
      <choice value="ha">HA</choice>
      <choice value="vpn">VPN</choice>
      <choice value="system">SYSTEME</choice>
      <initialValue>ha</initialValue>
    </input>

我想创建一个不同的面板以根据令牌 $subtype$ 的值显示在仪表板中：

if $subtype$=ha
 <**panel 1**>
      <table>
        <search>
          <query>*Query for info HA*</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
if $subtype$=vpn
 <**panel 2**>
      <table>
        <search>
          <query>*Query for info vpn*</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
if $subtype$=system
 <**panel 3**>
      <table>
        <search>
          <query>*Query for info system*</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>

我看到一些使用向下钻取的解决方案，但我找不到如何直接使用令牌输入来完成它。

Answer 1

在

<input>

元素中设置标记，以控制应显示哪个面板。每个

<panel>

都有一个

depends

选项，只有在设置了指定的标记时才显示面板。

<form version="1.1" theme="dark">
  <label>Systeme Fortigate</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="subtype">
      <label>Subtype</label>
      <default>ha</default>
      <choice value="ha">HA</choice>
      <choice value="vpn">VPN</choice>
      <choice value="system">SYSTEME</choice>
      <initialValue>ha</initialValue>
      <change>
      <condition value="ha">
        <set token="show_HA_panel">1</set>
        <unset token="show_VPN_panel"/>
        <unset token="show_SYSTEME_panel"/>
      </condition>
      <condition value="vpn">
        <unset token="show_HA_panel"/>
        <set token="show_VPN_panel">1</set>
        <unset token="show_SYSTEME_panel"/>
      </condition>
      <condition value="system">
        <unset token="show_HA_panel"/>
        <unset token="show_VPN_panel"/>
        <set token="show_SYSTEME_panel">1</set>
      </condition>
      </change>
    </input>
    <input type="text" token="search">
      <label>Search</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel depends="$show_HA_panel$">
      <table>
        <title>HA Panel</title>
        <search>
          <query>index="fortigate" sourcetype=fortigate_event  subtype="$subtype$" $search$ 
| table  _time, level, action, devname, logdesc, sync_status, sync_type</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">50</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$show_VPN_panel$">
      <table>
        <title>VPN Panel</title>
        <search>
          <query>index="fortigate" sourcetype=fortigate_event  subtype="$subtype$" $search$ 
| table  _time, level, log_action, logdesc, role, status, tunnelname</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">50</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$show_SYSTEME_panel$">
      <table>
        <title>SYSTEME Panel</title>
        <search>
          <query>index="fortigate" sourcetype=fortigate_event  subtype="$subtype$" $search$ 
| table  _time, level, action, object_attrs, user,logdesc, msg</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">50</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Answer 2

谢谢，我按照你的建议做了，这是我的仪表板，我没有任何代码错误，但我没有看到任何提交，但是如果我在提交后尝试编辑，我可以看到 3 个面板正在加载资讯

<form version="1.1" theme="dark">
  <label>Systeme Fortigate</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="subtype">
      <label>Subtype</label>
      <default>ha</default>
      <choice value="ha">HA</choice>
      <choice value="vpn">VPN</choice>
      <choice value="system">SYSTEME</choice>
      <initialValue>ha</initialValue>
      <change>
      <condition value="HA">
        <set token="show_HA_panel">1</set>
        <unset token="show_VPN_panel"/>
        <unset token="show_SYSTEME_panel"/>
      </condition>
      <condition value="VPN">
        <unset token="show_HA_panel"/>
        <set token="show_VPN_panel">1</set>
        <unset token="show_SYSTEME_panel"/>
      </condition>
      <condition value="SYSTEME">
        <unset token="show_HA_panel"/>
        <unset token="show_VPN_panel"/>
        <set token="show_SYSTEME_panel">1</set>
      </condition>
      </change>
    </input>
    <input type="text" token="search">
      <label>Search</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel depends="$show_HA_panel$">
      <table>
        <search>
          <query>index="fortigate" sourcetype=fortigate_event  subtype="$subtype$" $search$ 
| table  _time, level, action, devname, logdesc, sync_status, sync_type</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="count">50</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$show_VPN_panel$">
      <table>
        <search>
          <query>index="fortigate" sourcetype=fortigate_event  subtype="$subtype$" $search$ 
| table  _time, level, log_action, logdesc, role, status, tunnelname</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="count">50</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$show_SYSTEME_panel$">
      <table>
        <search>
          <query>index="fortigate" sourcetype=fortigate_event  subtype="$subtype$" $search$ 
| table  _time, level, action, object_attrs, user,logdesc, msg</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="count">50</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

有什么想法吗？

不同面板的条件令牌取决于仪表板 Splunk 中的令牌输入

问题描述投票：0回答：2

2个回答

最新问题

不同面板的条件令牌取决于仪表板 Splunk 中的令牌输入

问题描述 投票：0回答：2

2个回答

最新问题

问题描述投票：0回答：2