我在 Splunk 8.1 上尝试创建动态仪表板。我正在尝试创建一个multisearch查询,其搜索将基于用户单击的复选框。
<input type="time" token="field1">
<label>Time</label>
<default>
<earliest>-15m</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="userinput1">
<label>User Input 1</label>
</input>
<input type="text" token="userinput2">
<label>User Input 2</label>
</input>
<input type="checkbox" token="indexesSelected" searchWhenChanged="true">
<label>Indexes</label>
<choice value="[search index=index1 $userinput1$ $userinput2$]">Index 1</choice>
<choice value="[search index=index2 $userinput1$ $userinput2$]">Index 2</choice>
<default></default>
<initialValue></initialValue>
<delimiter> </delimiter>
<prefix>| multisearch [eval test1="test1"] [eval test2="test2"] </prefix>
</input>
搜索部分如下所示:
<search>
<query>$indexesSelected$
| table _time, index, field1, field2, field3, field4
| sort Time
</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
这按预期工作,只是最终查询如下所示:
| multisearch [eval test1="test1"] [eval test2="test2"]
[search index=index1 $userinput1$ $userinput2$]
[search index=index2 $userinput1$ $userinput2$]
如何制作这些$userinput1$并$userinput2$从仪表板中的用户输入转换为它们的令牌值,而不是作为文字字符串。
我尝试使用<change>标签来使用eval并set基于<condition>用户选择的标签,但eval不允许令牌值并仅用文字字符串替换。像这样的东西:
<change>
<condition match="like($indexesSelected$,"%index1%")">
<eval token="finalQuery">replace($indexesSelected$,"index1", "[search index=index1 $userinput1$ $userinput2$]")</eval>
</condition>
<condition match="like($indexesSelected$,"%index2%")">
<eval token="finalQuery">replace($indexesSelected$,"index2", "[search index=index2 $userinput1$ $userinput2$]")</eval>
</condition>
</change>