topic How to implement a logic to build dashboard using the token as a common input field for all the panels? in Dashboards & Visualizations https://community.splunk.com/t5/Dashboards-Visualizations/How-to-implement-a-logic-to-build-dashboard-using-the-token-as-a/m-p/429253#M28277 <P>Hi All,<BR /> Currently, I have been requested to build a dashboard to pull the IP address information from various sources of an index.<BR /> Based on the requirement, I had created a two common input field (Text input and Time picker input) using the token to sync the value to all the panels.</P> <P>Dashboard Panel output Details:<BR /> 1) Host Name (DNS resolved lookup) <BR /> 2) DNS queries for this IP address<BR /> 3) DHCP history for this IP address<BR /> 4) Firewall log for this IP address <BR /> 5) Proxy log for this IP address <BR /> 6) Citrix connection for this IP address</P> <P>All the above dashboard panels share different index details but they have these one field common "src".</P> <P>Challenge: using the common field "src" I have passed the token value but I am finding it difficult to get the output for all the six dashboard panels.</P> <P>EXample:</P> <P>Suppose if the IP address is 10.140.20.22, when this applied in the input token and filter with time picker, I am getting the output to some of the dashboard panels, for other dashboards it shows no result found.</P> <P>Query Details:<BR /> Dashboard 1:</P> <PRE><CODE>index=network sourcetype=infoblox:network:dhcp src="$IP$" | dedup src | lookup dnslookup clientip as src OUTPUT clienthost as Hostname | table Hostname </CODE></PRE> <P>Dashboard 5:</P> <PRE><CODE>index=application sourcetype=citrix:netscaler:syslog | rex field=src "(?(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}))" | search src="$IP$" | rename src as Source |table Source Destination NatIP Vserver dvc </CODE></PRE> <P>In this panel, I am getting no result found. </P> <P>Exact requirement: </P> <P>Need to know whether the logic is correct by taking the common field as "SRC" and passing the input value to this field. </P> <P>Kindly guide me on this.</P> Tue, 29 May 2018 05:59:28 GMT Hemnaath 2018-05-29T05:59:28Z How to implement a logic to build dashboard using the token as a common input field for all the panels? https://community.splunk.com/t5/Dashboards-Visualizations/How-to-implement-a-logic-to-build-dashboard-using-the-token-as-a/m-p/429253#M28277 <P>Hi All,<BR /> Currently, I have been requested to build a dashboard to pull the IP address information from various sources of an index.<BR /> Based on the requirement, I had created a two common input field (Text input and Time picker input) using the token to sync the value to all the panels.</P> <P>Dashboard Panel output Details:<BR /> 1) Host Name (DNS resolved lookup) <BR /> 2) DNS queries for this IP address<BR /> 3) DHCP history for this IP address<BR /> 4) Firewall log for this IP address <BR /> 5) Proxy log for this IP address <BR /> 6) Citrix connection for this IP address</P> <P>All the above dashboard panels share different index details but they have these one field common "src".</P> <P>Challenge: using the common field "src" I have passed the token value but I am finding it difficult to get the output for all the six dashboard panels.</P> <P>EXample:</P> <P>Suppose if the IP address is 10.140.20.22, when this applied in the input token and filter with time picker, I am getting the output to some of the dashboard panels, for other dashboards it shows no result found.</P> <P>Query Details:<BR /> Dashboard 1:</P> <PRE><CODE>index=network sourcetype=infoblox:network:dhcp src="$IP$" | dedup src | lookup dnslookup clientip as src OUTPUT clienthost as Hostname | table Hostname </CODE></PRE> <P>Dashboard 5:</P> <PRE><CODE>index=application sourcetype=citrix:netscaler:syslog | rex field=src "(?(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}))" | search src="$IP$" | rename src as Source |table Source Destination NatIP Vserver dvc </CODE></PRE> <P>In this panel, I am getting no result found. </P> <P>Exact requirement: </P> <P>Need to know whether the logic is correct by taking the common field as "SRC" and passing the input value to this field. </P> <P>Kindly guide me on this.</P> Tue, 29 May 2018 05:59:28 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-implement-a-logic-to-build-dashboard-using-the-token-as-a/m-p/429253#M28277 Hemnaath 2018-05-29T05:59:28Z Re: How to implement a logic to build dashboard using the token as a common input field for all the panels? https://community.splunk.com/t5/Dashboards-Visualizations/How-to-implement-a-logic-to-build-dashboard-using-the-token-as-a/m-p/429254#M28278 <P>Hey,</P> <P>your regex/rex is broken.</P> <P>You use <CODE>rex field=src "(?(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})).</CODE><BR /> When you put that regex into regex101.com, <A href="https://regex101.com/r/940sMz/1">you'll see it's not valid</A>.</P> <P>So, let's start by fixing the regex - use <CODE>rex "(?&lt;src&gt;(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3}))</CODE>.</P> <P>I also removed the <CODE>src=field</CODE>, because that does tell <CODE>rex</CODE> in which field to search, not to which field to extract to.<BR /> You most likely want to use in the complete event (which would be <CODE>field=_raw</CODE>, which is also the default for <CODE>rex</CODE>).</P> <P>So, the line above should properly extract the IP address to the src field, and you should be able to search for it with your token.</P> <P>Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 29 May 2018 07:03:00 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-implement-a-logic-to-build-dashboard-using-the-token-as-a/m-p/429254#M28278 xpac 2018-05-29T07:03:00Z