Drop down in Search Result

alexspunkshell — Sun, 07 Mar 2021 04:19:38 GMT

I want to have drop down in my Dashboard's search result like "New Alert" "In-Progress" "Resolved" in Status field. Please help here.

Re: Drop down in Search Result

ITWhisperer — Sun, 07 Mar 2021 07:43:15 GMT

No idea what you are asking for here - there is no Status field in your image and the values you mentioned don't appear either. Where would a dropdown fit into this scenario? What would be the purpose of the dropdown? What have you tried so far?

Re: Drop down in Search Result

gcusello — Sun, 07 Mar 2021 09:28:40 GMT

Hi @alexspunkshell,

it's not possible to add a status field to your events to trace the life of the alert, but you could save the results of an alert in a lookup and manually change the status of one of your results using the Lookup Editor.

It's also possible to modify the lookup using a JS or a Splunk Search but it isn't so easy and difficoult to describe in an answer.

this is a dashboard the I used to create a simple Case Manager that you could use as example to manage your Cases:

<form> <label>Manage New Cases</label> <row> <panel> <table id="master"> <title>Total New Cases = $server_count$</title> <search> <query> | inputlookup my_cases WHERE Status="Open" | eval Time=strftime(TimeStamp,"%d/%m/%Y %H:%M:%S"), key=_key | table key Time Alert_Name Description Status Notes User_Name TimeStamp </query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> <progress> <set token="server_count">$job.resultCount$</set> </progress> <cancelled> <unset token="server_count"></unset> </cancelled> </search> <fields>_key, Time, Alert_Name, Description, Status, Notes, User_Name</fields> <option name="count">10</option> <option name="dataOverlayMode">none</option> <option name="drilldown">row</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <drilldown> <set token="key">$row.key$</set> <set token="timestamp">$row.TimeStamp$</set> <set token="alertname">$row.Alert_Name$</set> <set token="description">$row.Description$</set> <set token="status">$row.Status$</set> <set token="notes">$row.Notes$</set> <set token="username">$row.User$</set> </drilldown> </table> </panel> </row> <row> <panel> <title>Modify Row</title> <input type="dropdown" token="status_to_update"> <label>Status</label> <default>$status$</default> <search> <query/> </search> <choice value="Open">Open</choice> <choice value="Closed">Closed</choice> <choice value="Work-in-progress">Work-in-progress</choice> <choice value="Escalation">Escalation</choice> <choice value="Stand-By">Stand-By</choice> </input> <input type="text" token="notes_to_update"> <label>Add Notes</label> <default>$notes$</default> </input> <table id="detail" depends="$key$"> <title>Row to modify</title> <search> <query> | makeresults 1 | eval key="$key$", TimeStamp="$timestamp$", Alert_Name="$alertname$", Description="$description$", Status="Work-in-progress", Notes="$notes_to_update$", Time=strftime($timestamp$,"%d/%m/%Y %H:%M:%S") | appendcols [ | rest /services/authentication/current-context | rename username AS User_Name | fields User_Name] | table key Time TimeStamp Alert_Name Description Status Notes User_Name </query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <fields>_key, Time, Alert_Name, Description, Status, Notes, User_Name</fields> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">row</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <drilldown> <set token="status_updated">$row.Status$</set> <set token="notes_updated">$row.Notes$</set> <set token="username_updated">$row.User_Name$</set> </drilldown> </table> </panel> </row> <row> <panel> <table id="detail2" depends="$status_to_update$"> <title>Modified Lookup row</title> <search> <query> | inputlookup my_cases | eval Status=if(_key="$key$","$status_updated$",Status), Notes=if(_key="$key$","$notes_updated$",Notes), User_Name=if(_key="$key$","$username_updated$",User_Name) | search _key="$key$" | outputlookup my_cases append=true | eval key=_key | collect addtime=true index=summary_alerts | eval Time=strftime(TimeStamp,"%d/%m/%Y %H:%M:%S"), key=_key | table key Time TimeStamp Alert_Name Description Status Notes User_Name </query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <fields>_key, Time, Alert_Name, Description, Status, Notes, User_Name</fields> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> </form>

in few words:

I list all the cases to assign,
I choose the one to take in charge clicking on a record,
I give the values the the fields (account name, staus and notes,
I save the given values in the row of the lookup (KV Store).

As I said it isn't so easy!

Ciao.

Giuseppe

Re: Drop down in Search Result

alexspunkshell — Sun, 07 Mar 2021 16:59:32 GMT

@gcusello @ITWhisperer Thanks for your reply.

In index=graphsecurityalert I am getting the logs for alerts.

In my dashboard I want a dropdown for the alert's status like "New Alert" "In Progress" "Resolved" "Dismissed".

I need to change the status of the alert upon investigation. Could u please help here.

Re: Drop down in Search Result

gcusello — Mon, 08 Mar 2021 07:25:22 GMT

Hi @alexspunkshell,

to have the dropdown in each row you have to use JavaScripts.

I cannot help you!

but see my dashboard.

Ciao.

Giuseppe

topic Re: Drop down in Search Result in Dashboards & Visualizations

Drop down in Search Result

Re: Drop down in Search Result

Re: Drop down in Search Result

Re: Drop down in Search Result

Re: Drop down in Search Result