topic Re: Change search depending on dropdown in Dashboards & Visualizations

Change search depending on dropdown

chrispounds — Thu, 25 Apr 2019 15:11:43 GMT

Hi peeps,

I'd like to add a dropdown to my dashboard panel, which populates with "src" for the user to select, then based on what "src" is selected, it changes the panels below it. How easy is this to achieve? I've attached my current XML, in case this helps anyone understand what i'd like to achieve!

I've tried playing with the dropdown input in the UI, but i can't seem to get my head around what to put in what boxes!

Many thanks,
Chris

<form theme="dark">
  <label>Humbert root Logins</label>
  <description>Track Root logins on humbert.ex.ac.uk</description>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
<panel>
  <title>Root Logins</title>
  <single>
    <search>
      <query>index=osnixsec src=humber.ex.ac.uk user=root AND action=failure 
| stats count</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
      <sampleRatio>1</sampleRatio>
      <refresh>5m</refresh>
      <refreshType>delay</refreshType>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="drilldown">all</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">["0x53a051","0x006d9c","0xf8be34","0xdc4e41"]</option>
    <option name="rangeValues">[0,30,50]</option>
    <option name="refresh.display">progressbar</option>
    <option name="showSparkline">1</option>
    <option name="showTrendIndicator">1</option>
    <option name="trellis.enabled">0</option>
    <option name="trellis.scales.shared">1</option>
    <option name="trellis.size">medium</option>
    <option name="trendColorInterpretation">standard</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="underLabel">Number of attempted logins</option>
    <option name="unitPosition">after</option>
    <option name="useColors">1</option>
    <option name="useThousandSeparators">1</option>
  </single>
</panel>
</row>
<row>
<panel>
  <title>Destination Root attempts from Humbert</title>
  <table>
    <search>
      <query>index=osnixsec src=humbert.ex.ac.uk user=root AND action=failure  
  | stats count by dest 
  | sort -count 
  | rename dest as "Destination Host"</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
      <sampleRatio>1</sampleRatio>
      <refresh>5m</refresh>
      <refreshType>delay</refreshType>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="percentagesRow">false</option>
    <option name="refresh.display">progressbar</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Re: Change search depending on dropdown

adonio — Fri, 26 Apr 2019 02:14:28 GMT

Use the code below to understand how to "tokenize" the source field
for your code, replace the search which generates the tokens with index=osnixsec src=* | stats count by src | table src

<form>
  <label>Dropdown Source</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="SRC">
      <label>Chhose Source</label>
      <fieldForLabel>source</fieldForLabel>
      <fieldForValue>source</fieldForValue>
      <search>
        <query>index= _internal source=* 
| stats count by source
| table source</query>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">ALL</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index = _internal source=$SRC$ | stats count by source</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <chart>
        <title>Over Time</title>
        <search>
          <query>index=_internal source="$SRC$" | timechart count by source</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</form>

hope it helps

Re: Change search depending on dropdown

chrispounds — Fri, 26 Apr 2019 09:24:40 GMT

Hi adonio,

Thank you - so i implemented that into a test dashboard and changed the query's to match mine. But when i select the dropdown, all i get is the ALL value, not a list of available "src" values, do i need to adjust the choice value tag also?

Many thanks for your help!

Re: Change search depending on dropdown

adonio — Fri, 26 Apr 2019 11:48:31 GMT

<label>Dropdown Source</label>
   <fieldset submitButton="false">
     <input type="dropdown" token="SRC">
       <label>Chhose Source</label>
       <fieldForLabel>src</fieldForLabel>
       <fieldForValue>src</fieldForValue>
       <search>
         <query>index= index=osnixsec src=* | stats count by src | table src</query>
         <earliest>-4h@m</earliest>
         <latest>now</latest>
       </search>
       <choice value="*">ALL</choice>
       <default>*</default>
       <initialValue>*</initialValue>
     </input>
   </fieldset>

Re: Change search depending on dropdown

chrispounds — Fri, 26 Apr 2019 12:41:01 GMT

thanks adonio for your assistance, this doesn't actually give me a list in the dropdown. All it contains is "ALL" in capitals and doesn't list available src's to select. The queries run ok, but the dropdown isn't populating with the results from "src"

Many thanks,

Re: Change search depending on dropdown

adonio — Fri, 26 Apr 2019 12:45:22 GMT

i see the problem
look at the query i put - it has index= index=osnixsec src=*
itll break your search
remove the first index=

so you will only have:

<query>index=osnixsec src=* | stats count by src | table src</query>

Re: Change search depending on dropdown

chrispounds — Fri, 26 Apr 2019 12:53:45 GMT

Yes that got it! fantastic adonio thank you! I should of proof read it also, lesson learnt! 😄