topic Re: Input multiple values into a dashboard input in Splunk Search

Input multiple values into a dashboard input

jkalra — Tue, 29 Sep 2020 20:08:30 GMT

I want to be able to pass multiple values to a field in a dashboard "Endpoint" . Like in the Endpoint Input I want to be able to pass "hostname1 , hostname2 , hostname3" . I dont want to be creating a drilldown. It should be a plain text input with either a "," delimiter or space. Following is my XML code.

  <label>Endpoint</label>
  <prefix>"</prefix>
  <suffix>*"</suffix>
    </input>


<panel>
  <title>Endpoint Logging Status</title>
  <table>
    <search>
      <query>""index=xyz sourcetype=xyz orig_index=$idx_name$ orig_sourcetype=$st_name$ orig_sourcetype!=stash orig_index!=scratch_01 orig_index!=hpam orig_index!=bsm orig_index!=avs orig_index!=itim orig_index!=ists orig_index!=clm_reports

orig_index!=complianceverification orig_host!=xyz orig_host=$splunk_host$ |[search index=xyz sourcetype=xyz orig_index=$idx_name$ orig_sourcetype=$st_name$ orig_sourcetype!=stash orig_index!=scratch_01 orig_index!=hpam orig_index!=bsm orig_index!=avs orig_index!=itim orig_index!=ists orig_index!=clm_reports
orig_index!=complianceverification orig_host!=xyz orig_host=$splunk_host$ |eval orig_host="$splunk_host$" | makemv orig_host delim="," | mvexpand orig_host | rex field=orig_host mode=sed "s/^\s+//g s/\s+$//g"] | rename orig_host AS host |stats max(lastTime) as lastTime by orig_index host orig_sourcetype | lookup xyz_asset_ownership_wildcard src_host AS host OUTPUTNEW organization_unit | lookup xyz_asset_ownership_wildcard src_ip AS host OUTPUTNEW organization_unit | eval organization_unit=coalesce(organization_unit, "UNKNOWN") | search organization_unit=$coe$ | eval age = now() - lastTime | eval status=case(age < 14400,"Active",age < 86400,"INACTIVE (4-24hrs)",age < 259200,"INACTIVE (1-3days)",age < 604800,"INACTIVE (3-7days)",age < 2592000,"INACTIVE (7-30days)",age >= 2592000,"INACTIVE > 30days") | convert ctime(lastTime) | stats list(lastTime) AS data_last_seen, list(orig_index) AS index, list(orig_sourcetype) AS sourcetype, values(organization_unit) AS "COE", list(status) AS status by host""
$time.earliest$
$time.latest$

Re: Input multiple values into a dashboard input

Sukisen1981 — Sat, 23 Jun 2018 11:39:11 GMT

Hi,

Hmm interesting use case. How is the user going to select a value displayed in a text input?
I mean say you have something like - hostname1,hostname2,hostname3 displayed within a single text box, how is a selection on hostname going to be made by the user?
You say that you do not need a drilldown, which I assume to mean that user selection on hostname does not have any processing on the panel based on the selected hostname?
If so, then what is the point of having an input token? I am not understanding your use case.
What i do suggest is using the multiselect option - having something like index=<your index>| dedup host in the search query inside your token
or
have a drop down token and have your search as something like - index="your index"| stats values(host) as hostname | eval hostname=mvjoin(hostname,",") AND select your inital and default value in the input token settings to this one field.
Since, we are joining all available host values into 1 single field the result will always be one single field with all hostanmes separated by a comma delimiter. Since we select this one field as both initial and default values in the input token the dashboard will always have only this one value

Re: Input multiple values into a dashboard input

jkalra — Tue, 26 Jun 2018 14:35:54 GMT

Hi Sukisen,

The user will not select a value. He/she will input something like in the Endpoint field on the dashboard. I will try multiselect and see if it helps