topic Re: How to create dashboard which takes multiple(bulk) inputs ? in Splunk Search

How to create dashboard which takes multiple(bulk) inputs ?

splunkerer — Fri, 04 Jun 2021 07:51:27 GMT

Hello,

I am creating a dashboard, no matter which input can be used, but need is to paste multiple input into dashboard input and search them in a certain index.

for example:
I want to search comma delimited IP addresses such as

1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 --->input format is not a case, I can provide different formatted multiple data.

I want to paste these into input ( no matter which kind) and these will be formatted and created a search in the panel like below.

index=traffic src=1.1.1.1 OR src=2.2.2.2 OR src=3.3.3.3 OR src=4.4.4.4
| table _time src dst port

Please recommend how I can do it.

Thanks,

Re: How to create dashboard which takes multiple(bulk) inputs ?

kamlesh_vaghela — Fri, 04 Jun 2021 07:51:11 GMT

@splunkerer

Can you please try this?

My Sample Search :

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Re: How to create dashboard which takes multiple(bulk) inputs ?

splunkerer — Fri, 04 Jun 2021 08:23:09 GMT

Thanks for quick answer, It takes first IP, but not second IP unfortunately. Any idea about the issue?

| table _time src dst port

Re: How to create dashboard which takes multiple(bulk) inputs ?

kamlesh_vaghela — Fri, 04 Jun 2021 08:30:28 GMT

@splunkerer

It is working for me. Please refer my sample XML.

<form> <label>mutiliput</label> <fieldset submitButton="false"> <input type="text" token="field1"> <label>field1</label> <default>*</default> </input> </fieldset> <row> <panel> <table> <search> <query>index="_internal" [| makeresults | eval date_second="$field1$" | eval date_second=split(date_second,",") | mvexpand date_second | table date_second] | stats count by date_second</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form>

Still you to found issue then please share your sample XML as well.

Thanks

Re: How to create dashboard which takes multiple(bulk) inputs ?

splunkerer — Fri, 04 Jun 2021 08:51:23 GMT

same unfortunately, the first value is taken but not rest of them.

<form>
<label>mutiliput</label>
<fieldset submitButton="false">
<input type="text" token="field1">
<label>field1</label>
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index="traffic" [| makeresults | eval src="$field1$" | eval src=split(src,",") | mvexpand src | table src] | table src, dst</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>

Re: How to create dashboard which takes multiple(bulk) inputs ?

kamlesh_vaghela — Fri, 04 Jun 2021 09:44:06 GMT

@splunkerer

Can you please try this?

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Re: How to create dashboard which takes multiple(bulk) inputs ?

splunkerer — Fri, 04 Jun 2021 16:11:02 GMT

Thanks a lot, this is working. In the first try, I provided input with space after the comma, so that is why it was not working.