topic Create Dynamic Drop-down in Splunk Search

Create Dynamic Drop-down

CoryC — Mon, 11 Mar 2024 21:39:06 GMT

I am trying to create a dashboard to examine group policy processing errors. I would like to create a drop-down based on the values returned for EventCode which is the Windows EventID.

1. How do I create a dynamic drop-down to show the EventIDs (EventCode) returned by the search?

2. I see you can enter a whole new search, but technically that is different than the main search, right? How do I base it on the main search?

3. What are Label (fieldForLabel) and Value (fieldForValue) for? Why are they required?

<form version="1.1" theme="light"> <label>GP Errors</label> <fieldset submitButton="true" autoRun="false"> <input type="time" token="field1"> <label></label> <default> <earliest>-90m@m</earliest> <latest>now</latest> </default> </input> <input type="text" token="Computername"> <label>Computer Name</label> <default>*</default> </input> <input type="dropdown" token="EventID"> <label>Event ID</label> <choice value="*">All</choice> <default>*</default> <initialValue>*</initialValue> <fieldForLabel>EventID</fieldForLabel> <fieldForValue>EventID</fieldForValue> <search> <query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error | stats values(EventCode)</query> <earliest>-90m@m</earliest> <latest>now</latest> </search> </input> </fieldset> <row> <panel> <table> <search> <query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error host=$Computername$ EventCode=$EventID$ | table host, EventCode, Message, _time | rename host AS Host, EventCode AS EventID | sort _time desc</query> <earliest>-90m@m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> </form>

Re: Create Dynamic Drop-down

ITWhisperer — Mon, 11 Mar 2024 23:09:53 GMT

The events returned by the search can have multiple fields,; the fieldsFor... elements defile which fields from the search are used for the label and which is used for the value.

Re: Create Dynamic Drop-down

bowesmana — Tue, 12 Mar 2024 06:02:31 GMT

To make a common search, use a base search that is then used by both other searches. The details will need to be common enough.

Your main table has a search window of 90m - do you expect a large number of events in this data set. This table does not really do any aggregations, so using this as a base search is not really good idea. You would need 3 searches, the base and one for the dropdown and the other for the data table.

See this (untested) and compare it to your dashboard - it fixes your dropdown issue, creates a base search used by the other two searches and they all use the same time picker values.

<form version="1.1" theme="light"> <label>GP Errors</label> <search id="base"> <query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error | stats count by _time host EventCode Message | rename host AS Host, EventCode AS EventID </query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> <sampleRatio>1</sampleRatio> </search> <fieldset submitButton="true" autoRun="false"> <input type="time" token="field1"> <label></label> <default> <earliest>-90m@m</earliest> <latest>now</latest> </default> </input> <input type="text" token="Computername"> <label>Computer Name</label> <default>*</default> </input> <input type="dropdown" token="EventID"> <label>Event ID</label> <choice value="*">All</choice> <default>*</default> <initialValue>*</initialValue> <fieldForLabel>EventID</fieldForLabel> <fieldForValue>EventID</fieldForValue> <search base="base"> <query> | stats count by EventID</query> </search> </input> </fieldset> <row> <panel> <table> <search base="base"> <query> search Host=$Computername$ EventID=$EventID$ | table Host, EventID, Message, _time count | sort - _time</query> </search> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> </form>

Note that you also need to consider dependencies - should the list of eventids in the dropdown be ones that are found only for the entered computer? If not, then when you select an ID it may not exist.

Re: Create Dynamic Drop-down

bowesmana — Tue, 12 Mar 2024 06:03:06 GMT

See this for base search documentation

https://docs.splunk.com/Documentation/Splunk/9.2.0/Viz/Savedsearches

Re: Create Dynamic Drop-down

CoryC — Thu, 14 Mar 2024 18:44:34 GMT

Thank you, This worked for what I asked for. Group Policy runs every 90-120 minutes so this should return most PCs with errors without duplicating them. We have about 1000 computers and seem to have about 100 with errors, so this will return about 100 results for the 90 min. 90 min is all I really need to search, maybe 120, but I chose 90. I can dig into the data more after getting these quick results. I did realize I probably need all results, not just errors if I Enter a PC, but I can work on that. I think if I enter a PC, I want all EventIDs, and if I enter an EventID, I want all PCs with that EventID.

Thank you again. This is working as asked.