Splunk dashboard dynamic filter by multiple filter tokens

elend — Wed, 24 Jul 2024 13:29:22 GMT

I created a splunk dashboard that has a lot of filters (multiple dropdowns), and text input with different tokens, and with dynamic tables too. I want make it dynamic foreach filter that I choose, but for now it still can't be dynamic for every existing output and filter.
Here my xml:

<form version="1.1" theme="dark"> <label>Dashboard Overview</label> <fieldset submitButton="false"> <input type="time" token="global_time" searchWhenChanged="true"> <label>Select Time</label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="owner" searchWhenChanged="true"> <label>Select Owner</label> <choice value="*">All</choice> <default>*</default> <initialValue>*</initialValue> <fieldForLabel>owner</fieldForLabel> <fieldForValue>owner</fieldForValue> <search> <query>index=db_warehouse | dedup owner | fields owner | table owner</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> </input> <input type="dropdown" token="hostname" searchWhenChanged="true"> <label>Select Hostname</label> <choice value="*">All</choice> <default>*</default> <fieldForLabel>hostname</fieldForLabel> <fieldForValue>hostname</fieldForValue> <search> <query>index=db_warehouse hostname=$hostname$ owner=$owner$ ipaddress=$ipaddress$ cve=$cve$ cve=$cve$ | dedup hostname | fields hostname | table hostname</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <initialValue>*</initialValue> </input> <input type="dropdown" token="ipaddress" searchWhenChanged="true"> <label>Select by IP Address</label> <choice value="*">All</choice> <default>*</default> <fieldForLabel>ipaddress</fieldForLabel> <fieldForValue>dest</fieldForValue> <search> <query>index=db_warehouse | search hostname=$hostname$ owner=$owner$ ipaddress=$ipaddress$ cve=$cve$ | dedup dest | fields dest | table dest</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> </input> <input type="text" token="cve"> <label>Search CVE</label> <default>*</default> </input> </fieldset> <table> <title>Detail Information Table</title> <search> <query>index=db_warehouse | fields _time, hostname, dest, mac_address, vulnerability_title, os_version, os_description, severity, cvss_score, last_assessed_for_vulnerabilities, solution_types,cve, owner, dest_category | search hostname=$hostname$ owner=$owner$ ipaddress=$ipaddress$ cve=$cve$ | rename dest as ip, dest_category as category | table _time, hostname, ip, mac_address, vulnerability_title, owner, category, cve, os_version, os_description, severity, cvss_score, last_assessed_for_vulnerabilities, solution_types | dedup hostname</query> <earliest>$global_time.earliest$</earliest> <latest>$global_time.latest$</latest> </search>

Is there any reference or solution for this?

Re: Splunk dashboard dynamic filter by multiple filter tokens

ITWhisperer — Wed, 24 Jul 2024 13:57:36 GMT

It is not clear what you are trying to achieve here - you already have your tokens in your table search!

btw, your ipaddress dropdown has a fieldForLabel with is not returned by the search.

Re: Splunk dashboard dynamic filter by multiple filter tokens

elend — Wed, 24 Jul 2024 16:03:42 GMT

sorry if it's not clear,
For example, there is
Hostnames A, B, C
is X owner

Hostnames D, E, F
is the Y owner.

I want each filter to be bound to tokens on other filters. So, for example, if I set the owner filter to value X, the dropdown on Hostname filter only displays A, B, C. Or if I choose hosntname A, the owner filter only show X value, is it possible?

Re: Splunk dashboard dynamic filter by multiple filter tokens

elend — Thu, 25 Jul 2024 12:02:36 GMT

to make it clear about the existing condition. There is a list of hostname & ip that have different owner, also null owner and by default the hostname dropdown only show list hostname that have owner value, and not show the hostname that doesnt have owner. How to refine this?
Following is the related capture:

and this for the search output:

topic Re: Splunk dashboard dynamic filter by multiple filter tokens in Splunk Search

Splunk dashboard dynamic filter by multiple filter tokens

Re: Splunk dashboard dynamic filter by multiple filter tokens

Re: Splunk dashboard dynamic filter by multiple filter tokens

Re: Splunk dashboard dynamic filter by multiple filter tokens