Hi Team,
I created a customized dashboard for my PCI DSS number 10 requirements.
I have 2 drop-down lists (one for our server environment, one for PCI requirement 10).
1. On the first drop-down list, here are the options that I created: ServerEnv1, ServerEnv2, ServerEnv3, ServerEnv4
2. On the 2nd drop-down list: 10.2.2, 10.2.3, 10.2.4, 10.2.5a, 10.2.5b, 10.2.5c
3. If I choose "ServerEnv1" on the first drop-down list, the 2nd drop-down list will reflect "10.2.3, 10.2.4 and 10.2.5a", and if I choose "ServerEnv2", the 2nd drop-down list will be "10.2.2" only. Then for ServerEnv3 and ServerEnv4, all of the list on the 2nd drop-down list will be reflected.
Hoping you can help me with how to construct this using XML commands.
Thanks in advance, ALLAN
How can I add the lookup that I created, for example version_servers_mapping.csv? Where do I assign this?
For lookup, you can find an example here:
https://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/LookupexampleinSplunkWeb
Response with lookup:
In Settings > Lookups, add the lookup file.
For example, I created the CSV file version_servers_mapping.csv with content:
"servers","versions"
"ServerEnv1","10.2.3,10.2.4,10.2.5a"
"ServerEnv2","10.2.2"
"ServerEnv3","10.2.3,10.2.4,10.2.5a,10.2.2"
"ServerEnv4","10.2.3,10.2.4,10.2.5a,10.2.2"
And I used it in the dashboard like this:
<form>
  <label>test</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokServer" searchWhenChanged="true">
      <label>Select Server</label>
      <fieldForLabel>servers</fieldForLabel>
      <fieldForValue>servers</fieldForValue>
      <search>
        <query>
          | inputlookup version_servers_mapping.csv | table servers
        </query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="version" searchWhenChanged="true">
      <label>Select Version</label>
      <fieldForLabel>versions</fieldForLabel>
      <fieldForValue>versions</fieldForValue>
      <search>
        <query>| inputlookup version_servers_mapping.csv | search servers="$tokServer$"
          | makemv delim="," versions | mvexpand versions
        </query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
</form>
It doesn't work either.
If you run | inputlookup version_servers_mapping.csv, can you share the result of this query?
When I type this on the Excel sheet, it is in this kind of format:
"servers","versions"
"ServerEnv1","10.2.3,10.2.4,10.2.5a"
"ServerEnv2","10.2.2"
"ServerEnv3","10.2.3,10.2.4,10.2.5a,10.2.2"
"ServerEnv4","10.2.3,10.2.4,10.2.5a,10.2.2"
And when I ran the query in search using | inputlookup version_servers_mapping.csv, there was an error message.
If the file does not exist, you should get "No results found" and not an error.
Or create a file as .txt and change it to .csv, for example:
version_servers_mapping.txt --> version_servers_mapping.csv
It doesn't work with either of them.
@atulod1, can you try this please,
<form>
  <label>test</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokServer" searchWhenChanged="true">
      <label>Select Server</label>
      <fieldForLabel>servers</fieldForLabel>
      <fieldForValue>servers</fieldForValue>
      <search>
        <query/>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="ServerEnv1">ServerEnv1</choice>
      <choice value="ServerEnv2">ServerEnv2</choice>
      <choice value="ServerEnv3">ServerEnv3</choice>
      <choice value="ServerEnv4">ServerEnv4</choice>
    </input>
    <input type="dropdown" token="version" searchWhenChanged="true">
      <label>Select Version</label>
      <fieldForLabel>field</fieldForLabel>
      <fieldForValue>field</fieldForValue>
      <search>
        <query>| makeresults | eval server="$tokServer$"
          | eval field=case(server="ServerEnv1","10.2.3,10.2.4,10.2.5a",server="ServerEnv2","10.2.2",server="ServerEnv3" OR server="ServerEnv4","10.2.3,10.2.4,10.2.5a,10.2.2")
          | makemv delim="," field | mvexpand field
        </query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
</form>
This one is not populating the result.
Where should I declare my lookup here, since I created the lookup?
Based on the sample data provided, you can try the following inputs. However, ideally you should create a lookup file for version_servers_mapping.csv to maintain this kind of mapping and populate the dynamic dropdown through inputlookup/lookup commands in Splunk.
versions   servers
10.2.2     ServerEnv1,ServerEnv3,ServerEnv4
10.2.3     ServerEnv2,ServerEnv3,ServerEnv4
10.2.4     ServerEnv2,ServerEnv3,ServerEnv4
10.2.5a    ServerEnv2,ServerEnv3,ServerEnv4
Following is the run-anywhere Simple XML code for the inputs.
<fieldset submitButton="false">
  <input type="dropdown" token="tokServer" searchWhenChanged="true">
    <label>Select Server</label>
    <fieldForLabel>servers</fieldForLabel>
    <fieldForValue>servers</fieldForValue>
    <search>
      <query>| makeresults
        | fields - _time
        | eval servers="ServerEnv1,ServerEnv2,ServerEnv3,ServerEnv4"
        | makemv servers delim=","
        | mvexpand servers
        | sort servers</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
  </input>
  <input type="dropdown" token="tokVersion" searchWhenChanged="true">
    <label>Select Version</label>
    <fieldForLabel>versions</fieldForLabel>
    <fieldForValue>versions</fieldForValue>
    <search>
      <query>| makeresults
        | eval _raw="versions=\"10.2.2\";server=\"ServerEnv1,ServerEnv3,ServerEnv4\""
        | append [| makeresults
        | eval _raw="versions=\"10.2.3\";server=\"ServerEnv2,ServerEnv3,ServerEnv4\""]
        | append [| makeresults
        | eval _raw="versions=\"10.2.4\";server=\"ServerEnv2,ServerEnv3,ServerEnv4\""]
        | append [| makeresults
        | eval _raw="versions=\"10.2.5a\";server=\"ServerEnv2,ServerEnv3,ServerEnv4\""]
        | KV
        | fields - _raw, _time
        | makemv server delim=","
        | mvexpand server
        | search server="$tokServer$"</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
  </input>
</fieldset>