Unable to match the 2 dropdownlist using XML and create a report for the following for PCI DSS

atulod1
New Member

Hi Team,

I created a customized dashboard for PCI DSS requirement number 10.
I have 2 drop-down lists (one for our server environment, one for PCI requirement 10).
1. On the first drop-down list, here are the options that I created: ServerEnv1, ServerEnv2, ServerEnv3, ServerEnv4
2. On the 2nd drop-down list: 10.2.2, 10.2.3, 10.2.4, 10.2.5a, 10.2.5b, 10.2.5c
3. If I choose "ServerEnv1" on the first drop-down list, the 2nd drop-down list will show "10.2.3, 10.2.4 and 10.2.5a"; if I choose "ServerEnv2", the 2nd drop-down list will show "10.2.2" only; for ServerEnv3 and ServerEnv4, the 2nd drop-down list will show the whole list. Hoping you can help me with how to construct this using XML. -- Thanks in advance -- ALLAN

0 Karma

atulod1
New Member

How can I add the lookup that I created, per the example version_servers_mapping.csv? Where do I assign this?

0 Karma

TISKAR
Builder

Response with lookup:

In Settings > Lookups, add a lookup file.

For example, I created the CSV file version_servers_mapping.csv with this content:

"servers","versions"
"ServerEnv1","10.2.3,10.2.4,10.2.5a"
"ServerEnv2","10.2.2"
"ServerEnv3","10.2.3,10.2.4,10.2.5a,10.2.2"
"ServerEnv4","10.2.3,10.2.4,10.2.5a,10.2.2"

And I used it in the dashboard like this:

<form>
  <label>test</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokServer" searchWhenChanged="true">
      <label>Select Server</label>
      <fieldForLabel>servers</fieldForLabel>
      <fieldForValue>servers</fieldForValue>
      <search>
        <query>
          | inputlookup version_servers_mapping.csv | table servers
        </query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>

    </input>
    <input type="dropdown" token="version" searchWhenChanged="true">
      <label>Select Version</label>
      <fieldForLabel>versions</fieldForLabel>
      <fieldForValue>versions</fieldForValue>
      <search>
        <query>| inputlookup version_servers_mapping.csv |search servers="$tokServer$"
               | makemv delim="," versions| mvexpand versions
        </query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>

    </input>
  </fieldset>
</form>
0 Karma

atulod1
New Member

It doesn't work either.

0 Karma

TISKAR
Builder

If you run | inputlookup version_servers_mapping.csv, can you share the result of this query?

0 Karma

atulod1
New Member

When I type this in the Excel sheet, it is in this kind of format:
"servers","versions"
"ServerEnv1","10.2.3,10.2.4,10.2.5a"
"ServerEnv2","10.2.2"
"ServerEnv3","10.2.3,10.2.4,10.2.5a,10.2.2"
"ServerEnv4","10.2.3,10.2.4,10.2.5a,10.2.2"
And when I ran the query in search using | inputlookup version_servers_mapping.csv, there was an error message.

0 Karma

TISKAR
Builder

If the file does not exist, you should get "No results found" and not an error.
Or create a .txt file and change it to .csv, for example:
version_servers_mapping.txt --> version_servers_mapping.csv

0 Karma

atulod1
New Member

Neither of the two works.

0 Karma

TISKAR
Builder

@atulod1, can you try this, please:

 <form>
      <label>test</label>
      <fieldset submitButton="false">
        <input type="dropdown" token="tokServer" searchWhenChanged="true">
          <label>Select Server</label>
          <fieldForLabel>servers</fieldForLabel>
          <fieldForValue>servers</fieldForValue>
          <search>
            <query/>
            <earliest>-24h@h</earliest>
            <latest>now</latest>
          </search>
          <choice value="ServerEnv1">ServerEnv1</choice>
          <choice value="ServerEnv2">ServerEnv2</choice>
          <choice value="ServerEnv3">ServerEnv3</choice>
          <choice value="ServerEnv4">ServerEnv4</choice>
        </input>
        <input type="dropdown" token="version" searchWhenChanged="true">
          <label>Select Version</label>
          <fieldForLabel>field</fieldForLabel>
          <fieldForValue>field</fieldForValue>
          <search>
            <query>| makeresults| eval server="$tokServer$"
                   | eval field=case(server="ServerEnv1","10.2.3,10.2.4,10.2.5a",server="ServerEnv2","10.2.2",server="ServerEnv3" OR server="ServerEnv4","10.2.3,10.2.4,10.2.5a,10.2.2")
                   | makemv delim="," field| mvexpand field
            </query>
            <earliest>-24h@h</earliest>
            <latest>now</latest>
          </search>

        </input>
      </fieldset>
    </form>
0 Karma

atulod1
New Member

This one is not populating the result.

0 Karma

atulod1
New Member

Where should I declare my lookup here, since I created the lookup?

0 Karma

niketn
Legend

Based on the sample data provided, you can try the following inputs. However, ideally you should create a lookup file for version_servers_mapping.csv to maintain this kind of mapping and populate the dynamic dropdown through the inputlookup/lookup commands in Splunk.

versions         servers
10.2.2           ServerEnv1,ServerEnv3,ServerEnv4
10.2.3           ServerEnv2,ServerEnv3,ServerEnv4
10.2.4           ServerEnv2,ServerEnv3,ServerEnv4
10.2.5a          ServerEnv2,ServerEnv3,ServerEnv4

Following is the run anywhere simple XML code for inputs.

  <fieldset submitButton="false">
    <input type="dropdown" token="tokServer" searchWhenChanged="true">
      <label>Select Server</label>
      <fieldForLabel>servers</fieldForLabel>
      <fieldForValue>servers</fieldForValue>
      <search>
        <query>| makeresults
| fields - _time
| eval servers="ServerEnv1,ServerEnv2,ServerEnv3,ServerEnv4"
| makemv servers delim=","
| mvexpand servers
| sort servers</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="tokVersion" searchWhenChanged="true">
      <label>Select Version</label>
      <fieldForLabel>versions</fieldForLabel>
      <fieldForValue>versions</fieldForValue>
      <search>
        <query>| makeresults
| eval _raw="versions=\"10.2.2\";server=\"ServerEnv1,ServerEnv3,ServerEnv4\""
| append [| makeresults
| eval _raw="versions=\"10.2.3\";server=\"ServerEnv2,ServerEnv3,ServerEnv4\""]
| append [| makeresults
| eval _raw="versions=\"10.2.4\";server=\"ServerEnv2,ServerEnv3,ServerEnv4\""]
| append [| makeresults
| eval _raw="versions=\"10.2.5a\";server=\"ServerEnv2,ServerEnv3,ServerEnv4\""]
| KV
| fields - _raw, _time
| makemv server delim=","
| mvexpand server
| search server="$tokServer$"</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
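
The lookup-driven dropdown pair recommended in the answer above, built on the version_servers_mapping.csv layout from TISKAR's reply, as an added example that is not code from any poster in this thread. It also clears the second dropdown when the server changes and passes tokens through the `|s` filter, so the selected value is quoted and escaped before it reaches the search. The token name tokVersion follows niketn's snippet; the "Selection check" panel and the dashboard label are illustrative assumptions.

```xml
<!-- Added example. Assumes version_servers_mapping.csv (columns: servers,
     versions) is uploaded as a lookup table file readable from this app. -->
<form>
  <label>PCI DSS Requirement 10 (added example)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokServer" searchWhenChanged="true">
      <label>Select Server</label>
      <fieldForLabel>servers</fieldForLabel>
      <fieldForValue>servers</fieldForValue>
      <search>
        <query>| inputlookup version_servers_mapping.csv
| fields servers | dedup servers | sort servers</query>
      </search>
      <!-- Reset the dependent dropdown so a requirement picked for the
           previous server does not stay selected. -->
      <change>
        <unset token="form.tokVersion"></unset>
        <unset token="tokVersion"></unset>
      </change>
    </input>
    <input type="dropdown" token="tokVersion" searchWhenChanged="true">
      <label>Select Version</label>
      <fieldForLabel>versions</fieldForLabel>
      <fieldForValue>versions</fieldForValue>
      <search>
        <!-- |s wraps the token value in quotes and escapes quotes inside it,
             so no literal quotes are written around the token here. -->
        <query>| inputlookup version_servers_mapping.csv
| search servers=$tokServer|s$
| makemv delim="," versions
| mvexpand versions
| fields versions</query>
      </search>
    </input>
  </fieldset>
  <row>
    <!-- Shown only once both tokens are set; echoes the current selection. -->
    <panel depends="$tokServer$,$tokVersion$">
      <title>Selection check</title>
      <table>
        <search>
          <query>| makeresults | fields - _time
| eval server=$tokServer|s$, requirement=$tokVersion|s$</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

If `| inputlookup version_servers_mapping.csv` returns an error in the Search app, check that the file was uploaded under Settings > Lookups > Lookup table files and that its permissions share it with the app the dashboard lives in.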