Dashboards & Visualizations

Dynamic user field dropdown in dashboard

carlyleadmin
Contributor

Hi,

i do have a simple dashboard with 1 time 2 dropdown panels.i will also attach my source code so i hope that helps. i am looking into iis log files and looking into cs_referer field a;ong with cs_username and using eval i am creating an Time field where it hows the time_taken for that page and corresponding user.

what i am tyring to achieve is that i want to populate users dynamically for each environment i have.what i have setup so far is environment field user field and condition field which is basically giving me option to select low high medium etc(low =0 -50 sec,high 60=300 secs etc)these fields are all static which i have populated.how can i achieve this?

i think the user dropdown will be dependent on the environment dropdown so when i select qa or prod it will only bring users(AD AUTHENTICATED) for those environments.or,is it possible to get all the users for each environment in csv and create a lookup?i've never done that so not sure how that would work.

i am just looking for ideas on how to achieve this if its possible

Thanksalt text

Here is my source code
alt text

Tags (1)
0 Karma
1 Solution

aholzer
Motivator

You can set your field to be filled in dynamically using a search. If you are editing the page via GUI (not directly through source manipulation) you can scroll all the way to the bottom of the "input parameter" you've defined and there is a section where you define the search you want to run (under Dynamic options). If you want a list of users, you can define your search as <base_search>| stats by user then define your Field For Label and Value as "user".

If you are editing the source directly it'll look something like this:

<input type="multiselect" token="user" searchWhenChanged="false">
      <choice value="*">All</choice>
      <search>
        <query> <your_base_search> | stats by user</query>
        <earliest>@d</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <initialValue>*</initialValue>
      <valuePrefix>user=</valuePrefix>
      <delimiter> OR </delimiter>
    </input>

If you want to only get users that relate to your environment, then you can set the token that is defined in your environment input parameter as part of your dynamic search in your user field. Example:

<input type="multiselect" token="user" searchWhenChanged="false">
          <choice value="*">All</choice>
          <search>
            <query> <your_base_search> $<environment_token_name>$ | stats by user</query>
            <earliest>@d</earliest>
            <latest>now</latest>
          </search>
          <fieldForLabel>user</fieldForLabel>
          <fieldForValue>user</fieldForValue>
          <initialValue>*</initialValue>
          <valuePrefix>user=</valuePrefix>
          <delimiter> OR </delimiter>
        </input>

This will limit the results of your user dropdown/multiselect to only those users that are found in that particular environment.

Hope this helps

View solution in original post

0 Karma

aholzer
Motivator

You can set your field to be filled in dynamically using a search. If you are editing the page via GUI (not directly through source manipulation) you can scroll all the way to the bottom of the "input parameter" you've defined and there is a section where you define the search you want to run (under Dynamic options). If you want a list of users, you can define your search as <base_search>| stats by user then define your Field For Label and Value as "user".

If you are editing the source directly it'll look something like this:

<input type="multiselect" token="user" searchWhenChanged="false">
      <choice value="*">All</choice>
      <search>
        <query> <your_base_search> | stats by user</query>
        <earliest>@d</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <initialValue>*</initialValue>
      <valuePrefix>user=</valuePrefix>
      <delimiter> OR </delimiter>
    </input>

If you want to only get users that relate to your environment, then you can set the token that is defined in your environment input parameter as part of your dynamic search in your user field. Example:

<input type="multiselect" token="user" searchWhenChanged="false">
          <choice value="*">All</choice>
          <search>
            <query> <your_base_search> $<environment_token_name>$ | stats by user</query>
            <earliest>@d</earliest>
            <latest>now</latest>
          </search>
          <fieldForLabel>user</fieldForLabel>
          <fieldForValue>user</fieldForValue>
          <initialValue>*</initialValue>
          <valuePrefix>user=</valuePrefix>
          <delimiter> OR </delimiter>
        </input>

This will limit the results of your user dropdown/multiselect to only those users that are found in that particular environment.

Hope this helps

0 Karma

carlyleadmin
Contributor

Aholzer thank you for your response this was very helpful.

i just wanted to add couple comments related to my environment and how i made this mechanism to get it to work ,so if someone out there is reading it, might benefit from these inputs.first of all ,i am a kind of person who needs an example when it comes to understanding a solution like the one above.need to dumb it down:)

so for my base search query i used $Environment$(which is my token for environment dropdown) sourcetype=iis |stats by cs_username(since that is the field in my logs and not the "user" as you mentioned in your example,so that is a unique field to everyone's environment)
so the final query i used in dynamic field was
$Environment$ sourcetype=iis |stats by cs_username|dedup cs_username

for the field value and label i again used "cs_username" which is the username field in my logs and not the "user" like you mentioned in your example.

i hope this helps understand people like me on how to use dynamic fields.

Aholzer once again thank you for your help

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...