Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Change search depending on dropdown

chrispounds
Explorer
‎04-25-2019 08:11 AM

Hi peeps,

I'd like to add a dropdown to my dashboard panel, which populates with "src" for the user to select, then based on what "src" is selected, it changes the panels below it. How easy is this to achieve? I've attached my current XML, in case this helps anyone understand what i'd like to achieve!

I've tried playing with the dropdown input in the UI, but i can't seem to get my head around what to put in what boxes!

Many thanks,
Chris

<form theme="dark">
  <label>Humbert root Logins</label>
  <description>Track Root logins on humbert.ex.ac.uk</description>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
<panel>
  <title>Root Logins</title>
  <single>
    <search>
      <query>index=osnixsec src=humber.ex.ac.uk user=root AND action=failure 
| stats count</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
      <sampleRatio>1</sampleRatio>
      <refresh>5m</refresh>
      <refreshType>delay</refreshType>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="drilldown">all</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">["0x53a051","0x006d9c","0xf8be34","0xdc4e41"]</option>
    <option name="rangeValues">[0,30,50]</option>
    <option name="refresh.display">progressbar</option>
    <option name="showSparkline">1</option>
    <option name="showTrendIndicator">1</option>
    <option name="trellis.enabled">0</option>
    <option name="trellis.scales.shared">1</option>
    <option name="trellis.size">medium</option>
    <option name="trendColorInterpretation">standard</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="underLabel">Number of attempted logins</option>
    <option name="unitPosition">after</option>
    <option name="useColors">1</option>
    <option name="useThousandSeparators">1</option>
  </single>
</panel>
</row>
<row>
<panel>
  <title>Destination Root attempts from Humbert</title>
  <table>
    <search>
      <query>index=osnixsec src=humbert.ex.ac.uk user=root AND action=failure  
  | stats count by dest 
  | sort -count 
  | rename dest as "Destination Host"</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
      <sampleRatio>1</sampleRatio>
      <refresh>5m</refresh>
      <refreshType>delay</refreshType>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="percentagesRow">false</option>
    <option name="refresh.display">progressbar</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎04-25-2019 07:14 PM

Use the code below to understand how to "tokenize" the source field
for your code, replace the search which generates the tokens with index=osnixsec src=* | stats count by src | table src

<form>
  <label>Dropdown Source</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="SRC">
      <label>Chhose Source</label>
      <fieldForLabel>source</fieldForLabel>
      <fieldForValue>source</fieldForValue>
      <search>
        <query>index= _internal source=* 
| stats count by source
| table source</query>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">ALL</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index = _internal source=$SRC$ | stats count by source</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <chart>
        <title>Over Time</title>
        <search>
          <query>index=_internal source="$SRC$" | timechart count by source</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</form>

hope it helps

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎04-25-2019 07:14 PM

Use the code below to understand how to "tokenize" the source field
for your code, replace the search which generates the tokens with index=osnixsec src=* | stats count by src | table src

<form>
  <label>Dropdown Source</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="SRC">
      <label>Chhose Source</label>
      <fieldForLabel>source</fieldForLabel>
      <fieldForValue>source</fieldForValue>
      <search>
        <query>index= _internal source=* 
| stats count by source
| table source</query>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">ALL</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index = _internal source=$SRC$ | stats count by source</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <chart>
        <title>Over Time</title>
        <search>
          <query>index=_internal source="$SRC$" | timechart count by source</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</form>

hope it helps

0 Karma
Reply
Solved! Jump to solution

chrispounds
Explorer
‎04-26-2019 02:24 AM

Hi adonio,

Thank you - so i implemented that into a test dashboard and changed the query's to match mine. But when i select the dropdown, all i get is the ALL value, not a list of available "src" values, do i need to adjust the choice value tag also?

Many thanks for your help!

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎04-26-2019 04:48 AM 
<label>Dropdown Source</label>
   <fieldset submitButton="false">
     <input type="dropdown" token="SRC">
       <label>Chhose Source</label>
       <fieldForLabel>src</fieldForLabel>
       <fieldForValue>src</fieldForValue>
       <search>
         <query>index= index=osnixsec src=* | stats count by src | table src</query>
         <earliest>-4h@m</earliest>
         <latest>now</latest>
       </search>
       <choice value="*">ALL</choice>
       <default>*</default>
       <initialValue>*</initialValue>
     </input>
   </fieldset>
0 Karma
Reply
Solved! Jump to solution

chrispounds
Explorer
‎04-26-2019 05:41 AM

thanks adonio for your assistance, this doesn't actually give me a list in the dropdown. All it contains is "ALL" in capitals and doesn't list available src's to select. The queries run ok, but the dropdown isn't populating with the results from "src"

Many thanks,

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎04-26-2019 05:45 AM

i see the problem
look at the query i put - it has index= index=osnixsec src=*
itll break your search
remove the first index=

so you will only have:

<query>index=osnixsec src=* | stats count by src | table src</query>

0 Karma
Reply
Solved! Jump to solution

chrispounds
Explorer
‎04-26-2019 05:53 AM

Yes that got it! fantastic adonio thank you! I should of proof read it also, lesson learnt! 😄

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...