Dashboards & Visualizations

Dashboard- Help with panel token

uagraw01
Motivator

Hello Splunkers

Below is the screenshot in which i have created one hidden panel in which level_department is the set token I have created. The token $level1$ refererd here which brings the department level related information that all is working fine. 

Screenshot_20220920-083535.jpg

In the below panel after $cat$ when i used to refer $level1_department$ ( the above panel token). That is not working fine. Can someone help me what is the issue in this and what things I need to correct here to refer token $level1_department$ in the below query.

Screenshot_20220920-083649.jpg

 

Labels (1)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

Where did you originally have level1_department token in that second panel - it's not there now, so how were you trying to use it?

What 'does not work fine'. What is wrong?

 

0 Karma

uagraw01
Motivator

@bowesmana For now I have removed but it should be after $cat$ token.

0 Karma

uagraw01
Motivator

$level1_department$=$level1_department$ in the second panel.

Here level1_department is carring information of the department like "top management"

 

0 Karma

bowesmana
SplunkTrust
SplunkTrust

That statement 

$level1_department$=$level1_department$

is saying, if your token is "Sales Department"

Sales Department=Sales Department

which doesn't seem particular useful. Do you mean you want to search for your level1_department field equal to the token value, if so you would use

search level1_department field=$level1_department field|s$

the use of |s before the final $ is to ensure the string is quoted properly

0 Karma

uagraw01
Motivator

@bowesmana The below workaround for SPL was not worked for me. Can you please check for the attached code at once. As it is very critical for me.

<form>
  <label>SOC Reports Demo 8</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="tok_time" searchWhenChanged="true">
      <label>Time Period</label>
      <default>
        <earliest>-800d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="source" searchWhenChanged="true">
      <label>Report</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>source</fieldForLabel>
      <fieldForValue>source</fieldForValue>
      <search>
        <query>index=soc_reports
| rex field=source "\_data\_(?&lt;source&gt;.+)\.csv"
| stats count by source
| fields - count</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
    </input>
    <input type="dropdown" token="department" searchWhenChanged="true">
      <label>Department</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>user_department</fieldForLabel>
      <fieldForValue>user_department</fieldForValue>
      <search>
        <query>index=soc_reports
|stats count by Department
| rename Department as user_department</query>
        <earliest>-800d@d</earliest>
        <latest>now</latest>
      </search>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>
| rex field=source "\_data\_(?&lt;source&gt;.+)\.csv"
| search source=$source$
| rename Department as user_department
| search user_department=$department$
| eval Email=lower(Email)| lookup lookup_admanagers.csv mail AS Email OUTPUT manager, adsharedEmployeeCategory
| search manager=$manager$
|eval adsharedEmployeeCategory=if(adsharedEmployeeCategory="", "unknown", adsharedEmployeeCategory)
| dedup adsharedEmployeeCategory
| stats count by adsharedEmployeeCategory manager
| fields - count,manager</query>
        <earliest>-800d@d</earliest>
        <latest>now</latest>
      </search>
      <initialValue>*</initialValue>
    </input>
    <input type="dropdown" token="level1" searchWhenChanged="true">
      <label>Level 1</label>
      <choice value="*">All</choice>
      <fieldForLabel>level_name</fieldForLabel>
      <fieldForValue>level1_id</fieldForValue>
      <search>
        <query>| inputlookup q_soc_identities_chain.csv
| eval chain_name=split(adsharedReportChain,"|")
| eval chain_id=split(adsharedReportChainID,"|")

| eval level1_id=if(mvcount(chain_id)&gt;=1,mvindex(chain_id,mvcount(chain_id)-1),null) | eval level_name=if(mvcount(chain_name)&gt;=1,mvindex(chain_name,mvcount(chain_name)-1),null)



| eval level_name=ltrim(level_name)

| stats c by level1_id  level_name</query>
        <earliest>0</earliest>
        <latest>1</latest>
      </search>
      <default>*</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>
    <input type="dropdown" token="level2" searchWhenChanged="true">
      <label>Level 2</label>
      <choice value="*">All</choice>
      <fieldForLabel>level_name2</fieldForLabel>
      <fieldForValue>level2_id</fieldForValue>
      <search>
        <query>| inputlookup q_soc_identities_chain.csv
| eval chain_name=split(adsharedReportChain,"|")
| eval chain_id=split(adsharedReportChainID,"|")
| eval level1_id=if(mvcount(chain_id)&gt;=1,mvindex(chain_id,mvcount(chain_id)-1),null) | eval level_name=if(mvcount(chain_name)&gt;=1,mvindex(chain_name,mvcount(chain_name)-1),null)
| search level1_id=$level1$
| eval level2_id=if(mvcount(chain_id)&gt;=2,mvindex(chain_id,mvcount(chain_id)-2),null) | eval level_name=if(mvcount(chain_name)&gt;=2,mvindex(chain_name,mvcount(chain_name)-2),null)
| eval level_name2=ltrim(level_name)
| stats c by  level2_id level_name2</query>
        <earliest>-800d@d</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>
    <input type="dropdown" token="level3" searchWhenChanged="true">
      <label>Level 3</label>
      <choice value="*">All</choice>
      <fieldForLabel>level3_name</fieldForLabel>
      <fieldForValue>level3_id</fieldForValue>
      <search>
        <query>| inputlookup q_soc_identities_chain.csv
| eval chain_name=split(adsharedReportChain,"|")
| eval chain_id=split(adsharedReportChainID,"|")
| eval level2_id=if(mvcount(chain_id)&gt;=2,mvindex(chain_id,mvcount(chain_id)-2),null) | eval level_name=if(mvcount(chain_name)&gt;=2,mvindex(chain_name,mvcount(chain_name)-2),null)
| search level2_id=$level2$
| eval level3_id=if(mvcount(chain_id)&gt;=3,mvindex(chain_id,mvcount(chain_id)-3),null) | eval level_name=if(mvcount(chain_name)&gt;=3,mvindex(chain_name,mvcount(chain_name)-3),null)
| eval level3_name=ltrim(level_name)
| stats c by  level3_id level3_name</query>
        <earliest>-800d@d</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>
    <input type="dropdown" token="level4" searchWhenChanged="true">
      <label>Level 4</label>
      <choice value="*">All</choice>
      <fieldForLabel>level4_name</fieldForLabel>
      <fieldForValue>level4_id</fieldForValue>
      <search>
        <query>| inputlookup q_soc_identities_chain.csv
| eval chain_name=split(adsharedReportChain,"|")
| eval chain_id=split(adsharedReportChainID,"|")
| eval level3_id=if(mvcount(chain_id)&gt;=3,mvindex(chain_id,mvcount(chain_id)-3),null) | eval level_name=if(mvcount(chain_name)&gt;=3,mvindex(chain_name,mvcount(chain_name)-3),null)
| search level3_id=$level3$
| eval level4_id=if(mvcount(chain_id)&gt;=4,mvindex(chain_id,mvcount(chain_id)-4),null) | eval level_name=if(mvcount(chain_name)&gt;=4,mvindex(chain_name,mvcount(chain_name)-4),null)
| eval level4_name=ltrim(level_name)

| stats c by  level4_id level4_name</query>
        <earliest>-800d@d</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>
    <input type="dropdown" token="level5" searchWhenChanged="true">
      <label>Level 5</label>
      <choice value="*">All</choice>
      <fieldForLabel>level5_name</fieldForLabel>
      <fieldForValue>level5_id</fieldForValue>
      <search>
        <query>| inputlookup q_soc_identities_chain.csv
| eval chain_name=split(adsharedReportChain,"|")
| eval chain_id=split(adsharedReportChainID,"|")
| eval level4_id=if(mvcount(chain_id)&gt;=4,mvindex(chain_id,mvcount(chain_id)-4),null) | eval level_name=if(mvcount(chain_name)&gt;=4,mvindex(chain_name,mvcount(chain_name)-4),null)
| search level4_id=$level4$
| eval level5_id=if(mvcount(chain_id)&gt;=5,mvindex(chain_id,mvcount(chain_id)-5),null) | eval level_name=if(mvcount(chain_name)&gt;=5,mvindex(chain_name,mvcount(chain_name)-5),null)
| eval level5_name=ltrim(level_name)
| stats c by  level5_id level5_name</query>
        <earliest>-800d@d</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>
    <input type="dropdown" token="level6" searchWhenChanged="true">
      <label>Level 6</label>
      <choice value="*">All</choice>
      <fieldForLabel>level6_name</fieldForLabel>
      <fieldForValue>level6_id</fieldForValue>
      <search>
        <query>| inputlookup q_soc_identities_chain.csv
| eval chain_name=split(adsharedReportChain,"|")
| eval chain_id=split(adsharedReportChainID,"|")
| eval level5_id=if(mvcount(chain_id)&gt;=5,mvindex(chain_id,mvcount(chain_id)-5),null) | eval level_name=if(mvcount(chain_name)&gt;=5,mvindex(chain_name,mvcount(chain_name)-5),null)
| search level5_id=$level5$
| eval level6_id=if(mvcount(chain_id)&gt;=6,mvindex(chain_id,mvcount(chain_id)-6),null) | eval level_name=if(mvcount(chain_name)&gt;=6,mvindex(chain_name,mvcount(chain_name)-6),null)
| eval level6_name=ltrim(level_name)

| stats c by  level6_id level6_name</query>
        <earliest>-800d@d</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
<div class="custom-result-value icon-only elevator"> </div>
<h1>
<span/>

<font color="GoldenRod">
            <i>"Review Under Progress"</i> </font>
</h1>
</html>
    </panel>
  </row>
  <row depends="$hidden$">
    <panel>
      <table>
        <search>
          <finalized>
            <set token="level1_department">$result.level1_department$</set>
          </finalized>
          <query>| inputlookup q_soc_identities_chain.csv  WHERE  sAMAccountName=$level1$
| append [| makeresults | eval department=null()]
| eval department = case($level1$="*","*",isnull(department),"*",1=1,'department')
| head 1
| table department</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <finalized>
            <set token="level2_department">$result.department$</set>
          </finalized>
          <query>| inputlookup q_soc_identities_chain.csv  WHERE  sAMAccountName=$level2$
| append [| makeresults | eval department=null()]
| eval department = case($level2$="*","*",isnull(department),"*",1=1,'department')
| head 1
| table department</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <finalized>
            <set token="level3_department">$result.department$</set>
          </finalized>
          <query>| inputlookup q_soc_identities_chain.csv  WHERE  sAMAccountName=$level3$
| append [| makeresults | eval department=null()]
| eval department = case($level3$="*","*",isnull(department),"*",1=1,'department')
| head 1
| table department</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <finalized>
            <set token="level4_department">$result.department$</set>
          </finalized>
          <query>| inputlookup q_soc_identities_chain.csv  WHERE  sAMAccountName=$level4$
| append [| makeresults | eval department=null()]
| eval department = case($level4$="*","*",isnull(department),"*",1=1,'department')
| head 1
| table department</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <finalized>
            <set token="level5_department">$result.department$</set>
          </finalized>
          <query>| inputlookup q_soc_identities_chain.csv  WHERE  sAMAccountName=$level5$
| append [| makeresults | eval department=null()]
| eval department = case($level5$="*","*",isnull(department),"*",1=1,'department')
| head 1
| table department</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <finalized>
            <set token="level6_department">$result.department$</set>
          </finalized>
          <query>| inputlookup q_soc_identities_chain.csv  WHERE  sAMAccountName=$level6$
| append [| makeresults | eval department=null()]

| eval department = case($level6$="*","*",isnull(department),"*",1=1,'department')
| head 1
| table department</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      <table>
        <title>This shows the % of users who failed during the phishing test for each manager. This shows the $head$ worst offenders</title>
        <search>
          <query>index=soc_reports
| rex field=source "\_data\_(?&lt;source&gt;.+)\.csv"
| search source=$source$
| rename Department as user_department
| search user_department=$department$
| eval Email=lower(Email)
| lookup lookup_admanagers.csv mail AS Email OUTPUT manager, adsharedEmployeeCategory
| search manager=$manager$
| search $cat$
| chart count over manager by "Clicked Link"
| eval Yes=if(isnull(Yes), "0", Yes),
    No=if(isnull(No), "0", No),
    Total=Yes+No,
    %Clicked=round((Yes/Total)*100, 0)
| search Total &gt; 0
| stats sum(Yes) as Fail, sum(No) as Pass by manager
| sort Fail desc
| head $head$</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="Fail">
          <colorPalette type="map">{"Fail":#F8BE34}</colorPalette>
        </format>
      </table>
    </panel>
    <panel>
      <title>Managers with Least Failed Users</title>
      <input type="dropdown" token="head2" searchWhenChanged="true">
        <label>Number of Results</label>
        <choice value="10">10</choice>
        <choice value="20">20</choice>
        <choice value="30">30</choice>
        <default>10</default>
      </input>
      <table>
        <title>This shows the % of users who failed during the phishing test for each manager. This excludes managers with less than 10 subordinates.</title>
        <search>
          <query>index=soc_reports | rex field=source "\_data\_(?&lt;source&gt;.+)\.csv"
| search source=$source$
| rename Department as user_department
| search user_department=$department$

| eval Email=lower(Email)
| lookup lookup_admanagers.csv mail AS Email OUTPUT manager, adsharedEmployeeCategory
| search manager=$manager$ | search $cat$
| chart count over manager by "Clicked Link"
| eval Yes=if(isnull(Yes), "0", Yes),
    No=if(isnull(No), "0", No),
    Total=Yes+No,
    %Clicked=round((Yes/Total)*100, 0)
| search Total &gt; 0
| stats sum(Yes) as Fail, sum(No) as Pass by manager
| sort Pass desc
| head $head2$</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
        </search>
        <option name="charting.chart">bubble</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=soc_reports | rex field=source "\_data\_(?&lt;source&gt;.+)\.csv"
| search source=$source$
| rename Department as user_department
| search user_department=$department$

| eval Email=lower(Email)
| lookup lookup_admanagers.csv mail AS Email OUTPUT manager, adsharedEmployeeCategory
| search manager=$manager$ | search $cat$
| chart count over manager by "Clicked Link"
| eval Yes=if(isnull(Yes), "0", Yes),
    No=if(isnull(No), "0", No),
    Total=Yes+No,
    Clicked=round((Yes/Total)*100, 0)
| search Total &gt; 0
| stats avg(Clicked) as Failed% sum(No) as Pass sum(Yes) as Fail by manager
| sort Fail desc</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
        </search>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.chart">bubble</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">right</option>
| rename Department as user_department

| search user_department=$department$
| eval Email=lower(Email)
| lookup lookup_admanagers.csv mail AS Email OUTPUT manager, adsharedEmployeeCategory
| search manager=$manager$ adsharedEmployeeCategory=$cat$
| rex field=source "\_data\_(?&lt;report&gt;.+)\.csv"
|stats count by report
|sort report asc</query>
          <earliest>-800d</earliest>
          <latest>now</latest>
        </search>
        <default>*</default>
      </input>
      <table>
        <title>This shows the number of users under each manager who have clicked a link/entered their password in more than one reporting period.</title>
        <search>
          <query>index=soc_reports | rex field=source "\_data\_(?&lt;source&gt;.+)\.csv"
| search source=$source$
| rename Department as user_department
| search user_department=$department$
| eval Email=lower(Email)
| lookup lookup_admanagers.csv mail AS Email OUTPUT manager, adsharedEmployeeCategory

| search manager=$manager$ | search $cat$

| eval ClickedLink=if('Clicked Link'="Yes","1", "0")
| table Email, manager, ClickedLink
| stats sum(ClickedLink) as totalOffences by Email, manager</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="Total">
          <colorPalette type="list">[#53A051,#F8BE34,#F1813F,#DC4E41]</colorPalette>
          <scale type="threshold">0,30,100</scale>
        </format>
      </table>
    </panel>
  </row>
</form>
0 Karma

bowesmana
SplunkTrust
SplunkTrust

That is 449 lines of XML - I am sorry, but I am not able to validate that all. Please can you let me know what you have tried and what is not working.

There is one obvious problem in that in the <input> for the token

department

 you have a search query after the closing </input> - that's clearly something wrong with the dashboard.

Whenever you have a dashboard panel that does not work, use the magnifying glass to open the search in a new window, so you can then see what the search is doing. 

At that point, you can then post details of what you have tried, what you expect to see as output and then the problem can be more easily resolved.

 

0 Karma

uagraw01
Motivator

@bowesmana Likewise I have to use different departments also 

level1_department=$level1_department$

level2_department=$level2_department$

level3_department=$level3_department$

level4_department=$level4_department$

level5_department=$level5_department$

I need to use these token as well, So as per your suggested solution can i use for the others as well ?

0 Karma

bowesmana
SplunkTrust
SplunkTrust

You can use as many tokens as you need, but naturally you will have to make sure that the logic between those is appropriate to your use case, i.e. do you need to use OR or AND between those criteria.

Note: Please make sure you use |s as in my earlier example in the token, otherwise it will not match your department

top management

properly

 

0 Karma

uagraw01
Motivator

@bowesmana Yes, let me try and i will let you the status in few hours.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...