Dashboards & Visualizations

Drop down in Search Result

alexspunkshell
Contributor

I want to have a drop-down in my Dashboard's search results, like "New Alert" "In-Progress" "Resolved" in the Status field. Please help here.

[screenshot]


alexspunkshell
Contributor

@gcusello @ITWhisperer  Thanks for your reply.

In index=graphsecurityalert I am getting the logs for alerts.

In my dashboard I want a dropdown for the alert's status like "New Alert" "In Progress" "Resolved" "Dismissed".

I need to change the status of the alert upon investigation. Could you please help here.

[screenshot]

[screenshot]

gcusello
SplunkTrust

Hi @alexspunkshell,

to have the dropdown in each row you have to use JavaScript.

I cannot help you!

but see my dashboard.

Ciao.

Giuseppe

gcusello
SplunkTrust

Hi @alexspunkshell,

it's not possible to add a status field to your events to trace the life of the alert, but you could save the results of an alert in a lookup and manually change the status of one of your results using the Lookup Editor.

It's also possible to modify the lookup using JavaScript or a Splunk search, but it isn't so easy and it's difficult to describe in an answer.

This is a dashboard that I used to create a simple Case Manager that you could use as an example to manage your Cases:

<form>
  <label>Manage New Cases</label>
  <row>
    <panel>
      <table id="master">
        <title>Total New Cases = $server_count$</title>
        <search>
          <query>
            | inputlookup my_cases WHERE Status="Open"
            | eval Time=strftime(TimeStamp,"%d/%m/%Y %H:%M:%S"), key=_key 
            | table key Time Alert_Name Description Status Notes User_Name TimeStamp
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <progress>
            <set token="server_count">$job.resultCount$</set>
          </progress>
          <cancelled>
            <unset token="server_count"></unset>
          </cancelled>
        </search>
        <fields>_key, Time, Alert_Name, Description, Status, Notes, User_Name</fields>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="key">$row.key$</set>
          <set token="timestamp">$row.TimeStamp$</set>
          <set token="alertname">$row.Alert_Name$</set>
          <set token="description">$row.Description$</set>
          <set token="status">$row.Status$</set>
          <set token="notes">$row.Notes$</set>
          <set token="username">$row.User_Name$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Modify Row</title>
      <input type="dropdown" token="status_to_update">
        <label>Status</label>
        <default>$status$</default>
        <search>
          <query/>
        </search>
        <choice value="Open">Open</choice>
        <choice value="Closed">Closed</choice>
        <choice value="Work-in-progress">Work-in-progress</choice>
        <choice value="Escalation">Escalation</choice>
        <choice value="Stand-By">Stand-By</choice>
      </input>
      <input type="text" token="notes_to_update">
        <label>Add Notes</label>
        <default>$notes$</default>
      </input>
      <table id="detail" depends="$key$">
        <title>Row to modify</title>
        <search>
          <query>
            | makeresults count=1
            | eval key="$key$", TimeStamp="$timestamp$", Alert_Name="$alertname$", Description="$description$", Status="$status_to_update$", Notes="$notes_to_update$", Time=strftime($timestamp$,"%d/%m/%Y %H:%M:%S")
            | appendcols [ | rest /services/authentication/current-context | rename username AS User_Name | fields User_Name]
            | table key Time TimeStamp Alert_Name Description Status Notes User_Name
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <fields>_key, Time, Alert_Name, Description, Status, Notes, User_Name</fields>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="status_updated">$row.Status$</set>
          <set token="notes_updated">$row.Notes$</set>
          <set token="username_updated">$row.User_Name$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table id="detail2" depends="$status_to_update$">
        <title>Modified Lookup row</title>
        <search>
          <query>
            | inputlookup my_cases
            | eval 
              Status=if(_key="$key$","$status_updated$",Status),
              Notes=if(_key="$key$","$notes_updated$",Notes),
              User_Name=if(_key="$key$","$username_updated$",User_Name)
            | search _key="$key$"
            | outputlookup my_cases append=true
            | eval key=_key
            | collect addtime=true index=summary_alerts
            | eval Time=strftime(TimeStamp,"%d/%m/%Y %H:%M:%S"), key=_key
            | table key Time TimeStamp Alert_Name Description Status Notes User_Name
            </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <fields>_key, Time, Alert_Name, Description, Status, Notes, User_Name</fields>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

In a few words:

  • I list all the cases to assign,
  • I choose the one to take charge of by clicking on a record,
  • I give values to the fields (account name, status and notes),
  • I save the given values in the row of the lookup (KV Store).

As I said it isn't so easy!

Ciao.

Giuseppe
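The dashboard above edits rows that already exist in the `my_cases` KV Store lookup, but it does not show how the rows get there in the first place. As an added example (not part of the original post or of Giuseppe's dashboard), the following savedsearches.conf stanza seeds the lookup from the asker's `index=graphsecurityalert` every 15 minutes with the status values the asker wanted, without overwriting rows whose Status or Notes an analyst has already changed. It assumes `my_cases` is already defined as a KV Store collection with a lookup definition (collections.conf and transforms.conf) whose fields match the dashboard, and the alert event field names `id`, `title` and `description` are assumptions, since the page's screenshots do not show them.

```ini
# savedsearches.conf - added example, not from the original post.
# Assumptions: my_cases is a KV Store-backed lookup definition with the fields
# TimeStamp, Alert_Name, Description, Status, Notes, User_Name (as used in the
# dashboard above); id/title/description are the alert event field names.
[Seed my_cases from graphsecurityalert]
enableSched = 1
cron_schedule = */15 * * * *
# 20 minute window on a 15 minute schedule: overlap is harmless because
# already-known alerts are dropped by the dedup below.
dispatch.earliest_time = -20m@m
dispatch.latest_time = now
# Existing lookup rows get rank=1 and new events rank=2; after sorting by rank,
# "dedup _key" keeps the analyst's row (with its Status/Notes) and only lets
# alerts not yet in the lookup through to outputlookup.
search = index=graphsecurityalert \
| eval _key=id, TimeStamp=_time, Alert_Name=title, Description=description, \
       Status="New Alert", Notes="", User_Name="", rank=2 \
| append [ | inputlookup my_cases | eval rank=1 ] \
| sort 0 rank \
| dedup _key \
| where rank=2 \
| table _key TimeStamp Alert_Name Description Status Notes User_Name \
| outputlookup my_cases append=true
```

Because `outputlookup ... append=true` on a KV Store collection inserts rows by `_key`, the `where rank=2` line keeps the write set to genuinely new alerts; the dashboard's "Modify Row" panel then changes Status to "In Progress", "Resolved" or "Dismissed" (add those as `<choice>` values in the dropdown) and this search will not revert them on its next run.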

ITWhisperer
SplunkTrust

No idea what you are asking for here - there is no Status field in your image and the values you mentioned don't appear either. Where would a dropdown fit into this scenario? What would be the purpose of the dropdown? What have you tried so far?
