
Drop down in Search Result

alexspunkshell
Contributor

I want to have a drop-down in my Dashboard's search result like "New Alert", "In-Progress", "Resolved" in the Status field. Please help here.


alexspunkshell
Contributor

@gcusello @ITWhisperer  Thanks for your reply.

In index=graphsecurityalert I am getting the logs for the alerts.

In my dashboard I want a dropdown for the alert's status like "New Alert" "In Progress" "Resolved" "Dismissed".

I need to change the status of the alert upon investigation. Could you please help here?

gcusello
SplunkTrust

Hi @alexspunkshell,

To have the dropdown in each row you have to use JavaScript.

I cannot help you with that!

But see my dashboard.

Ciao.

Giuseppe

gcusello
SplunkTrust

Hi @alexspunkshell,

It's not possible to add a status field to your events to trace the life of the alert, but you could save the results of an alert in a lookup and manually change the status of one of your results using the Lookup Editor.

It's also possible to modify the lookup using JS or a Splunk search, but it isn't easy and is difficult to describe in an answer.

This is a dashboard that I used to create a simple Case Manager, which you could use as an example to manage your cases:

 

<form>
  <label>Manage New Cases</label>
  <row>
    <panel>
      <table id="master">
        <title>Total New Cases = $server_count$</title>
        <search>
          <query>
            | inputlookup my_cases WHERE Status="Open"
            | eval Time=strftime(TimeStamp,"%d/%m/%Y %H:%M:%S"), key=_key 
            | table key Time Alert_Name Description Status Notes User_Name TimeStamp
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <progress>
            <set token="server_count">$job.resultCount$</set>
          </progress>
          <cancelled>
            <unset token="server_count"></unset>
          </cancelled>
        </search>
        <fields>_key, Time, Alert_Name, Description, Status, Notes, User_Name</fields>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="key">$row.key$</set>
          <set token="timestamp">$row.TimeStamp$</set>
          <set token="alertname">$row.Alert_Name$</set>
          <set token="description">$row.Description$</set>
          <set token="status">$row.Status$</set>
          <set token="notes">$row.Notes$</set>
          <!-- the master table has no User field; take the user from User_Name -->
          <set token="username">$row.User_Name$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Modify Row</title>
      <input type="dropdown" token="status_to_update">
        <label>Status</label>
        <default>$status$</default>
        <search>
          <query/>
        </search>
        <choice value="Open">Open</choice>
        <choice value="Closed">Closed</choice>
        <choice value="Work-in-progress">Work-in-progress</choice>
        <choice value="Escalation">Escalation</choice>
        <choice value="Stand-By">Stand-By</choice>
      </input>
      <input type="text" token="notes_to_update">
        <label>Add Notes</label>
        <default>$notes$</default>
      </input>
      <table id="detail" depends="$key$">
        <title>Row to modify</title>
        <search>
          <query>
            | makeresults 1
            <!-- Status comes from the dropdown token, not a fixed value -->
            | eval key="$key$", TimeStamp="$timestamp$", Alert_Name="$alertname$", Description="$description$", Status="$status_to_update$", Notes="$notes_to_update$", Time=strftime($timestamp$,"%d/%m/%Y %H:%M:%S")
            | appendcols [ | rest /services/authentication/current-context | rename username AS User_Name | fields User_Name]
            | table key Time TimeStamp Alert_Name Description Status Notes User_Name
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <fields>_key, Time, Alert_Name, Description, Status, Notes, User_Name</fields>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="status_updated">$row.Status$</set>
          <set token="notes_updated">$row.Notes$</set>
          <set token="username_updated">$row.User_Name$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table id="detail2" depends="$status_to_update$">
        <title>Modified Lookup row</title>
        <search>
          <query>
            | inputlookup my_cases
            | eval 
              Status=if(_key="$key$","$status_updated$",Status),
              Notes=if(_key="$key$","$notes_updated$",Notes),
              User_Name=if(_key="$key$","$username_updated$",User_Name)
            | search _key="$key$"
            | outputlookup my_cases append=true
            | eval key=_key
            | collect addtime=true index=summary_alerts
            | eval Time=strftime(TimeStamp,"%d/%m/%Y %H:%M:%S"), key=_key
            | table key Time TimeStamp Alert_Name Description Status Notes User_Name
            </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <fields>_key, Time, Alert_Name, Description, Status, Notes, User_Name</fields>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

 

In a few words:

  • I list all the cases to assign,
  • I choose the one to take in charge by clicking on a record,
  • I give the values to the fields (account name, status and notes),
  • I save the given values in the row of the lookup (KV Store).

As I said it isn't so easy!

Ciao.

Giuseppe
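The same "read the case row, change Status/Notes/User_Name, write the whole row back" step that the detail2 panel does with inputlookup and outputlookup append=true can also be done from outside Splunk through the KV Store REST API (storage/collections/data). The following is an added example, not gcusello's dashboard code and not a Splunk-provided script; the host, app, collection name, the status values and the allowed transitions are assumptions, and the in-memory FakeKvStore stands in for the REST endpoint so it runs offline.

```python
"""Update one case record in a Splunk KV Store collection over REST.

Added example, not the dashboard's own code. Host, app, collection and the
status transition policy below are assumptions chosen for the example.
"""
import json
from datetime import datetime, timezone
from urllib.parse import quote

# Assumed status policy: a case may only move along these edges.
TRANSITIONS = {
    "New Alert": {"In Progress", "Dismissed"},
    "In Progress": {"Resolved", "Dismissed"},
    "Resolved": set(),
    "Dismissed": set(),
}


def record_url(host, app, collection, key):
    """REST URL of a single KV Store record; the key is URL-encoded."""
    return (f"{host}/servicesNS/nobody/{app}/storage/collections/data/"
            f"{collection}/{quote(key, safe='')}")


def update_case(transport, url, new_status, notes, user, now=None):
    """Fetch the record, validate the transition, write the full record back.

    transport(method, url, body) -> dict performs the HTTP call. The record is
    fetched first because a POST to a record URL replaces the whole document,
    so TimeStamp, Alert_Name and Description would otherwise be dropped.
    """
    current = transport("GET", url, None)
    old_status = current.get("Status")
    if new_status not in TRANSITIONS:
        raise ValueError(f"unknown status {new_status!r}")
    if new_status not in TRANSITIONS.get(old_status, set()):
        raise ValueError(f"transition {old_status!r} -> {new_status!r} not allowed")
    now = now or datetime.now(timezone.utc)
    updated = dict(current)
    updated.update({
        "Status": new_status,
        "Notes": notes,
        "User_Name": user,                  # who changed it, for the audit trail
        "LastModified": int(now.timestamp()),
    })
    transport("POST", url, json.dumps(updated))
    return updated


def splunk_transport(session, token):
    """Real transport for a requests.Session and a Splunk authentication token."""
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}

    def call(method, url, body):
        resp = session.request(method, url, headers=headers, data=body)
        resp.raise_for_status()
        return resp.json()
    return call


class FakeKvStore:
    """In-memory stand-in for the REST endpoint so the example runs offline."""

    def __init__(self, records):
        self.records = dict(records)   # url -> record
        self.calls = []

    def __call__(self, method, url, body):
        self.calls.append(method)
        if method == "GET":
            return dict(self.records[url])
        if method == "POST":
            self.records[url] = json.loads(body)
            return {"_key": self.records[url].get("_key")}
        raise ValueError(method)


def sample_store():
    """One constructed case record, as the master table would list it."""
    url = record_url("https://splunk.example:8089", "search", "my_cases", "case0001")
    store = FakeKvStore({url: {
        "_key": "case0001",
        "TimeStamp": 1615090424,
        "Alert_Name": "Suspicious sign-in",
        "Description": "Sign-in from an unfamiliar location (constructed sample)",
        "Status": "New Alert",
        "Notes": "",
        "User_Name": "",
    }})
    return store, url


def demo():
    """Take the sample case in charge; returns the record as written back."""
    store, url = sample_store()
    when = datetime(2021, 3, 7, tzinfo=timezone.utc)
    return update_case(store, url, "In Progress", "Triage started", "analyst1", now=when)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The fetch-before-write matters for the same reason the dashboard carries every column through the detail table before outputlookup: a single-record POST replaces the document, so any field left out of the body disappears. Recording User_Name and LastModified on each change gives the same audit trail that the dashboard gets from the current-context REST call and the collect into summary_alerts.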

ITWhisperer
SplunkTrust

No idea what you are asking for here - there is no Status field in your image and the values you mentioned don't appear either. Where would a dropdown fit into this scenario? What would be the purpose of the dropdown? What have you tried so far?
