Dashboards & Visualizations

Drop down in Search Result

alexspunkshell
Contributor

I want to have a dropdown in my Dashboard's search result, like "New Alert", "In-Progress", "Resolved" in the Status field. Please help here.

[screenshot: alexspunkshell_0-1615090424162.png]


alexspunkshell
Contributor

@gcusello @ITWhisperer  Thanks for your reply.

In index=graphsecurityalert I am getting the logs for alerts.

In my dashboard I want a dropdown for the alert's status like "New Alert", "In Progress", "Resolved", "Dismissed".

I need to change the status of the alert upon investigation. Could you please help here.

[screenshot: alexspunkshell_0-1615135777035.png]

[screenshot: alexspunkshell_1-1615136068029.png]


gcusello
SplunkTrust

Hi @alexspunkshell,

To have the dropdown in each row you have to use JavaScript.

I cannot help you with that, but see my dashboard.

Ciao.

Giuseppe

gcusello
SplunkTrust

Hi @alexspunkshell,

it's not possible to add a status field to your events to trace the life of the alert, but you could save the results of an alert in a lookup and manually change the status of one of your results using the Lookup Editor.

It's also possible to modify the lookup using JS or a Splunk search, but it isn't so easy and it is difficult to describe in an answer.

This is a dashboard that I used to create a simple Case Manager, which you could use as an example to manage your cases:


<form>
  <label>Manage New Cases</label>
  <row>
    <panel>
      <table id="master">
        <title>Total New Cases = $server_count$</title>
        <search>
          <query>
            | inputlookup my_cases WHERE Status="Open"
            | eval Time=strftime(TimeStamp,"%d/%m/%Y %H:%M:%S"), key=_key 
            | table key Time Alert_Name Description Status Notes User_Name TimeStamp
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <progress>
            <set token="server_count">$job.resultCount$</set>
          </progress>
          <cancelled>
            <unset token="server_count"></unset>
          </cancelled>
        </search>
        <fields>_key, Time, Alert_Name, Description, Status, Notes, User_Name</fields>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="key">$row.key$</set>
          <set token="timestamp">$row.TimeStamp$</set>
          <set token="alertname">$row.Alert_Name$</set>
          <set token="description">$row.Description$</set>
          <set token="status">$row.Status$</set>
          <set token="notes">$row.Notes$</set>
          <!-- the master table column is User_Name, so the row token must use that name -->
          <set token="username">$row.User_Name$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Modify Row</title>
      <input type="dropdown" token="status_to_update">
        <label>Status</label>
        <default>$status$</default>
        <search>
          <query/>
        </search>
        <choice value="Open">Open</choice>
        <choice value="Closed">Closed</choice>
        <choice value="Work-in-progress">Work-in-progress</choice>
        <choice value="Escalation">Escalation</choice>
        <choice value="Stand-By">Stand-By</choice>
      </input>
      <input type="text" token="notes_to_update">
        <label>Add Notes</label>
        <default>$notes$</default>
      </input>
      <table id="detail" depends="$key$">
        <title>Row to modify</title>
        <!-- makeresults takes count=<n>; Status comes from the dropdown token, not a hard-coded value -->
        <search>
          <query>
            | makeresults count=1
            | eval key="$key$", TimeStamp="$timestamp$", Alert_Name="$alertname$", Description="$description$", Status="$status_to_update$", Notes="$notes_to_update$", Time=strftime($timestamp$,"%d/%m/%Y %H:%M:%S")
            | appendcols [ | rest /services/authentication/current-context | rename username AS User_Name | fields User_Name]
            | table key Time TimeStamp Alert_Name Description Status Notes User_Name
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <fields>_key, Time, Alert_Name, Description, Status, Notes, User_Name</fields>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="status_updated">$row.Status$</set>
          <set token="notes_updated">$row.Notes$</set>
          <set token="username_updated">$row.User_Name$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table id="detail2" depends="$status_to_update$">
        <title>Modified Lookup row</title>
        <search>
          <query>
            | inputlookup my_cases
            | eval 
              Status=if(_key="$key$","$status_updated$",Status),
              Notes=if(_key="$key$","$notes_updated$",Notes),
              User_Name=if(_key="$key$","$username_updated$",User_Name)
            | search _key="$key$"
            | outputlookup my_cases append=true
            | eval key=_key
            | collect addtime=true index=summary_alerts
            | eval Time=strftime(TimeStamp,"%d/%m/%Y %H:%M:%S"), key=_key
            | table key Time TimeStamp Alert_Name Description Status Notes User_Name
            </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <fields>_key, Time, Alert_Name, Description, Status, Notes, User_Name</fields>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>


In a few words:

  • I list all the cases to assign,
  • I choose the one to take in charge by clicking on a record,
  • I give the values to the fields (account name, status and notes),
  • I save the given values in the row of the lookup (KV Store).

As I said it isn't so easy!

Ciao.

Giuseppe
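The dashboard above does its read-modify-write of the KV Store row inside SPL (`inputlookup`, `eval if(_key=...)`, `outputlookup append=true`). The same status change can be made from outside Splunk through the KV Store REST endpoint, which is how a ticketing or SOAR integration would close the loop. The following is an added example written for this thread; it is not gcusello's dashboard code and not part of Splunk's SDK. It assumes the collection is called `my_cases` (as in the dashboard), that it lives in an app named `search`, that a Splunk authentication token is used for the `Authorization: Bearer` header, and that the management port is reachable at the `base_url` you pass in. The one caveat it encodes: a POST to `.../storage/collections/data/<collection>/<key>` replaces the whole record rather than patching it, so the existing record is fetched and merged first, otherwise the untouched fields (Alert_Name, Description, TimeStamp) would be lost.

```python
"""Change the Status/Notes/User_Name of one case record in a Splunk KV Store
collection via the REST API (added example; assumptions are marked below)."""
import json
import ssl
import urllib.request

# Mirrors the <choice> values of the status dropdown in the dashboard above.
ALLOWED_STATUS = {"Open", "Closed", "Work-in-progress", "Escalation", "Stand-By"}


def kv_record_url(base_url, app, collection, key=None):
    """Build the KV Store data endpoint; with a key it addresses one record.
    The path is the documented storage/collections/data endpoint; the app
    name 'search' used by callers here is an assumption, not from the page."""
    url = f"{base_url.rstrip('/')}/servicesNS/nobody/{app}/storage/collections/data/{collection}"
    return f"{url}/{key}" if key else url


def merged_record(existing, status, notes, user_name):
    """Return the full record to POST back.

    The per-key POST replaces the stored record, so every field of the
    existing record is carried over and only Status, Notes and User_Name are
    overwritten. _key and _user are system fields that belong to the URL /
    the endpoint, not to the body, so they are dropped.
    """
    if status not in ALLOWED_STATUS:
        raise ValueError(f"unknown status {status!r}; allowed: {sorted(ALLOWED_STATUS)}")
    record = {k: v for k, v in existing.items() if k not in ("_key", "_user")}
    record["Status"] = status
    record["Notes"] = notes
    record["User_Name"] = user_name
    return record


def _call(url, token, method="GET", body=None):
    """Minimal JSON REST call authenticated with a Splunk token (assumed)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode())


def update_case_status(base_url, token, app, collection, key, status, notes, user_name):
    """Read-modify-write of one case: GET the record, merge, POST it back.
    Returns the endpoint's JSON response (the record's _key on success)."""
    url = kv_record_url(base_url, app, collection, key)
    existing = _call(url, token)
    new_record = merged_record(existing, status, notes, user_name)
    return _call(url, token, method="POST", body=new_record)


if __name__ == "__main__":
    # Constructed sample record, shaped like what the GET would return,
    # so the merge logic can be exercised without a live Splunk instance.
    sample = {
        "_key": "EXAMPLE_KEY_001", "_user": "nobody",
        "Alert_Name": "Suspicious sign-in", "Description": "Impossible travel",
        "Status": "Open", "Notes": "", "User_Name": "", "TimeStamp": 1615090424,
    }
    print(json.dumps(merged_record(sample, "Work-in-progress", "assigned to L2", "giuseppe"), indent=2))
```

In production the update itself is the thing to audit: the dashboard does this with `| collect index=summary_alerts`, and an API client should likewise write who changed which case to what, since the KV Store keeps only the latest state of a record.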

ITWhisperer
SplunkTrust

No idea what you are asking for here - there is no Status field in your image and the values you mentioned don't appear either. Where would a dropdown fit into this scenario? What would be the purpose of the dropdown? What have you tried so far?
