Authorized_List
This Dashboard presents List of Assets with number of Authorized and Unauthorized files
<panel>
<title>Number of Authorized And Unauthorized Files by Assets</title>
<chart>
<title>Authorized_Files</title>
<search ref="Authorized_Files"></search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">bar</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
<panel>
<input type="dropdown" token="host_tok">
<label>HostName</label>
<search>
<query>index=bigfix sourcetype=software | table HostName</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<fieldForLabel>HostName</fieldForLabel>
<fieldForValue>HostName</fieldForValue>
</input>
<input type="dropdown" token="auth_tok">
<label>Authorized/Unauthorized</label>
<search>
<query>index=bigfix sourcetype=software | eval Hashes_allow_or_deny = if((sha256_allow_or_deny=="*deny*") OR (md5_allow_or_deny=="*deny*") OR (isnull(sha256_allow_or_deny) AND isnull(md5_allow_or_deny)),"Unauthorized","Authorized") |table Hashes_allow_or_deny</query>
</search>
<fieldForLabel>Hashes_allow_or_deny</fieldForLabel>
<fieldForValue>Hashes_allow_or_deny</fieldForValue>
</input>
<table>
<title>Input selections:$host_tok$,$auth_tok$</title>
<search>
<query>index=bigfix sourcetype=software |stats values(fileName) by HostName | where HostName=$host_tok$ </query>
<earliest>0</earliest>
</search>
<option name="wrap">undefined</option>
<option name="rowNumbers">undefined</option>
<option name="drilldown">row</option>
<option name="dataOverlayMode">none</option>
<option name="count">10</option>
</table>
</panel>
Or just add a dedup <<name of the column>> before the table command in the query for each dropdown.
Try changing the two dropdown search queries to avoid the duplicates:
Drop down 1:
Original: index=bigfix sourcetype=software | table HostName
New: index=bigfix sourcetype=software | stats count by HostName
Drop down 2:
Original: index=bigfix sourcetype=software | eval Hashes_allow_or_deny = if((sha256_allow_or_deny=="*deny*") OR (md5_allow_or_deny=="*deny*") OR (isnull(sha256_allow_or_deny) AND isnull(md5_allow_or_deny)),"Unauthorized","Authorized") |table Hashes_allow_or_deny
New: index=bigfix sourcetype=software | eval Hashes_allow_or_deny = if((sha256_allow_or_deny=="*deny*") OR (md5_allow_or_deny=="*deny*") OR (isnull(sha256_allow_or_deny) AND isnull(md5_allow_or_deny)),"Unauthorized","Authorized") |stats count by Hashes_allow_or_deny
Note: The only change is in the table command. Instead of table, used stats count by.
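The stats-based change from the answer above, applied to the question's two dropdown inputs, as an added example (not code from the original posts). It also swaps the == "*deny*" comparison for like(), because eval's == does not treat * as a wildcard, so the posted condition would label a value such as "deny" as Authorized. Assumptions: the allow/deny fields contain the substring "deny" for denied hashes, and the second dropdown uses the same 30-day window as the first.

```xml
<!-- Added example, not the original poster's dashboard -->
<panel>
  <input type="dropdown" token="host_tok">
    <label>HostName</label>
    <search>
      <!-- stats collapses the events to one row per HostName, so each host is listed once -->
      <query>index=bigfix sourcetype=software | stats count by HostName | fields HostName</query>
      <earliest>-30d@d</earliest>
      <latest>now</latest>
    </search>
    <fieldForLabel>HostName</fieldForLabel>
    <fieldForValue>HostName</fieldForValue>
  </input>
  <input type="dropdown" token="auth_tok">
    <label>Authorized/Unauthorized</label>
    <search>
      <!-- like() does the substring match; eval's == would compare against the literal text "*deny*" -->
      <query>index=bigfix sourcetype=software | eval Hashes_allow_or_deny = if(like(sha256_allow_or_deny,"%deny%") OR like(md5_allow_or_deny,"%deny%") OR (isnull(sha256_allow_or_deny) AND isnull(md5_allow_or_deny)),"Unauthorized","Authorized") | stats count by Hashes_allow_or_deny | fields Hashes_allow_or_deny</query>
      <!-- Assumption: 30-day window added here; the original input set no time range -->
      <earliest>-30d@d</earliest>
      <latest>now</latest>
    </search>
    <fieldForLabel>Hashes_allow_or_deny</fieldForLabel>
    <fieldForValue>Hashes_allow_or_deny</fieldForValue>
  </input>
</panel>
```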