Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Extracting Data is not displaying on panel
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extracting Data is not displaying on panel
Hi Everyone,
I have one requirement
I have one Dashboard which consists of two panels Request Types and Users
Query for Request_Type Panel
index=abc sourcetype=xyz source="user.log" process-groups |rex "\)\s+(?<Request_Type>[^ ]+)"|chart count(Request_Type) as "Request- Types" by Request_Type |search $req$
Query for Users Panel
index=abc sourcetype=xyz source="user.log" process-groups | rex "\<(?<Request_User>\w+)\>\<"|chart count(Request_User) as "Users" by Request_User|search $usr$
I have two dropdowns also in the same Dashboard for Request_Type and Users
Query for Request_Type dropdown
<input type="multiselect" token="req" searchWhenChanged="true">
<label>Request Type</label>
<choice value="*">All Request_Type</choice>
<search>
<query>index=abc sourcetype=xyz source="user.log" process-groups | rex "\)\s+(?<Request_Type>[^ ]+)"|stats count by Request_Type </query>
<earliest>-60d@d</earliest>
<latest>now</latest>
</search>
<fieldForLabel>Request_Type</fieldForLabel>
<fieldForValue>Request_Type</fieldForValue>
<prefix>(</prefix>
<valuePrefix>Request_Type ="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<suffix>)</suffix>
<initialValue>*</initialValue>
<default>*</default>
</input>
Query for User dropdown
<input type="multiselect" token="usr" searchWhenChanged="true">
<label>NiFi_Users</label>
<choice value="*">All Users</choice>
<search>
<query>index=abc sourcetype=xyz source="user.log" process-groups | rex "\<(?<Request_User>\w+)\>\<"|stats count by Request_User</query>
<earliest>-60d@d</earliest>
<latest>now</latest>
</search>
<fieldForLabel>Request_User</fieldForLabel>
<fieldForValue>Request_User</fieldForValue>
<prefix>(</prefix>
<valuePrefix>Request_User ="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<suffix>)</suffix>
<initialValue>*</initialValue>
<default>*</default>
</input>
The issue I am facing is when I am selecting "PUT" from Request type dropdown then I am getting correct data Iin Request_Type panel but not in User panel.
But in user panel all the users are coming. I want only the "users" that are associated with "PUT" If I select "PUT" from the Request_Type drop down. If I select "GET" then all the users associated with "GET "should come.
Since I have extracted "Request_type" field the "req" token is not working properly in Users panel.
Query for Users Panel
index=abc sourcetype=xyz source="user.log" process-groups | rex "\<(?<Request_User>\w+)\>\<"|chart count(Request_User) as "Users" by Request_User|search $usr$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to add the request type filter in your user panel search as well
Try changing the user panel search to
index=abc sourcetype=xyz source="user.log" process-groups
| rex "\)\s+(?<Request_Type>[^ ]+)"
| rex "\<(?<Request_User>\w+)\>\<"
| search $req$ $usr$
| chart count(Request_User) as "Users" by Request_UserWhat goes around comes around. If it helps, hit it with Karma 🙂
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
