Dashboards & Visualizations

How can I build a dashboard that passes a text input and dropdown input for the data type into a search?

ltrand
Contributor

I'm trying to build a dashboard where an analyst can have a single text input and have a dropdown for the data type and pass the combined information to the search. Unfortunately, it's not working.

Token Logic:
User inputs 127.0.0.1 into $token1$. Then selects "IP" label in the dropdown, which contains the logic (src=$token1$ OR dest=$token1$) and is labeled $token2$. Search, for now, is simply index=firewalls $token2$.

Problem Description:
What we expect to land in the panel is "index=firewalls (src=127.0.0.1 OR dest=127.0.0.1)". What we are seeing, when "open in search" is utilized, is "index=firewalls (src=$token1$ OR dest=$token1$)".

When we get the logic for the inputs right we plan on converting this to a datamodel search, but for now we just need to figure out how to pass information inputted into one input to another.

Reason why we're building this:
This is a version 1 just to get analysts going and be able to modularize a lot of their workflow that is currently a bunch of hand jamming searches every time they want to do something, so we get searches that are just an IP over all time. We're building this into ES to start to move analysts over to that, but this is the short term need, as they view IP lookup as "difficult".

Edit: SimpleXML of dashboard attached

<form>
  <label>Test Searching</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="token1" searchWhenChanged="true">
      <label>IOC for Search</label>
    </input>
    <input type="dropdown" token="token2">
      <label>Field to Search</label>
      <choice value="&quot;$token1$&quot;">IP</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>Search Events</title>
        <search>
          <query>index="firewalls" $token2$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
      </event>
    </panel>
  </row>
</form>

ltrand
Contributor

I figured out a solution:

    <input type="dropdown" token="IOC_fields" searchWhenChanged="true">
      <label>Field to Search</label>
      <fieldForLabel>token_type</fieldForLabel>
      <fieldForValue>search_param</fieldForValue>
      <!-- Populating search: reads the IOC text-input token, classifies it as IP or URL
           with a regex, then builds the search clause the dropdown value carries.
           The clause is chosen on token_type (the original compared the IOC itself
           against "IP", which never matched an address). -->
      <search>
        <query>| makeresults | eval token="$IOC$" | eval token_type=if(match(token, "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"), "IP", "URL") | eval search_param=if(token_type=="IP", "src=".token, "url=".token) | table token, token_type, search_param</query>
      </search>
    </input>

It will take the token IOC, qualify it as an IP or URL, and then concatenate to form the correct search language with the token.
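A complete dashboard that builds on the populating-search idea from this answer, written here as an added example rather than code from the thread: the typed IOC is quoted with Splunk's `|s` token filter before it reaches the populating search, the search classifies it as an IP or a hostname (the hostname regex is my own assumption), and anything that fits neither pattern maps to a clause that matches nothing, so a malformed input cannot widen the panel search. Index `firewalls` and the fields `src`, `dest` and `url` are taken from the question.

```xml
<form>
  <label>IOC Search (added example)</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="IOC">
      <label>IOC for Search</label>
    </input>
    <input type="dropdown" token="IOC_fields" searchWhenChanged="true">
      <label>Field to Search</label>
      <fieldForLabel>token_type</fieldForLabel>
      <fieldForValue>search_param</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <!-- $IOC|s$ wraps the typed value in double quotes and escapes embedded
             quotes and backslashes, so it lands in eval as one string literal -->
        <query>| makeresults
| eval token=$IOC|s$
| eval token_type=case(
    match(token, "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"), "IP",
    match(token, "^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$"), "Domain",
    true(), "Unsupported")
| eval search_param=case(
    token_type=="IP", "(src=\"".token."\" OR dest=\"".token."\")",
    token_type=="Domain", "url=\"*".token."*\"",
    true(), "NOT *")
| table token_type search_param</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>Search Events</title>
        <search>
          <query>index="firewalls" $IOC_fields$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
      </event>
    </panel>
  </row>
</form>
```

Because the populating search references `$IOC$`, the dropdown is rebuilt each time the IOC is submitted, and the single resulting choice is selected automatically, so the panel query always receives a fully quoted clause rather than a raw token string.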

sbbadri
Motivator

try this,

<form>
  <label>ddDashboard</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="text" token="token1" searchWhenChanged="true">
      <label>Input IP</label>
    </input>
    <input type="dropdown" token="token2" searchWhenChanged="true">
      <label>Select IP</label>
      <search>
        <!-- The populating search must emit the src_dest field that the label/value
             elements below read; the original only kept dest -->
        <query>index=_internal (src="$token1$" OR dest="$token1$") | eval src_dest=coalesce(src, dest) | dedup src_dest | table src_dest</query>
      </search>
      <fieldForLabel>src_dest</fieldForLabel>
      <fieldForValue>src_dest</fieldForValue>
      <prefix>(</prefix>
      <valuePrefix>src="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <suffix> OR dest=$token1$) </suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal $token2$</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
      </table>
    </panel>
  </row>
</form>

rjthibod
Champion

I think I know the issue, but you probably need to share your SimpleXML so that we can see all that you need to do.

It sounds like the issue is you are including the token $token1$ directly in the choice or option string of the dropdown (token $token2$). This is a no-no. It will never work the way you want. You will likely have to write some <condition> elements or more complex search patterns, but the solution depends on what else you are trying to do. So, please share more of your SimpleXML.
