
How can I build a dashboard that passes a text input and dropdown input for the data type into a search?

Contributor

I'm trying to build a dashboard where an analyst can have a single text input and have a dropdown for the data type and pass the combined information to the search. Unfortunately, it's not working.

Token Logic:
User inputs 127.0.0.1 into $token1$. Then selects "IP" label in the dropdown, which contains the logic (src=$token1$ OR dest=$token1$) and is labeled $token2$. Search, for now, is simply index=firewalls $token2$.

Problem Description:
What we expect to land in the panel is "index=firewalls (src=127.0.0.1 OR dest=127.0.0.1)". What we are seeing, when "open in search" is utilized, is "index=firewalls (src=$token1$ OR dest=$token1$)".

When we get the logic for the inputs right we plan on converting this to a datamodel search, but for now we just need to figure out how to pass information inputted into one input to another.

Reason why we're building this:
This is a version 1 just to get analysts going and be able to modularize a lot of their workflow, which is currently a bunch of hand-jamming searches every time they want to do something, so we get searches that are just an IP over all time. We're building this into ES to start to move analysts over to that, but this is the short-term need, as they view IP lookup as "difficult".

Edit: SimpleXML of dashboard attached

<form>
  <label>Test Searching</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="token1" searchWhenChanged="true">
      <label>IOC for Search</label>
    </input>
    <input type="dropdown" token="token2">
      <label>Field to Search</label>
      <choice value="&quot;$token1$&quot;">IP</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>Search Events</title>
        <search>
          <query>index="firewalls" $token2$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
      </event>
    </panel>
  </row>
</form>

Re: How can I build a dashboard that passes a text input and dropdown input for the data type into a search?

Champion

I think I know the issue, but you probably need to share your SimpleXML so that we can see all that you need to do.

It sounds like the issue is you are including the token $token1$ directly in the choice or option string of the dropdown (token $token2$). This is a no-no. It will never work the way you want. You will likely have to write some <condition> elements or more complex search patterns, but the solution depends on what else you are trying to do. So, please share more of your SimpleXML.


Re: How can I build a dashboard that passes a text input and dropdown input for the data type into a search?

Motivator

Try this:

<form>
  <label>ddDashboard</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="text" token="token1" searchWhenChanged="true">
      <label>Input IP</label>
    </input>
    <input type="dropdown" token="token2" searchWhenChanged="true">
      <label>Select IP</label>
      <search>
        <query>index=internal (src="$token1$" OR dest="$token1$") | fields dest | table dest src</query>
      </search>
      <!-- "fields dest" drops src, so dest is the only field left to populate the choices -->
      <fieldForLabel>dest</fieldForLabel>
      <fieldForValue>dest</fieldForValue>
      <!-- prefix/valuePrefix/suffix wrap the chosen value into a complete search clause -->
      <prefix>(</prefix>
      <valuePrefix>src="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <suffix> OR dest=$token1$) </suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=internal $token2$</query>
          <earliest>0</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>


Re: How can I build a dashboard that passes a text input and dropdown input for the data type into a search?

Contributor

I figured out a solution:

    <input type="dropdown" token="IOC_fields" searchWhenChanged="true">
      <label>Field to Search</label>
      <fieldForLabel>token_type</fieldForLabel>
      <fieldForValue>search_param</fieldForValue>
      <!-- $IOC$ is set by a text input (token="IOC") in the same fieldset;
           the panel search then references $IOC_fields$ -->
      <search>
        <query>| makeresults | eval token="$IOC$" | eval token_type=if(match(token, "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"), "IP", "URL") | eval search_param=if(token_type="IP", "src=".token, "url=".token) | table token, token_type, search_param</query>
      </search>
    </input>

It will take the token IOC, qualify it as an IP or URL, and then concatenate to form the correct search language with the token.

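Building on the accepted approach, here is a complete dashboard as an added example (not code from any of the posts above) that classifies the IOC and emits the `(src=X OR dest=X)` clause the question originally asked for, plus hash, URL and domain cases. The `index=firewalls` target and the field names other than `src`, `dest` and `url` (`file_hash`, `query`, `dest_host`) are assumptions to adjust to your own data.

```xml
<form>
  <label>IOC Search</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="IOC">
      <label>IOC to search</label>
    </input>
    <!-- The dropdown's only choice is computed from $IOC$: the populating search
         classifies the value and emits the finished search clause as the choice value.
         file_hash, query and dest_host are assumed field names; adjust to your sourcetypes. -->
    <input type="dropdown" token="IOC_filter" searchWhenChanged="true">
      <label>Detected IOC type</label>
      <fieldForLabel>ioc_type</fieldForLabel>
      <fieldForValue>search_param</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <query>| makeresults
| eval ioc="$IOC$"
| eval ioc_type=case(
    match(ioc, "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"), "IP",
    match(ioc, "^([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$"), "HASH",
    match(ioc, "^https?://"), "URL",
    true(), "DOMAIN")
| eval search_param=case(
    ioc_type="IP", "(src=\"".ioc."\" OR dest=\"".ioc."\")",
    ioc_type="HASH", "file_hash=\"".ioc."\"",
    ioc_type="URL", "url=\"".ioc."\"",
    true(), "(query=\"".ioc."\" OR dest_host=\"".ioc."\")")
| table ioc_type, search_param</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Events matching $IOC_filter$</title>
      <event>
        <search>
          <query>index=firewalls $IOC_filter$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
      </event>
    </panel>
  </row>
</form>
```

Because the IOC is embedded inside quoted strings, a value containing spaces or search operators stays a literal term; a double quote typed into the input would still break the eval, so strip or reject it before it reaches the token.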