Dashboards & Visualizations

How do I use a whole new search query when one of the dropdown options is selected in my Splunk dashboard? (without tokens)

ARU152
Engager

For the first dropdown panel I use $Type$ as a token, and I am able to use the "All" option. However, I have a second dropdown panel in my Splunk dashboard with options as well as "All". But the result of All should be all the dropdown options in it added together, since there are values. However, I cannot use the wildcard symbol because the other dropdown selections use the stats latest function, so using the wildcard "All" will only take the "latest" instead of adding all the other dropdown values. So I have a new query that I would like to use for this one dropdown option. How do I implement that new search query only when "All" is selected? Do I have to add a change tag in the Splunk XML for that option?

This is the query I want for whenever one of the options is chosen:

host=hostname sourcetype=syslog index=os_nix PMM_Status_Report
| rex "(?P<json_data>{.*})"
| spath input=json_data path=json_path
| mvexpand json_path
| stats latest(Before_Today) as "Already Patched" by server_prefix, PatchActivityTitle, BusinessUnit
| eval is_match=case(match("'$Type$'", "(?i)linux"), "linux", match("'$Type$'", "(?i)windows"), "windows", match("'$Type$'", "(?i)all"), "")
| eval case = lower(PatchActivityTitle)
| eval prefix=case(match("'$server_prefix2$'", "(?i)prdtx"), "prdtx", match("'$server_prefix2$'", "(?i)prdjc"), "prdjc", match("'$server_prefix$'", "(?i)prded"), "prded", match("'$server_prefix$'", "(?i)all"), "")
| table server_prefix, PatchActivityTitle, BusinessUnit, "Already Patched", is_match, case, prefix
| where LIKE(server_prefix, "%".prefix."%") and LIKE(case, "%".is_match."%")
| replace "'*'" WITH "*"
| xyseries PatchActivityTitle, BusinessUnit, "Already Patched"
| fillnull value=0

This is the query I want to show when the "ALL" option is chosen from the dropdown:

host=hostname sourcetype=syslog index=os_nix PMM_Status_Report
| rex "(?P<json_data>{.*})"
| spath input=json_data path=json_path
| mvexpand json_path
| stats latest(Before_Today) as "Already Patched" by server_prefix, PatchActivityTitle, BusinessUnit
| eval is_match=case(match("'$PatchActivityType$'", "(?i)linux"), "linux", match("'$PatchActivityType$'", "(?i)windows"), "windows")
| eval case = lower(PatchActivityTitle)
| stats sum("Already Patched") as "Patched" by PatchActivityTitle, BusinessUnit, is_match, case
| table PatchActivityTitle, BusinessUnit, "Patched", is_match, case
| where LIKE(case, "%".is_match."%")
| xyseries PatchActivityTitle, BusinessUnit, "Patched"
| replace "'*'" WITH "*"
| fillnull value=0

niketn
Legend

Write the <change> event handler for your dropdown input and build SPL as needed based on the label value selected. PS: $label$ and $value$ are the default values for the input change event handler. As you can see in the first condition block, label can be used directly (the other option is to use value directly as well), i.e. no need to use that as a token. However, while setting the token I have used $value$ instead of $Type$, as we are handling the same token which we need to use.

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
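Added example of the approach described in the answer above; this is not niketn's code and not the questioner's dashboard. The dropdown token name server_prefix, the helper token agg_spl, the choice values, the time range and the panel layout are assumptions. The SPL stages are lifted from the question's two queries, with the first-dropdown ($Type$) filter left out so the fragment stays short.

```xml
<form>
  <label>Patch status by business unit</label>
  <fieldset submitButton="false">
    <!-- Second dropdown from the question. The change handler runs on
         every selection and rewrites the token agg_spl, which holds the
         part of the SPL that differs between "All" and a single prefix. -->
    <input type="dropdown" token="server_prefix">
      <label>Server prefix</label>
      <choice value="all">All</choice>
      <choice value="prdtx">prdtx</choice>
      <choice value="prdjc">prdjc</choice>
      <choice value="prded">prded</choice>
      <default>all</default>
      <change>
        <!-- $label$ is the display text of the chosen choice element.
             "All" sums the per-prefix latest values instead of
             wildcarding the stats latest result. -->
        <condition label="All">
          <set token="agg_spl">| stats latest(Before_Today) as "Already Patched" by server_prefix, PatchActivityTitle, BusinessUnit | stats sum("Already Patched") as "Patched" by PatchActivityTitle, BusinessUnit | xyseries PatchActivityTitle, BusinessUnit, "Patched"</set>
        </condition>
        <!-- Catch-all condition: $value$ is the chosen choice value, so
             the filter is an exact match rather than a LIKE/wildcard. -->
        <condition>
          <set token="agg_spl">| stats latest(Before_Today) as "Already Patched" by server_prefix, PatchActivityTitle, BusinessUnit | where server_prefix="$value$" | xyseries PatchActivityTitle, BusinessUnit, "Already Patched"</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Shared head of both queries; the tail is whatever the
               change handler last put into agg_spl. -->
          <query>host=hostname sourcetype=syslog index=os_nix PMM_Status_Report
| rex "(?P&lt;json_data&gt;{.*})"
| spath input=json_data path=json_path
| mvexpand json_path
$agg_spl$
| fillnull value=0</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Only the aggregation tail lives in the token, so there is a single base search to maintain; the condition with no attribute is the fallback for every choice other than "All". Keep a <default> on the input so agg_spl is populated when the dashboard first loads, and note that the `<` in the rex pattern has to be written as `&lt;` inside the query element.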