Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a Table Dashboard with comparable results showing mismatches and strings in separate columns?

schrauf187
Engager
‎01-31-2018 05:27 AM

Hello Community,

I want to build a rather difficult Table Dashboard /Splunk ES features available.

Situation:
I have 3 different Log_Sources with a lot of Fields. Some of these Fields Match through all 3 Log_Files.
I want to create an overview Dashboard which shows a result for exp, the IP, and marks on the next column in which Log_source it finds the result.

Feature 1
The String can be shown in the Result column. The String can be fetched and shown from any Source it finds a value.

Feature 2
If the result mismatches for example:"in the SEP & CMDB source it should be marked in the Miss column.

I am pretty new to Splunk Development but I would gladly appreciate a rough idea how and if this can be done? How a Searches and simple XML-Code can look like.

Or even if this is a good Idea?

alt text

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

schrauf187
Engager
‎02-02-2018 06:08 AM

Made it work! Next Challenge 3 Log_Sources

|inputlookup cs_ad.csv

|eval missmatch=if(identity_ad=identity_sep," ","x")
|eval ad_has_value=if(identity_ad!="*","x"," ")
|eval sep_has_value=if(identity_sep!="*","x"," ")
| fillnull value=" " identity_ad, identity_sep
| eval result2=case(identity_ad==identity_sep, identity_ad,
identity_ad!=" " AND identity_sep!=" ", identity_ad+" / "+identity_sep,
identity_ad!=" ", identity_ad,
identity_sep!=" ", identity_sep,
1=1, "ERROR")
|table identity_ad identity_sep result2 ad_has_value sep_has_value missmatch

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

schrauf187
Engager
‎02-02-2018 06:08 AM

Made it work! Next Challenge 3 Log_Sources

|inputlookup cs_ad.csv

|eval missmatch=if(identity_ad=identity_sep," ","x")
|eval ad_has_value=if(identity_ad!="*","x"," ")
|eval sep_has_value=if(identity_sep!="*","x"," ")
| fillnull value=" " identity_ad, identity_sep
| eval result2=case(identity_ad==identity_sep, identity_ad,
identity_ad!=" " AND identity_sep!=" ", identity_ad+" / "+identity_sep,
identity_ad!=" ", identity_ad,
identity_sep!=" ", identity_sep,
1=1, "ERROR")
|table identity_ad identity_sep result2 ad_has_value sep_has_value missmatch
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...