Dashboards & Visualizations

How to create a dashboard with a drop-down form where users can select fields from a CSV file to filter search results on indexed events?

splgeek
Explorer

I have logs that have information like the following

BROWSER_TYPE
USER_NAME
IP Address

I have a CSV file that I have uploaded, given Global permission.

That CSV file contains:

FIRST_NAME  LAST_NAME   FULL_NAME   USER_ID USERNAME    EMAIL   WORKDOTCOM_USER User.Employee_Type__c   User.Group__c   DIVISION    DEPARTMENT  User.Business_Unit__c   User.Country__c PROFILE CREATED_DATE    LAST_UPDATE LAST_LOGIN

What I want to add to my Dashboard:
In My dashboard, I want to add drop-down form so user can select DIVISION, DEPARTMENT from the csv and filter data accordingly

0 Karma

sundareshr
Legend

First, create two dropdown. 1 with token="div" second with token="dept". The queries for the two should be

<input type="dropdown" token="div">
<search><query>| inputlookup csvfile.csv | fields DIVISION | dedup DIVISION | sort DIVISION</query></search>
...
</input>

<input type="dropdown" token="dept">
<search><query>| inputlookup csvfile.csv | where DIVISION=$div$ | dedup dept | field dept | sort dept</query></search>
...
</input>

Then, add a table

  <table>
    <search>
      <query>index=foo sourcetype=bar | lookup csvfile.csv USERNAME AS  USER_NAME OUTPUT DIVISION DEPARTMENT  | where DEPARTMENT=$dept$ AND DIVISION=$div$ | table <<list of fields you would like to display>> </query>
      <earliest>@d</earliest>
      <latest>now</latest>
    </search>
  </table>
0 Karma

splgeek
Explorer

Thanks
1st token Div was fine, it populated results in the dropdown

2nd token dept did not work- wont populate anything. - I tried this too | inputlookup All_Users.csv | where DEPARTMENT=$dept$ | dedup DEPARTMENT| fields DEPARTMENT| sort DEPARTMENT

also
when you say Add Table, what do you mean by that

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...