How to create a dashboard with a drop-down form where users can select fields from a CSV file to filter search results on indexed events?

splgeek
Explorer

I have logs that have information like the following:

BROWSER_TYPE
USER_NAME
IP Address

I have a CSV file that I have uploaded, given Global permission.

That CSV file contains:

FIRST_NAME  LAST_NAME   FULL_NAME   USER_ID USERNAME    EMAIL   WORKDOTCOM_USER User.Employee_Type__c   User.Group__c   DIVISION    DEPARTMENT  User.Business_Unit__c   User.Country__c PROFILE CREATED_DATE    LAST_UPDATE LAST_LOGIN

What I want to add to my dashboard:
In my dashboard, I want to add a drop-down form so the user can select DIVISION and DEPARTMENT from the CSV and filter data accordingly.

0 Karma

sundareshr
Legend

First, create two dropdowns: the first with token="div", the second with token="dept". The queries for the two should be:

<!-- Distinct DIVISION values from the lookup file -->
<input type="dropdown" token="div">
<search><query>| inputlookup csvfile.csv | fields DIVISION | dedup DIVISION | sort DIVISION</query></search>
...
</input>

<!-- $div|s$ inserts the selected value as a quoted string; the CSV column is DEPARTMENT -->
<input type="dropdown" token="dept">
<search><query>| inputlookup csvfile.csv | where DIVISION=$div|s$ | dedup DEPARTMENT | fields DEPARTMENT | sort DEPARTMENT</query></search>
...
</input>

Then, add a table:

  <table>
    <search>
      <!-- The |s token filter quotes each token so where compares against a string literal -->
      <query>index=foo sourcetype=bar | lookup csvfile.csv USERNAME AS USER_NAME OUTPUT DIVISION DEPARTMENT | where DEPARTMENT=$dept|s$ AND DIVISION=$div|s$ | table <<list of fields you would like to display>> </query>
      <earliest>@d</earliest>
      <latest>now</latest>
    </search>
  </table>
0 Karma

splgeek
Explorer

Thanks.
The 1st token, div, was fine; it populated results in the dropdown.

The 2nd token, dept, did not work; it won't populate anything. I tried this too: | inputlookup All_Users.csv | where DEPARTMENT=$dept$ | dedup DEPARTMENT | fields DEPARTMENT | sort DEPARTMENT

Also, when you say "add a table", what do you mean by that?

0 Karma