Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to generate a form input in a dashboard using drop-down list?

sanyam
New Member
‎12-23-2016 08:13 PM

Hi,

Going through the requirements, I just want to create a dashboard that inputs options as device vendors (1 drop-down) and device product (2 drop-down) .

Device vendor may be cisco, checkpoint and products may be asa, firewall.

On dynamically selecting both of them, the events should get displayed .

Please guide on the same.

Sanyam

0 Karma
Reply

gokadroid
Motivator
‎12-24-2016 01:46 AM

If the options are static try like this below taking care of the token usage within the search:

<form>
  <label>Dashboard Name</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tok_device_vendor">
      <label>Device Vendor</label>
      <choice value="cisco">cisco</choice>
      <choice value="checkpoint">checkpoint</choice>
    </input>
    <input type="dropdown" token="tok_products">
      <label>Products</label>
      <choice value="asa">asa</choice>
      <choice value="firewall">firewall</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Search Tokens - Vendor = $tok_device_vendor$  And Product = $tok_products$</title>
      <table>
        <search>
          <query>Use the tokens here in the search as $tok_device_vendor$   $tok_products$</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply

sanyam
New Member
‎01-02-2017 06:39 AM

Hi Goka ,

Could you please look at the code and provide me a solution to fix the same ?? It would be really helpful .

Thanks ,
Sanyam

0 Karma
Reply

sanyam
New Member
‎12-31-2016 03:11 AM

Hi Goka ,

Based on choosing option dynamically from dropdown list , i created an indexer "tripleabc" and sourcetype is "eventscount" which contains CISCO , Microsoft and Checkpoint as device vendor field alerts or data . I used your input :-

EVENT INPUT THROUGH DASHBOARD15.

<input type="dropdown" token="device_vendor" searchWhenChanged="true">
   <label>device_vendor</label>
   <search>
     <query> index="tripleabc" earliest=-20d sourcetype="eventscount" | stats count by device_vendor </query>
   </search>
   <fieldForLabel>device_vendor</fieldForLabel>
   <fieldForValue>device_vendor</fieldForValue>
 </input>
<input type="dropdown" token="device_product" searchWhenChanged="true">
   <label>device_product</label>
   <search>
     <query>index= "tripleabc" earliest=-20d sourcetype= "eventscount" $device_vendor$ | stats count by device_product</query> 
   </search>
   <fieldForLabel>device_product</fieldForLabel>
   <fieldForValue>device_product</fieldForValue>
 </input>


<panel>
  <title>EVENT DISPLAY AS PER SELECTION</title>30.<table>
    <title>EVENT DATA DISPLAY</title>
    <search>20.
    <query>
      index= "tripleabc" sourcetype= "eventscount" $device_vendor$ | stats count by device_product
      </query>
      <earliest>-20d</earliest>
      <latest></latest>
    </search>25.<option name="count">10</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="rowNumbers">false</option>
    <option name="wrap">true</option>
  </table>
</panel>

However , the search produces no results . I just want in device vendor list ( CISCO , Checkpoint and Windows ) and in device product (ASA , Firewall , Microsoft Win) and on selection of CISCO from device vendor dropdown i should get only ASA in device product and on selection :-

I should get the statistics table depicting the alerts for last 24 hrs or 48 hrs .

Please suggest on the same . Code is attached for your reference .

Regards ,
Sanyam

0 Karma
Reply

gokadroid
Motivator
‎01-02-2017 03:18 PM

Initially you wanted the options to be dynamic and now the comment seems jst to get only a few static options so I am quite confused what's the exact need. However from the comment and code above few things I noted were:

  • Name of your token is same as your field name, can you make them different, in case, something like token as tok_device_vendor and field as device_vendor :




    index="tripleabc" earliest=-20d sourcetype="eventscount" | stats count by device_vendor

    device_vendor
    device_vendor

  • What is the need of a second drop down if you are using the same query to populate the panel as well? Shouldn't you be using tok_device_vendor token to populate the device_product query and then use both the tok_device_vendor and tok_device_product to update the panel query to reflect the choice (something like this):

<input type="dropdown" token="tok_device_product" searchWhenChanged="true">
<label>device_product</label>
<search>
<query>index= "tripleabc" earliest=-20d sourcetype= "eventscount" $tok_device_vendor$ | stats count by device_product</query>
</search>
<fieldForLabel>device_product</fieldForLabel>
<fieldForValue>device_product</fieldForValue>
</input>

And 

 <panel>
   <title>EVENT DISPLAY AS PER SELECTION</title>30.<table>
     <title>EVENT DATA DISPLAY</title>
     <search>20.
     <query>
       index= "tripleabc" sourcetype= "eventscount" $tok_device_vendor$  $tok_device_product$ | stats count by device_product
       </query>
       <earliest>-20d</earliest>
       <latest></latest>
     </search>25.<option name="count">10</option>
     <option name="dataOverlayMode">none</option>
     <option name="drilldown">cell</option>
     <option name="rowNumbers">false</option>
     <option name="wrap">true</option>
   </table>
 </panel>
0 Karma
Reply

gokadroid
Motivator
‎12-25-2016 01:34 PM

If you want to update the contents of dropdown dynamically, please use the query rather than static options. The query can control the dynamic requirements and the dynamic values depend upon:

1) what time duration you run the search for to list the selection elements.
2) which field you choose to plot.

You input field then will look like as follows:

<fieldset submitButton="false">
    <input type="dropdown" token="tok_device_vendor" searchWhenChanged="true">
      <label>Device Vendor</label>
      <search>
        <query>index=yourIndex sourcetype=yourSourcetype | stats count by yourDeviceVendorField</query>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>yourDeviceVendorField</fieldForLabel>
      <fieldForValue>yourDeviceVendorField</fieldForValue>
    </input>
    <input type="dropdown" token="tok_products" searchWhenChanged="true">
      <label>Products</label>
      <search>
        <query>index=yourIndex sourcetype=yourSourcetype | stats count by yourVendorField</query>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>yourVendorField</fieldForLabel>
      <fieldForValue>yourVendorField</fieldForValue>
    </input>
  </fieldset>

You can also choose to pass the token value from first drop down to second one. To do that, just change the query of second drop down as follows:

<query>index=yourIndex sourcetype=yourSourcetype $tok_device_vendor$ | stats count by yourVendorField</query>
0 Karma
Reply

sanyam
New Member
‎12-24-2016 02:32 AM

Could you help with query , want asa only on selection of cisco .

0 Karma
Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎12-27-2016 06:02 PM

@sanyam - Did the answer provided by gokadroid help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma
Reply

sanyam
New Member
‎12-24-2016 02:03 AM

Hi Goka ,
Thanks for the input . Much appreciated !! . The options are not static , they are dynamic , based on the selection (that is why use dropdown ). Could you please help me out to write a query for the same ,

I just need , based on choosing cisco as device vendor , i should get asa as device product since the sourcetype stored in the indexer has only data as asa (device product) for cisco(device vendor) . Similarly with checkpoint and firewall .
Do i need to use if then else statements . Please guide on the same .

Regards
Sanyam

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...