Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to have "EQUAL" and "NOT EQUAL TO" filters in DROPDOWN or INPUT PANELS

neerajs_81
Builder
‎10-08-2024 11:14 PM

Hello,  I have a dashboard that shows network traffic based on 4 simple text boxes for the user to input
SRC_IP
SRC_PORT
DEST_IP
DEST_PORT 

How can we create a filter such as "EQUAL" and "NOT EQUAL TO" options for a  DEST_IP input box ? 

Requirement is that end user should be to select "NOT EQUAL and enter an ip-address or range to exclude whatever they want to  in the input box and accordingly the panels will display the corresponding data.

For example , if they want to exclude all private ips (10.x.x.x)  from DEST_IP ,   they need to be able to select "NOT EQUAL TO" along with entering "10.0.0.0\8"  for this ask. 

Hope clear.  I tried creating MULTISELECT input box as follows but in MULTISELECT box, it does not let a user enter/type any data that they want to manually filter .

neerajs_81_0-1728454089409.png

neerajs_81_1-1728454344764.png

 

Any assistance will be highly appreciated.

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-09-2024 03:53 AM

Keep your original text boxes so that the user can enter the ip address (range) but also have either a checkbox for the equal/not equal decision or a pair of radio buttons and use the token from this choice to modify your search.

View solution in original post

Reply
Solved! Jump to solution

neerajs_81
Builder
‎10-09-2024 04:29 AM

Thanks, i tried that it  works .    However,  it ends up looking this because as we are using 2 separate input types so there is a huge gap between the radiobox input and the Text box where user enters the IP.  The classic dashboard doesn't let me shrink the size of these boxes .  Is there any way to merge/ bring them closer under one Title / Header - "Destination IP"  ?

 

neerajs_81_0-1728473042966.png

Below is my code

 

<form version="1.1" theme="light">
  <label>test</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <title>Destination IP</title>
      <input type="radio" token="condition" searchWhenChanged="true">
        <label></label>
        <choice value="=">EQUAL</choice>
        <choice value="!=">NOT EQUAL</choice>
        <search>
          <query/>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <default>=</default>
        <initialValue>=</initialValue>
      </input>
      <input type="text" token="dest_ip" searchWhenChanged="true">
        <label>dest_ip</label>
        <default></default>
      </input>
             <table>
        <title>dest_ip_graph</title>
        <search>
          <query>index=aws_vpc_flow_logs aws_account_id="*60036" dest_ip$condition$$dest_ip$ | stats count(vpcflow_action) as flowCount sum(packets) as pktCount sum(bytes) as sumBytes by aws_account_id instance_id src_ip src_port dest_ip dest_port action flow_direction interface_id vpc_id | eval pkt(million)=round((pktCount)/10000) | eval bytes(GB)=round((sumBytes)/1024/1024/1024) | iplocation src_ip | table aws_account_id instance_id src_ip src_port dest_ip dest_port action flow_direction interface_id vpc_id City Country flowCount pkt(million) bytes(GB) | sort - bytes(GB)</query>
          <earliest>-15m@m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
      </row>
     
</form>

 







 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-09-2024 04:38 AM

You could try changing the order of the text field and the check boxes. Alternatively, you might be able to apply some CSS to modify the width of the check box panel (although this might get a bit messy as Splunk Classic Dashboards have a habit of modifying the width of panels to optimise screen real-estate).

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-09-2024 03:53 AM

Keep your original text boxes so that the user can enter the ip address (range) but also have either a checkbox for the equal/not equal decision or a pair of radio buttons and use the token from this choice to modify your search.

Reply
Solved! Jump to solution

PaulPanther
Motivator
‎10-09-2024 04:44 AM

Based on this solution Solved: How do I add a textbox value to a multiselect inpu... - Splunk Community please try following xml:

<form version="1.1">
<label>IP List dynamically added to multiselect based on textbox input</label>
<fieldset submitButton="false" autoRun="true">
<input type="text" token="tkn_ip">
<label>Enter a IP (range)</label>
</input>
<input type="multiselect" token="iplist">
<label>IP List</label>
<valuePrefix>clientip</valuePrefix>
<delimiter> OR </delimiter>
<fieldForLabel>field3</fieldForLabel>
<fieldForValue>field3</fieldForValue>
<search>
<query>| makeresults 
| eval previplist="$form.iplist$"
| eval newiplist="$tkn_ip$"
| makemv delim="," previplist
| makemv delim=" " newiplist
| eval field3=mvappend(previplist,newiplist)
| eval valcount= mvcount(field3)
| eval field3=if(valcount&gt;1,mvfilter(NOT match(field3,"all")),field3)
</query>
<done>
<condition match="$job.resultCount$&gt;0">
<eval token="form.iplist">case(isnotnull($result.field3$),$result.field3$)</eval>
</condition>
</done>
<finalized>
<condition match="$job.resultCount$&gt;0">
<unset token="tkn_ip"></unset>
</condition>
</finalized>
</search>
<choice value="=*">All</choice>
<change>
<eval token="form.iplist">if(mvcount('form.iplist')=0,"=*",if(mvcount('form.iplist')!=1,mvfilter('form.iplist'!="=*"),'form.iplist'))</eval>
<unset token="form.tkn_ip"></unset>
</change>
<default>=*</default>
<initialValue>=*</initialValue>
</input>
</fieldset>
<row>
<panel>
<event>
<search>
<query>index=_internal $iplist$</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="list.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</event>
</panel>
</row>
</form>

 

0 Karma
Reply
Solved! Jump to solution

neerajs_81
Builder
‎10-09-2024 05:10 AM

Thanks for responding but the solution given there is different use case. The query and tokens mentioned in the XML code are very confusing to understand. 

0 Karma
Reply
Solved! Jump to solution

PaulPanther
Motivator
‎10-09-2024 05:21 AM

Sorry, my notebook ran out of battery.

To test the dashboard you only have to enter the ip (range) with either prefix = or ! = to black or white list the ip (range). The entered value in the text box will be passed to the multiselect field.

For the multiselect input you only have to change the prefix from "clientip" to the desired field that you wanna filter.

The search in the search panel can be replaced by your search 

That should be enough to verify if it is a proper solution for your problem. 

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...