Hi everybody,
I have been using Splunk Cloud for a few days and I am stuck using token filtering in Dashboard Studio.
My CSV called "vulnevolution.csv" is like this:
Date Team nbvuln
01/01/2022 SSI 27038
01/01/2022 IT 175600
01/02/2022 SSI 22733
01/02/2022 IT 187273
I want to create a line dashboard that displays the nbvuln per time per team
| inputlookup append=t vulnevolution.csv
| xyseries Date Team "nbvuln" | makecontinuous
It works perfectly fine 🙂
BUT :
I want to create a filtering token called teaminfra to perform a filter and only show the data of this team.
The name of the token is teaminfra
Its values are static IT and SSI
Do you have any idea how I could do that? I have the same request for another CSV file where the Team column is exactly the same, so I am planning to use this token for both dashboards (the second one is a table where I display comments)
Thank you everyone for helping me in advance.
I tried to find this subject on the forum already, I found some explanation using dedup but I did not figure out how to make it work in my case.
Best regards,
Alexandre
@apomona - You can use below in your search:
| inputlookup append=t vulnevolution.csv
| search Team=$teaminfra|s$
| xyseries Date Team "nbvuln" | makecontinuous
This will filter the table results as you need them.
Kindly upvote the answer if it helps!!!
It really helped me and it works perfectly fine.
Just so I know, if I want to select all Teams, what should I put as value in the token teaminfra? For the moment it is "*" but it searches in the CSV the Team * and not SSI and IT.
Best regards.
Alexandre
@apomona Use the search I provided and I'm sure it should search all teams present in the lookup and "*".
If no one has ever told you before, you are awesome ^^ Thx 🙂
Hi @apomona
You can add a search clause in your query that maps to the token "teaminfra".
Something like this
| inputlookup append=t vulnevolution.csv
| search Team="$teaminfra$"
| xyseries Date Team "nbvuln"
| makecontinuous
<form version="1.1">
  <label>Learning Splunk</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <title>Test Token</title>
      <input type="dropdown" token="teaminfra" searchWhenChanged="true">
        <label>Infra Team</label>
        <choice value="*">All Teams</choice>
        <default>*</default>
        <fieldForLabel>Team</fieldForLabel>
        <fieldForValue>Team</fieldForValue>
        <search>
          <query>| inputlookup append=t vulnevolution.csv
| stats dc(Team) by Team</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
      </input>
      <chart>
        <search>
          <query>| inputlookup append=t vulnevolution.csv
| search Team="$teaminfra$"
| xyseries Date Team "nbvuln"
| makecontinuous</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">connect</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</form>
~ If the reply helps, an upvote would be appreciated.
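The thread's answers, put together as a Dashboard Studio definition (an added example, not code posted by anyone in the thread): a static dropdown sets `teaminfra`, and the data source applies it with the `|s` filter from the first answer. The ids `input_team`, `ds_vuln` and `viz_line`, the titles and the grid position are assumptions.

```json
{
  "title": "Vulnerability evolution",
  "description": "Added example: ids, titles and positions are made up for illustration",
  "inputs": {
    "input_team": {
      "type": "input.dropdown",
      "title": "Infra Team",
      "options": {
        "items": [
          { "label": "All Teams", "value": "*" },
          { "label": "IT", "value": "IT" },
          { "label": "SSI", "value": "SSI" }
        ],
        "token": "teaminfra",
        "defaultValue": "*"
      }
    }
  },
  "dataSources": {
    "ds_vuln": {
      "type": "ds.search",
      "options": {
        "query": "| inputlookup append=t vulnevolution.csv\n| search Team=$teaminfra|s$\n| xyseries Date Team \"nbvuln\"\n| makecontinuous"
      }
    }
  },
  "visualizations": {
    "viz_line": {
      "type": "splunk.line",
      "dataSources": { "primary": "ds_vuln" }
    }
  },
  "layout": {
    "type": "grid",
    "globalInputs": ["input_team"],
    "structure": [
      { "item": "viz_line", "type": "block", "position": { "x": 0, "y": 0, "w": 1200, "h": 400 } }
    ]
  }
}
```

With `|s` the selected value reaches `search` wrapped in double quotes with any embedded quotes escaped, so a team name containing spaces or quotes cannot change the shape of the query. A second data source for the other CSV can reuse the same `$teaminfra|s$` clause, since tokens are shared across the whole dashboard.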