How to use token filtering in CSV lookup to display dashboard or table ?

apomona
Explorer

Hi everybody, 

I have been using Splunk Cloud for a few days and I am stuck using token filtering in Dashboard Studio.

My CSV called "vulnevolution.csv" is like this : 

Date          Team    nbvuln
01/01/2022    SSI     27038
01/01/2022    IT      175600
01/02/2022    SSI     22733
01/02/2022    IT      187273

I want to create a line dashboard that displays the nbvuln per time per team

| inputlookup append=t vulnevolution.csv
| xyseries Date Team "nbvuln" | makecontinuous

It works perfectly fine 🙂  

BUT : 

I want to create a filtering token called teaminfra to perform a filter and only show the data of this team. 

The name of the token is teaminfra

Its values are static IT and SSI

 

Do you have any idea how I could do that? I have the same request for another CSV file where the Team column is exactly the same, so I am planning to use this token for both dashboards (the second one is a table where I display comments).

Thank you everyone for helping me in advance. 

I tried to find this subject on the forum already, I found some explanation using dedup but I did not figure out how to make it work in my case. 

 

Best regards,

Alexandre

VatsalJagani
SplunkTrust

@apomona - You can use below in your search:

| inputlookup append=t vulnevolution.csv 
| search Team=$teaminfra|s$
| xyseries Date Team "nbvuln" | makecontinuous

This will filter the table results as you need them.

 

Kindly upvote the answer if it helps!!!

apomona
Explorer

Hi @VatsalJagani 

It really helped me and it works perfectly fine. 

Just so I know, if I want to select all Teams, what should I put as value in the token teaminfra ? For the moment it is "*" but it searches in the CSV the Team * and not SSI and IT. 

Best regards.

Alexandre

VatsalJagani
SplunkTrust

@apomona  Use the search I provided and I'm sure it should search all teams present in the lookup and "*".

 

apomona
Explorer

If no one has ever told you before, you are awesome ^^ Thx 🙂

Gr0und_Z3r0
Contributor

Hi @apomona 

You can add a search clause in your query that maps to the token "teaminfra".

Something like this

 

| inputlookup append=t vulnevolution.csv 
| search Team="$teaminfra$"
| xyseries Date Team "nbvuln" 
| makecontinuous

 

 


 

 

<form version="1.1">
  <label>Learning Splunk</label>
  <fieldset submitButton="false"></fieldset>
 
  <row>
    <panel>
      <title>Test Token</title>
      <input type="dropdown" token="teaminfra" searchWhenChanged="true">
        <label>Infra Team</label>
        <choice value="*">All Teams</choice>
        <default>*</default>
        <fieldForLabel>Team</fieldForLabel>
        <fieldForValue>Team</fieldForValue>
        <search>
          <query>| inputlookup append=t vulnevolution.csv
| stats dc(Team) by Team</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
      </input>
      <chart>
        <search>
          <query>| inputlookup append=t vulnevolution.csv 
| search Team="$teaminfra$"
| xyseries Date Team "nbvuln" 
| makecontinuous</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">connect</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</form>

 



~ If the reply helps, an upvote would be appreciated.
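
The original question was about Dashboard Studio, while the full dashboard above is Simple XML, so here is the same filter as a Dashboard Studio source definition. This is an added example, not code from any poster in the thread; the ids ds_vuln, viz_vuln and input_teaminfra and the titles are assumptions, and the static items mirror the IT and SSI values from the question.

```json
{
  "title": "Vulnerability evolution",
  "dataSources": {
    "ds_vuln": {
      "type": "ds.search",
      "options": {
        "query": "| inputlookup append=t vulnevolution.csv\n| search Team=$teaminfra|s$\n| xyseries Date Team \"nbvuln\"\n| makecontinuous"
      }
    }
  },
  "inputs": {
    "input_teaminfra": {
      "type": "input.dropdown",
      "title": "Infra Team",
      "options": {
        "token": "teaminfra",
        "defaultValue": "*",
        "items": [
          { "label": "All Teams", "value": "*" },
          { "label": "IT", "value": "IT" },
          { "label": "SSI", "value": "SSI" }
        ]
      }
    }
  },
  "visualizations": {
    "viz_vuln": {
      "type": "splunk.line",
      "title": "nbvuln per team",
      "dataSources": { "primary": "ds_vuln" }
    }
  },
  "layout": {
    "type": "grid",
    "globalInputs": ["input_teaminfra"],
    "structure": [
      { "item": "viz_vuln", "type": "block", "position": { "x": 0, "y": 0, "w": 1200, "h": 400 } }
    ]
  }
}
```

With the |s filter the selected value reaches the search wrapped in quotes, and the default * still acts as a wildcard that matches every team. The second dashboard's data source can reuse the same token by adding the same search clause.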
