Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I have a drop-down box to select a value to populate a search on my dashboard, but why are no statistics being shown?

SecureIA
Path Finder
‎01-12-2016 02:24 AM

Hi helpful people,

I have an interactive dashboard which can search different time scales and drilldown on users. Next, I wish to drilldown on two different locations; more specifically, two different gateways. My current search string is below:

host=CATSG14 "Failed login" GATEWAY="*" AND "Failed login" | stats count by USER_IDv3 | sort - count | search USER_IDv3="$USER_IDv3$" GATEWAY="$GATEWAY$"

My idea is to have a drop-down box which lists the gateways and from this, I can sort. The problem I'm getting at the moment is that no Statistics are being shown. Only when I delete the GATEWAY="$GATEWAY$" from the string, do stats finally appear. Where I am I going wrong?

Any help would be massively appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-12-2016 02:35 AM

It's because you don't have field GATEWAY in your stats function.

Instead of doing the filter, try putting it in the main search itself like 

host=CATSG14 "Failed login" GATEWAY="$GATEWAY$" AND "Failed login"  AND USER_IDv3="$USER_IDv3$"| stats count by USER_IDv3
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution

alemarzu
Motivator
‎01-12-2016 05:03 AM

Hi mate, code wasn't tested but try this.

EDIT: Made some changes.

<form>
   <label>YourLabel</label>
   <fieldset submitButton="false">
     <input type="time" token="time1" searchWhenChanged="true">
       <label>Select Time</label>
       <default>
         <earliest>-7d@h</earliest>
         <latest>now</latest>
       </default>
     </input>
     <input type="dropdown" token="gateway" searchWhenChanged="true">
       <default>*</default>
       <label>Select gateway</label>
       <populatingSearch fieldForValue="GATEWAY" fieldForLabel="GATEWAY" earliest="$time1.earliest$" latest="$time1.latest$">
         <![CDATA[host=CATSG14 "Failed login" GATEWAY="*" | dedup GATEWAY | table GATEWAY ]]>
       </populatingSearch>
     </input>
     <input type="text" token="userid" searchWhenChanged="true">
       <default>*</default>
       <label>Select UserID</label>
       <populatingSearch fieldForValue="USER_IDv3" fieldForLabel="USER_IDv3" earliest="$time1.earliest$" latest="$time1.latest$">
         <![CDATA[host=CATSG14 "Failed login" GATEWAY=$gateway$ USER_IDv3="*" | dedup USER_IDv3 | table USER_IDv3 ]]>
       </populatingSearch>
     </input>
   </fieldset>
   <row>
     <panel>
         <title>example</title>
         <search>
           <query>host=CATSG14 "Failed login" GATEWAY=$gateway$ USER_IDv3=$userid$| stats count by USER_IDv3 | sort - count</query>
           <earliest>$time1.earliest$</earliest>
           <latest>$time1.latest$</latest>
         </search>
          <form>
   <label>YourLabel</label>
   <fieldset submitButton="false">
     <input type="time" token="time1" searchWhenChanged="true">
       <label>Select Time</label>
       <default>
         <earliest>-7d@h</earliest>
         <latest>now</latest>
       </default>
     </input>
     <input type="dropdown" token="gateway" searchWhenChanged="true">
       <default>*</default>
       <label>Select gateway</label>
       <populatingSearch fieldForValue="GATEWAY" fieldForLabel="GATEWAY" earliest="$time1.earliest$" latest="$time1.latest$">
         <![CDATA[host=CATSG14 "Failed login" GATEWAY="*" | dedup GATEWAY | table GATEWAY ]]>
       </populatingSearch>
     </input>
     <input type="text" token="userid" searchWhenChanged="true">
       <default>*</default>
       <label>Select UserID</label>
       <populatingSearch fieldForValue="USER_IDv3" fieldForLabel="USER_IDv3" earliest="$time1.earliest$" latest="$time1.latest$">
         <![CDATA[host=CATSG14 "Failed login" GATEWAY=$gateway$ USER_IDv3="*" | dedup USER_IDv3 | table USER_IDv3 ]]>
       </populatingSearch>
     </input>
   </fieldset>
   <row>
     <panel>
         <title>example</title>
         <search>
           <query>host=CATSG14 "Failed login" GATEWAY=$gateway$ USER_IDv3=$userid$| stats count by USER_IDv3 | sort - count</query>
           <earliest>$time1.earliest$</earliest>
           <latest>$time1.latest$</latest>
         </search>
       <!-- YOUR OPTION ATTRIBUTES
         <option name="charting.drilldown">all</option>
        -->
     </panel>
   </row>
</form>
0 Karma
Reply
Solved! Jump to solution

SecureIA
Path Finder
‎01-12-2016 08:19 AM

Cheers for replying, it doesn't seem to work I'm afraid.

0 Karma
Reply
Solved! Jump to solution

alemarzu
Motivator
‎01-12-2016 09:58 AM

Made some changes, check it out.

0 Karma
Reply
Solved! Jump to solution

SecureIA
Path Finder
‎01-13-2016 12:39 AM

Thank you so much 🙂 I managed to get it to work. All the best!!

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-12-2016 02:35 AM

It's because you don't have field GATEWAY in your stats function.

Instead of doing the filter, try putting it in the main search itself like 

host=CATSG14 "Failed login" GATEWAY="$GATEWAY$" AND "Failed login"  AND USER_IDv3="$USER_IDv3$"| stats count by USER_IDv3
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

SecureIA
Path Finder
‎01-12-2016 05:11 AM

Sure,

Gateway Activity Clone
Dashboard showing activity on ARCA gateways

<input type="time" token="field1" searchWhenChanged="true">
  <label>Time</label>
  <default>
    <earliest>@d</earliest>
    <latest>now</latest>
  </default>
</input>
<input type="text" token="USER_IDv3" searchWhenChanged="true">
  <label>User Search</label>
  <default>*</default>
  <prefix>*</prefix>
  <suffix>*</suffix>
</input>
<input type="dropdown" token="GATEWAY" searchWhenChanged="true">
  <label>Gateway Search</label>
  <default>*</default>
  <prefix>*</prefix>
  <suffix>*</suffix>
  <choice value="*">Overall</choice>
  <choice value="RLIGWAUTH">RLI</choice>
  <choice value="INTGWAUTH">Internet</choice>
  <valuePrefix>*</valuePrefix>
  <valueSuffix>*</valueSuffix>
</input>
0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎01-12-2016 06:00 PM

Could you please use a text for user and gateway and run the below search in search window

 host=CATSG14 "Failed login" GATEWAY="<your gateway value>" AND "Failed login"  AND USER_IDv3="<your user value>"| stats count by USER_IDv3

and make sure that you are getting some value.

Then use the below search in your dashboard and input the same values for user and gateway.

 host=CATSG14 "Failed login" GATEWAY="$GATEWAY$" USER_IDv3="$USER_IDv3$"| stats count by USER_IDv3
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

SecureIA
Path Finder
‎01-13-2016 12:37 AM

Absolutely bang on mate!! Thank you so much!! Cheers!! 🙂

0 Karma
Reply
Solved! Jump to solution

SecureIA
Path Finder
‎01-12-2016 04:35 AM

Thanks for your reply, I've tried this and still nothing. When I put GATEWAY in the stats, it looks promising but then asks for numeric data.

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎01-12-2016 05:07 AM

Do you mind showing your XML snippet. If the tokens are substituted correctly, the below should work

host=CATSG14 "Failed login" GATEWAY="$GATEWAY$" USER_IDv3="$USER_IDv3$"

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...