I have a drop-down box to select a value to populate a search on my dashboard, but why are no statistics being shown?

Path Finder

Hi helpful people,

I have an interactive dashboard which can search different time scales and drilldown on users. Next, I wish to drilldown on two different locations; more specifically, two different gateways. My current search string is below:

host=CATSG14 "Failed login" GATEWAY="*" AND "Failed login" | stats count by USER_IDv3 | sort - count | search USER_IDv3="$USER_IDv3$" GATEWAY="$GATEWAY$"

My idea is to have a drop-down box which lists the gateways and from this, I can sort. The problem I'm getting at the moment is that no Statistics are being shown. Only when I delete the GATEWAY="$GATEWAY$" from the string, do stats finally appear. Where am I going wrong?

Any help would be massively appreciated.

0 Karma

Re: I have a drop-down box to select a value to populate a search on my dashboard, but why are no statistics being shown?

SplunkTrust

It's because you don't have field GATEWAY in your stats function.

Instead of doing the filter, try putting it in the main search itself like

host=CATSG14 "Failed login" GATEWAY="$GATEWAY$" AND "Failed login"  AND USER_IDv3="$USER_IDv3$"| stats count by USER_IDv3 

0 Karma
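
The behaviour the reply above describes, as an added example that is not part of the thread: a small Python model of the two search shapes run over constructed failed-login events. The helper names and the event values are assumptions made for illustration; only the field names and the host come from the posts.

```python
import re
from collections import Counter

# Constructed sample events (all "Failed login"); only the field names and
# the host value come from the thread, the users and counts are invented.
EVENTS = [
    {"host": "CATSG14", "USER_IDv3": "alice", "GATEWAY": "RLIGWAUTH"},
    {"host": "CATSG14", "USER_IDv3": "bob", "GATEWAY": "INTGWAUTH"},
    {"host": "CATSG14", "USER_IDv3": "alice", "GATEWAY": "RLIGWAUTH"},
    {"host": "CATSG14", "USER_IDv3": "carol", "GATEWAY": "RLIGWAUTH"},
    {"host": "CATSG14", "USER_IDv3": "alice", "GATEWAY": "INTGWAUTH"},
]

def matches(value, pattern):
    """field="pattern" comparison: '*' is the only wildcard, case-insensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, str(value), re.IGNORECASE) is not None

def search(rows, **filters):
    """Keep rows where every named field exists and matches its pattern.
    A row without the field never matches, not even against "*"."""
    return [r for r in rows
            if all(f in r and matches(r[f], p) for f, p in filters.items())]

def stats_count_by(rows, field):
    """Model of `stats count by <field> | sort - count`: the output rows
    carry only <field> and count; every other field is gone."""
    counts = Counter(r[field] for r in rows if field in r)
    return [{field: k, "count": n} for k, n in counts.most_common()]

def filter_after_stats(events, user, gateway):
    # Shape from the question: ... | stats count by USER_IDv3 | search USER_IDv3=.. GATEWAY=..
    rows = stats_count_by(search(events, host="CATSG14", GATEWAY="*"), "USER_IDv3")
    return search(rows, USER_IDv3=user, GATEWAY=gateway)

def filter_before_stats(events, user, gateway):
    # Shape from the reply: both token filters sit in the base search.
    rows = search(events, host="CATSG14", GATEWAY=gateway, USER_IDv3=user)
    return stats_count_by(rows, "USER_IDv3")

if __name__ == "__main__":
    print(filter_after_stats(EVENTS, "*", "*RLIGWAUTH*"))
    print(filter_before_stats(EVENTS, "*", "*RLIGWAUTH*"))
```

The post-stats filter returns nothing even for GATEWAY="*", because the rows leaving stats no longer have a GATEWAY field to compare against.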

Re: I have a drop-down box to select a value to populate a search on my dashboard, but why are no statistics being shown?

Path Finder

Thanks for your reply, I've tried this and still nothing. When I put GATEWAY in the stats, it looks promising but then asks for numeric data.

0 Karma

Re: I have a drop-down box to select a value to populate a search on my dashboard, but why are no statistics being shown?

SplunkTrust

Do you mind showing your XML snippet? If the tokens are substituted correctly, the below should work

host=CATSG14 "Failed login" GATEWAY="$GATEWAY$" USER_IDv3="$USER_IDv3$"

0 Karma

Re: I have a drop-down box to select a value to populate a search on my dashboard, but why are no statistics being shown?

Path Finder

Sure,

Gateway Activity Clone
Dashboard showing activity on ARCA gateways

<input type="time" token="field1" searchWhenChanged="true">
  <label>Time</label>
  <default>
    <earliest>@d</earliest>
    <latest>now</latest>
  </default>
</input>
<input type="text" token="USER_IDv3" searchWhenChanged="true">
  <label>User Search</label>
  <default>*</default>
  <prefix>*</prefix>
  <suffix>*</suffix>
</input>
<input type="dropdown" token="GATEWAY" searchWhenChanged="true">
  <label>Gateway Search</label>
  <default>*</default>
  <prefix>*</prefix>
  <suffix>*</suffix>
  <choice value="*">Overall</choice>
  <choice value="RLIGWAUTH">RLI</choice>
  <choice value="INTGWAUTH">Internet</choice>
  <valuePrefix>*</valuePrefix>
  <valueSuffix>*</valueSuffix>
</input>
0 Karma

Re: I have a drop-down box to select a value to populate a search on my dashboard, but why are no statistics being shown?

SplunkTrust

Could you please use a text for user and gateway and run the below search in search window

 host=CATSG14 "Failed login" GATEWAY="<your gateway value>" AND "Failed login"  AND USER_IDv3="<your user value>"| stats count by USER_IDv3

and make sure that you are getting some value.

Then use the below search in your dashboard and input the same values for user and gateway.

 host=CATSG14 "Failed login" GATEWAY="$GATEWAY$" USER_IDv3="$USER_IDv3$"| stats count by USER_IDv3 

Re: I have a drop-down box to select a value to populate a search on my dashboard, but why are no statistics being shown?

Path Finder

Absolutely bang on mate!! Thank you so much!! Cheers!! 🙂

0 Karma

Re: I have a drop-down box to select a value to populate a search on my dashboard, but why are no statistics being shown?

Motivator

Hi mate, code wasn't tested but try this.

EDIT: Made some changes.

<form>
   <label>YourLabel</label>
   <fieldset submitButton="false">
     <input type="time" token="time1" searchWhenChanged="true">
       <label>Select Time</label>
       <default>
         <earliest>-7d@h</earliest>
         <latest>now</latest>
       </default>
     </input>
     <input type="dropdown" token="gateway" searchWhenChanged="true">
       <default>*</default>
       <label>Select gateway</label>
       <populatingSearch fieldForValue="GATEWAY" fieldForLabel="GATEWAY" earliest="$time1.earliest$" latest="$time1.latest$">
         <![CDATA[host=CATSG14 "Failed login" GATEWAY="*" | dedup GATEWAY | table GATEWAY ]]>
       </populatingSearch>
     </input>
     <input type="text" token="userid" searchWhenChanged="true">
       <default>*</default>
       <label>Select UserID</label>
       <populatingSearch fieldForValue="USER_IDv3" fieldForLabel="USER_IDv3" earliest="$time1.earliest$" latest="$time1.latest$">
         <![CDATA[host=CATSG14 "Failed login" GATEWAY=$gateway$ USER_IDv3="*" | dedup USER_IDv3 | table USER_IDv3 ]]>
       </populatingSearch>
     </input>
   </fieldset>
   <row>
     <panel>
         <title>example</title>
         <search>
           <query>host=CATSG14 "Failed login" GATEWAY=$gateway$ USER_IDv3=$userid$| stats count by USER_IDv3 | sort - count</query>
           <earliest>$time1.earliest$</earliest>
           <latest>$time1.latest$</latest>
         </search>
       <!-- YOUR OPTION ATTRIBUTES
         <option name="charting.drilldown">all</option>
        -->
     </panel>
   </row>
</form>
0 Karma

Re: I have a drop-down box to select a value to populate a search on my dashboard, but why are no statistics being shown?

Path Finder

Cheers for replying, it doesn't seem to work I'm afraid.

0 Karma

Re: I have a drop-down box to select a value to populate a search on my dashboard, but why are no statistics being shown?

Motivator

Made some changes, check it out.

0 Karma