Dashboards & Visualizations

Inputs panel for custom dashboard basd on win Infra

tdubicz
Engager

Hi Folks,

I have a problem with an ipnuts panel on a dash.

If I run the spl in the search I get the needed list.
If I'm copy/pasting it into my dynamic inputs dashboard panel' search, I get back nothing:

  <label>Domain</label>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>src_nt_domain="</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <delimiter> OR </delimiter>
  <fieldForLabel>domain</fieldForLabel>
  <fieldForValue>domain</fieldForValue>
  <search>
    <query>index=* (eventtype=msad-failed-user-logons OR eventtype=msad-account-lockout) | fields dest_nt_domain | dedup dest_nt_domain | table dest_nt_domain</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
</input>

So I have the win-infra role and all of the permissions. The custom dash' home is the search app, and the I am the owner.

I already tried to create a report and the result was the same.

Can anyone help me to make my multiselect inputs panel work?

Thanks in advance!

0 Karma
1 Solution

maciep
Champion

you're using "domain" as the field for the label and value in your dropdown, but your search only returns a dest_nt_domain. So use that field instead.

   <label>Domain</label>
   <prefix>(</prefix>
   <suffix>)</suffix>
   <valuePrefix>src_nt_domain="</valuePrefix>
   <valueSuffix>"</valueSuffix>
   <delimiter> OR </delimiter>
  <fieldForLabel>dest_nt_domain</fieldForLabel> <!-- Here -->
   <fieldForValue>dest_nt_domain</fieldForValue> <!-- And Here -->
   <search>
     <query>index=* (eventtype=msad-failed-user-logons OR eventtype=msad-account-lockout) | fields dest_nt_domain | dedup dest_nt_domain | table dest_nt_domain</query>
     <earliest>-24h@h</earliest>
     <latest>now</latest>
   </search>
 </input>

View solution in original post

0 Karma

maciep
Champion

you're using "domain" as the field for the label and value in your dropdown, but your search only returns a dest_nt_domain. So use that field instead.

   <label>Domain</label>
   <prefix>(</prefix>
   <suffix>)</suffix>
   <valuePrefix>src_nt_domain="</valuePrefix>
   <valueSuffix>"</valueSuffix>
   <delimiter> OR </delimiter>
  <fieldForLabel>dest_nt_domain</fieldForLabel> <!-- Here -->
   <fieldForValue>dest_nt_domain</fieldForValue> <!-- And Here -->
   <search>
     <query>index=* (eventtype=msad-failed-user-logons OR eventtype=msad-account-lockout) | fields dest_nt_domain | dedup dest_nt_domain | table dest_nt_domain</query>
     <earliest>-24h@h</earliest>
     <latest>now</latest>
   </search>
 </input>
0 Karma

tdubicz
Engager

I'm so blind! Thank You very much!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...