Inputs panel for custom dashboard based on win Infra

tdubicz
Engager

Hi Folks,

I have a problem with an inputs panel on a dash.

If I run the SPL in the search I get the needed list.
If I copy/paste it into my dynamic inputs dashboard panel's search, I get back nothing:

  <label>Domain</label>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>src_nt_domain="</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <delimiter> OR </delimiter>
  <fieldForLabel>domain</fieldForLabel>
  <fieldForValue>domain</fieldForValue>
  <search>
    <query>index=* (eventtype=msad-failed-user-logons OR eventtype=msad-account-lockout) | fields dest_nt_domain | dedup dest_nt_domain | table dest_nt_domain</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
</input>

So I have the win-infra role and all of the permissions. The custom dash's home is the search app, and I am the owner.

I already tried to create a report and the result was the same.

Can anyone help me to make my multiselect inputs panel work?

Thanks in advance!

0 Karma
1 Solution

maciep
Champion

You're using "domain" as the field for the label and value in your dropdown, but your search only returns a dest_nt_domain. So use that field instead.

   <label>Domain</label>
   <prefix>(</prefix>
   <suffix>)</suffix>
   <valuePrefix>src_nt_domain="</valuePrefix>
   <valueSuffix>"</valueSuffix>
   <delimiter> OR </delimiter>
   <fieldForLabel>dest_nt_domain</fieldForLabel> <!-- Here -->
   <fieldForValue>dest_nt_domain</fieldForValue> <!-- And Here -->
   <search>
     <query>index=* (eventtype=msad-failed-user-logons OR eventtype=msad-account-lockout) | fields dest_nt_domain | dedup dest_nt_domain | table dest_nt_domain</query>
     <earliest>-24h@h</earliest>
     <latest>now</latest>
   </search>
 </input>


0 Karma
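
A small lint for the mismatch the answer identifies, as an added example (not code from the original posts or from Splunk): it parses Simple XML and flags any input whose `fieldForLabel` or `fieldForValue` is not among the fields named by the last `table` or `fields` command of its populating search. The `<form>`/`<fieldset>` wrapper, the `type` and token names, and the heuristic for reading the SPL are assumptions made for the demo.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the question's input first, the answer's fix second.
# Wrapper elements, type and token names are assumptions, not from the thread.
QUERY = ("index=* (eventtype=msad-failed-user-logons OR eventtype=msad-account-lockout) "
         "| fields dest_nt_domain | dedup dest_nt_domain | table dest_nt_domain")
SAMPLE = f"""
<form><fieldset>
  <input type="multiselect" token="broken_tok">
    <fieldForLabel>domain</fieldForLabel>
    <fieldForValue>domain</fieldForValue>
    <search><query>{QUERY}</query></search>
  </input>
  <input type="multiselect" token="fixed_tok">
    <fieldForLabel>dest_nt_domain</fieldForLabel>
    <fieldForValue>dest_nt_domain</fieldForValue>
    <search><query>{QUERY}</query></search>
  </input>
</fieldset></form>
"""

def returned_fields(query):
    """Fields named by the last `table`/`fields` command, or None if unknown.

    Heuristic only: splits on '|' (so quoted pipes and subsearches are not
    handled) and ignores `fields - x`, which removes fields instead of keeping them.
    """
    for stage in reversed([s.strip() for s in query.split("|")]):
        m = re.match(r"(?:table|fields)\s+\+?\s*(?!-)(.+)", stage)
        if m:
            return set(re.split(r"[,\s]+", m.group(1).strip()))
    return None

def check_inputs(dashboard_xml):
    """Return (token, element, field) for each label/value field the search does not return."""
    problems = []
    for inp in ET.fromstring(dashboard_xml).iter("input"):
        query = inp.findtext("search/query")
        fields = returned_fields(query) if query else None
        if fields is None:
            continue  # static choices, or output fields could not be determined
        for tag in ("fieldForLabel", "fieldForValue"):
            name = (inp.findtext(tag) or "").strip()
            if name and name not in fields:
                problems.append((inp.get("token"), tag, name))
    return problems

if __name__ == "__main__":
    for token, tag, name in check_inputs(SAMPLE):
        print(f"input {token}: <{tag}> '{name}' is not returned by the populating search")
```

An input that fails this check populates with no choices, which is the "I get back nothing" symptom from the question.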

tdubicz
Engager

I'm so blind! Thank you very much!

0 Karma