Dashboards & Visualizations

Inputs panel for custom dashboard basd on win Infra

tdubicz
Engager

Hi Folks,

I have a problem with an ipnuts panel on a dash.

If I run the spl in the search I get the needed list.
If I'm copy/pasting it into my dynamic inputs dashboard panel' search, I get back nothing:

  <label>Domain</label>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>src_nt_domain="</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <delimiter> OR </delimiter>
  <fieldForLabel>domain</fieldForLabel>
  <fieldForValue>domain</fieldForValue>
  <search>
    <query>index=* (eventtype=msad-failed-user-logons OR eventtype=msad-account-lockout) | fields dest_nt_domain | dedup dest_nt_domain | table dest_nt_domain</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
</input>

So I have the win-infra role and all of the permissions. The custom dash' home is the search app, and the I am the owner.

I already tried to create a report and the result was the same.

Can anyone help me to make my multiselect inputs panel work?

Thanks in advance!

0 Karma
1 Solution

maciep
Champion

you're using "domain" as the field for the label and value in your dropdown, but your search only returns a dest_nt_domain. So use that field instead.

   <label>Domain</label>
   <prefix>(</prefix>
   <suffix>)</suffix>
   <valuePrefix>src_nt_domain="</valuePrefix>
   <valueSuffix>"</valueSuffix>
   <delimiter> OR </delimiter>
  <fieldForLabel>dest_nt_domain</fieldForLabel> <!-- Here -->
   <fieldForValue>dest_nt_domain</fieldForValue> <!-- And Here -->
   <search>
     <query>index=* (eventtype=msad-failed-user-logons OR eventtype=msad-account-lockout) | fields dest_nt_domain | dedup dest_nt_domain | table dest_nt_domain</query>
     <earliest>-24h@h</earliest>
     <latest>now</latest>
   </search>
 </input>

View solution in original post

0 Karma

maciep
Champion

you're using "domain" as the field for the label and value in your dropdown, but your search only returns a dest_nt_domain. So use that field instead.

   <label>Domain</label>
   <prefix>(</prefix>
   <suffix>)</suffix>
   <valuePrefix>src_nt_domain="</valuePrefix>
   <valueSuffix>"</valueSuffix>
   <delimiter> OR </delimiter>
  <fieldForLabel>dest_nt_domain</fieldForLabel> <!-- Here -->
   <fieldForValue>dest_nt_domain</fieldForValue> <!-- And Here -->
   <search>
     <query>index=* (eventtype=msad-failed-user-logons OR eventtype=msad-account-lockout) | fields dest_nt_domain | dedup dest_nt_domain | table dest_nt_domain</query>
     <earliest>-24h@h</earliest>
     <latest>now</latest>
   </search>
 </input>
0 Karma

tdubicz
Engager

I'm so blind! Thank You very much!

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...