
Paginator and Drill down search results are not working

ssingh5
Path Finder

In the following code the Paginator and the drill-down search results are not working. Please help me find the error in this code.


[The question's view XML lost its tags in extraction; only the element text survived, in document order:]

<!-- Splunk Chrome -->
*
True
1
dashboard
<!-- CODE -->
<b>Note: The search text box cannot be left empty; please include "*" instead of a null value.</b>
<b>Note: The Drill Down option is only effected on User Names.</b>
True
Last 15 minutes
<!-- START text boxes and intentions for the form -->
bun
Account Name
*
tag="authentication" NOT (action=success) | search user=$bun$ | fillnull value=unknown action,app,src,src_user,dest,user | search action="failure" | convert timeformat="%Y %m %d %H:%M:%S" ctime(_time) | table _time user action Failure_Reason src eventtype | rename _time AS Time, user AS User, action AS Access, src AS Source_Machine, eventtype AS Logs_From
<!-- END text boxes for the form -->
results
Search: $search$ -- Count: $count$
events
False
all
results
True
index=activedirectory_security sourcetype=wineventlog:security eventtype=windows_account_lockout Account_Name=$bun$ | search user=$bun$ | search signature = "A user account was locked out" OR "A user account was unlocked" | search $click.name2$="$click.value2$"
results
Search: $search$ -- Count: $count$
events
False
50
False
events


sideview
SplunkTrust

The main problem I think is that you had a Paginator configured to page through 'events', and it was driving a SimpleResultsTable that was told to page through 'results'.

There's a subtle difference in the Splunk search API between the underlying events and the final results. For example when you run a timechart over the last 4 hours, and you tell it to bucket by hours, there will only be 4 or 5 "results" -- one per time bucket. However the 'events' are still there and there can of course be any number of events behind those 4 or 5 "results".


update - There's another big problem, in that you're using $click.name2$="$click.value2$", and drilldown of "all" on the table. However you're renaming all of those fields up there, so when you use the renamed field names, they won't work in your drilldown search.... That needs to be rethought. Also I recommend not using drilldown of "all", but rather drilldown of "row", and just explicitly wire whatever field name(s) you want to use in the drilldown, with someField="$click.fields.someField$". click.name2 and click.value2 are not going to be of much use and since you're using Sideview Utils you're free to reference any field value(s) with $click.fields.someFieldName$.


There were a number of other things in this view making it hard to read so I went ahead and cleaned it up for you.

Exactly what I did is below the XML.

<view template="dashboard.html" issticky="False" stylesheet="bechtel_forms.css">
  <label>Failed Login Source Search Form</label>
  <module name="SideviewUtils" layoutPanel="appHeader"/>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">True</param>
    <param name="maxSize">1</param>
  </module>
  <module name="TitleBar" layoutPanel="viewHeader">
    <param name="actionsMenuFilter">dashboard</param>
  </module>

  <module name="HTML" layoutPanel="panel_row1_col1">  
    <param name="html"><![CDATA[
      <b>Note: The Drill Down option is only effected on User Names.</b>
    ]]></param>
  </module>

  <module name="TimeRangePicker" layoutPanel="panel_row1_col1">
    <param name="searchWhenChanged">True</param>
    <param name="default">Last 15 minutes</param>

    <module name="TextField">
      <param name="name">user</param>
      <param name="label">Account Name</param>
      <param name="default">*</param>
      <param name="template">$name$="$value$"</param>

      <module name="Search">
        <param name="search"> tag="authentication" NOT (action=success) $user$ | fillnull value=unknown action,app,src,src_user,dest,user | search action="failure" | convert timeformat="%Y %m %d %H:%M:%S" ctime(_time) | table _time user action Failure_Reason src eventtype | rename _time AS Time, user AS User, action AS Access, src AS Source_Machine, eventtype AS Logs_From </param>

        <module name="JobProgressIndicator"></module>

        <module name="SimpleResultsHeader">
          <param name="entityName">results</param>
          <param name="headerFormat">Search: $search$ -- Count: $count$</param>
        </module>

        <module name="Pager">

          <module name="SimpleResultsTable">
            <param name="displayRowNumbers">False</param>
            <param name="drilldown">all</param>
            <param name="entityName">results</param>

            <!-- you were using the argument twice in two different ways. 
            user="foo" and Account_Name="foo".  If you needed both email me and 
            I can help get it back -->
            <module name="Search">
              <param name="search">index=activedirectory_security sourcetype=wineventlog:security eventtype=windows_account_lockout $user$ | search signature = "A user account was locked out" OR "A user account was unlocked" | search $click.name2$="$click.value2$"</param>                          
              <module name="SimpleResultsHeader">
                <param name="entityName">results</param>
                <param name="headerFormat">Search: $search$ -- Count: $count$</param>
              </module>

              <module name="Pager">
                <param name="entityName">events</param>

                <module name="EventsViewer">
                  <param name="scrollerEnable">False</param>
                  <param name="maxLines">50</param>
                  <param name="displayRowNumbers">False</param>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</view>

autoRun="false" -- does nothing except confuse people so I removed it.

Your problem with the "you can't leave this field blank" is generally resolved by using the "template" param on the TextField. So I've gone ahead and done that. When the field is blank the entire search term disappears now, including the "user=" part.

However in one place you were using the value both as user="foo" and as Account_Name="foo". Since this was happening in a single search, possibly it was redundant. On the hope of it being redundant I removed it. If however you need both permutations in there as searchterms it can be done with ValueSetter and let me know and I can help.

JobProgressIndicator and SimpleResultsHeader don't need to 'contain' any modules so I de-indented everything that was inside those.

I changed your uses of Paginator to the Sideview Pager module, because it has more sensible defaults, and because it will work in cases where postprocess searches are involved (Paginator will fail in those cases).

NOTE -- You will probably be happier if you use the HTML module instead of SimpleResultsHeader.

NOTE -- if you're still using EventsViewer you might also want to look at the Sideview Events module.

Also, I've been finding that lots of people don't know there's a newer 2.1 version available from the Sideview site, so check that out if you're still on the old 1.3.X version from Splunkbase. http://sideviewapps.com/apps/sideview-utils



ssingh5
Path Finder

It is fixed now


sideview
SplunkTrust

That means that you are sending foo= to the parser, without anything on the right-hand-side (RHS). Besides retracing your steps a bit, my advice is to throw an HTML module in there to look at the keys you're using...
i.e., dump out

click.fields.someField=$click.fields.someField$<br>
click.fields.someOtherField=$click.fields.someOtherField$<br>

etc.

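Putting the two suggestions together, as an added example that is neither the poster's view nor sideview's cleaned-up XML: the table uses drilldown "row" and the lockout search is keyed on $click.fields.User$ (the column is "User" after the rename, so that is the key the click produces), and an HTML module inside the table dumps the click keys as the comment above suggests, which is the quickest way to spot an empty token before it reaches the parser as user= with no right-hand side. Pager and SimpleResultsTable are both given entityName "results" so they page through the same thing, which is the events-versus-results point from the accepted answer. Assumed and not from the thread: the stylesheet and the Message module are dropped, the index, sourcetype and eventtype values are simply copied from the question, the module names are the Sideview Utils and core Splunk advanced-XML names used in the answer, and the second signature term is written as signature="..." so both phrases are field comparisons rather than one field test and one free-text term.

```xml
<!-- Added example, not the poster's or the answerer's XML. Assumes Sideview
     Utils is installed and that "User" is the renamed column being clicked. -->
<view template="dashboard.html" issticky="False">
  <label>Failed Login Source Search Form (row drilldown example)</label>
  <module name="SideviewUtils" layoutPanel="appHeader"/>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="TitleBar" layoutPanel="viewHeader"/>

  <module name="TimeRangePicker" layoutPanel="panel_row1_col1">
    <param name="searchWhenChanged">True</param>
    <param name="default">Last 15 minutes</param>

    <module name="TextField">
      <param name="name">user</param>
      <param name="label">Account Name</param>
      <param name="default">*</param>
      <!-- with a template, an empty box drops the whole user="..." term,
           so a bare user= never reaches the search parser -->
      <param name="template">$name$="$value$"</param>

      <module name="Search">
        <param name="search">tag="authentication" NOT (action=success) $user$
          | fillnull value=unknown action,app,src,src_user,dest,user
          | search action="failure"
          | convert timeformat="%Y %m %d %H:%M:%S" ctime(_time)
          | table _time user action Failure_Reason src eventtype
          | rename _time AS Time, user AS User, action AS Access, src AS Source_Machine, eventtype AS Logs_From</param>

        <!-- Pager and the table it drives must page through the same entity -->
        <module name="Pager">
          <param name="entityName">results</param>

          <module name="SimpleResultsTable">
            <param name="entityName">results</param>
            <param name="displayRowNumbers">False</param>
            <!-- row drilldown: every cell of the clicked row is exposed as
                 $click.fields.ColumnName$ using the column names after rename -->
            <param name="drilldown">row</param>

            <!-- debugging aid: shows exactly which keys a click produced,
                 so an empty token is visible before the search runs -->
            <module name="HTML">
              <param name="html"><![CDATA[
                click.fields.User=$click.fields.User$<br>
                click.fields.Source_Machine=$click.fields.Source_Machine$<br>
              ]]></param>
            </module>

            <!-- the drilldown search filters the raw field "user" with the
                 value taken from the renamed column "User" -->
            <module name="Search">
              <param name="search">index=activedirectory_security sourcetype=wineventlog:security eventtype=windows_account_lockout user="$click.fields.User$"
                | search signature="A user account was locked out" OR signature="A user account was unlocked"</param>

              <module name="Pager">
                <param name="entityName">events</param>
                <module name="EventsViewer">
                  <param name="scrollerEnable">False</param>
                  <param name="maxLines">50</param>
                  <param name="displayRowNumbers">False</param>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</view>
```

If the lockout events carry the account in Account_Name rather than user, the only line that changes is the drilldown search, which would then read Account_Name="$click.fields.User$"; the HTML dump makes it obvious whether $click.fields.User$ is populated at all, which is what the "Missing RHS for comparison" error is complaining about.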

ssingh5
Path Finder

Hi, I am facing the following error while running the searches.

Error in 'UnifiedSearch': Unable to parse the 'Missing RHS for comparison' search.


sideview
SplunkTrust

I'm glad to be of help.


ssingh5
Path Finder

Thank you very much, the information provided is very useful and knowledgeable; during coding these little things make a huge improvement in the output.
