Dashboards & Visualizations

Splunk dashboard filter by user input with multiple value from user command field

elend
Communicator

Hello there, I'm creating a #Splunk Dashboards table that is used to monitor user commands, and I want to make it flexible and dynamic so the table can be viewed by user input.
For now I have already created this search string as a table that can apply filters by Find Command and Exclude Command, but it only accepts a single string as a filter.


index=os_linux sourcetype="bash_history"
| dedup timestamp
| fields _time process, dest, user_name
| search user_name=$user_name$ dest=$host_name$ process="$user_command$" NOT process="$exclude_command$"
| table _time user_name process dest
| rename dest as hostname, process as user_command
| sort -_time

Is it possible to make exclude_command accept multiple values with some separator? Or is another option recommended?


0 Karma

ITWhisperer
SplunkTrust

Depending on how you have set up your exclude_command token (which you haven't shared with us yet), you could try something like this

| search user_name=$user_name$ dest=$host_name$ process="$user_command$" NOT process IN $exclude_command$
0 Karma

elend
Communicator

Sorry for the lack of information, @ITWhisperer. Here's the full information for the dashboard:


<panel>
      <title>Logging Command History by User</title>
      <input type="text" token="drilldown_command" searchWhenChanged="true">
        <label>Find Command</label>
        <default>*</default>
      </input>
      <input type="text" token="exclude_command" searchWhenChanged="true">
        <label>Exclude Command</label>
        <default>NULL</default>
      </input>
      <table>
        <search>
          <query>index=unix_os sourcetype="bash_history"
| dedup timestamp 
| fields _time process, dest, user_name
| search user_name=$user_name$ dest=$host_name$ process="$user_command$" NOT process="$exclude_command$"
| table _time user_name process dest
| rename dest as hostname, process as user_command
| sort -_time</query>
          <earliest>$time_global.earliest$</earliest>
          <latest>$time_global.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>


0 Karma

ITWhisperer
SplunkTrust

| search user_name=$user_name$ dest=$host_name$ process="$user_command$" NOT process IN ($exclude_command$)

Note that your user will have to enter the terms as quoted strings delimited by commas e.g. "commandA","commandB"

0 Karma

elend
Communicator

With that option, the exclude input was ignored.
But with this change it can apply the exclude input with only one value:

| search user_name=$user_name$ dest=$host_name$ process="$user_command$" NOT process IN (*$exclude_command$*)

If I enter the search terms as quoted strings delimited by commas, e.g. "commandA","commandB", it gives no result:
[screenshots: quoted-exclude.jpeg, single-exclude.jpeg]

0 Karma

ITWhisperer
SplunkTrust

What is with the asterisks? Remove them and try again

0 Karma

elend
Communicator

If I remove the asterisks, the Exclude Command input ignores any input; even a single input is ignored, so it only shows the table from the Find Command.

0 Karma

ITWhisperer
SplunkTrust

Can you open the search (from the dashboard table) in a separate table and share the search being used?

0 Karma

elend
Communicator

Here's the output from your provided search query; it is ignoring the exclude input.
[screenshot: output.jpeg]

0 Karma

ITWhisperer
SplunkTrust

You need to split process up if you want to treat the parts of the command line as separate things. Try this

| eval parts=split(process," ")
| search user_name=$user_name$ dest=$host_name$ process="$user_command$" NOT parts IN ($exclude_command$)
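As an added example that is not from the thread, here is one way to wire this into the Simple XML panel so the user can type a plain comma-separated list (e.g. `sudo,rm`) instead of pre-quoted strings: a `<change>` handler rewrites the raw text into the quoted, comma-delimited form that `IN (...)` expects, and the query applies the `split` approach from the answer above. The token name `exclude_raw` and the regex used for trimming are assumptions; `index`, `sourcetype`, field names and the other tokens are taken from the dashboard shown earlier.

```xml
<panel>
  <title>Logging Command History by User</title>
  <input type="text" token="user_command" searchWhenChanged="true">
    <label>Find Command</label>
    <default>*</default>
  </input>
  <!-- exclude_raw is an assumed name for the text the user actually types -->
  <input type="text" token="exclude_raw" searchWhenChanged="true">
    <label>Exclude Command (comma-separated words)</label>
    <default>NULL</default>
    <change>
      <!-- turn  sudo, rm  into  "sudo","rm"  so it can be dropped into IN (...);
           the \s*,\s* pattern trims spaces around each comma -->
      <eval token="exclude_command">"\"" . replace($value$, "\s*,\s*", "\",\"") . "\""</eval>
    </change>
  </input>
  <table>
    <search>
      <query>index=unix_os sourcetype="bash_history"
| dedup timestamp
| fields _time process, dest, user_name
| eval parts=split(process," ")
| search user_name=$user_name$ dest=$host_name$ process="$user_command$" NOT parts IN ($exclude_command$)
| table _time user_name process dest
| rename dest as hostname, process as user_command
| sort -_time</query>
      <earliest>$time_global.earliest$</earliest>
      <latest>$time_global.latest$</latest>
    </search>
    <option name="count">10</option>
    <option name="drilldown">none</option>
  </table>
</panel>
```

With the default left as `NULL`, the generated token is the literal `"NULL"`, so no command is excluded until the user types something; a row is dropped as soon as any whitespace-separated part of `process` matches one of the listed words, which is the multivalue behaviour of `IN` that the `split` step relies on.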

elend
Communicator

*

0 Karma