Dashboards & Visualizations

Splunk dashboard filter by user input with multiple value from user command field

elend
Path Finder

Hello there, I'm creating a #Splunk Dashboards table that is used to monitor user commands, and I want to make it flexible and dynamic so the table can be viewed by user input.
For now I have already created this search string as a table that can apply a filter by Find Command and Exclude Command, but it only accepts a single string as a filter.


index=os_linux sourcetype="bash_history"
| dedup timestamp
| fields _time process, dest, user_name
| search user_name=$user_name$ dest=$host_name$ process="$user_command$" NOT process="$exclude_command$"
| table _time user_name process dest
| rename dest as hostname, process as user_command
| sort -_time

Is it possible to make the exclude_command accept multiple values with some separator? Or is there another option you would recommend?

0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

You need to split process up if you want to treat the parts of the command line as separate things. Try this

| eval parts=split(process," ")
| search user_name=$user_name$ dest=$host_name$ process="$user_command$" NOT parts IN ($exclude_command$)

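As an added example (not code from the thread), here is a small Python model of why comparing the exclude terms against the whole process field appeared to ignore the input, while the split() variant in the accepted answer works. The sample events and the simplified SPL matching rules (whole-value, case-insensitive compare, `*` as the only wildcard, a multivalue field matching when any value matches) are assumptions for illustration; the to_in_list helper goes beyond the thread by building the quoted "a","b" form with embedded quotes escaped.

```python
import re

# Constructed sample events: as on the dashboard, "process" holds the whole
# bash_history command line, not just the program name.
EVENTS = [
    {"user_name": "alice", "dest": "web01", "process": "sudo systemctl restart nginx"},
    {"user_name": "alice", "dest": "web01", "process": "ls -la /var/log"},
    {"user_name": "bob", "dest": "web01", "process": "rm -rf /tmp/build"},
    {"user_name": "bob", "dest": "web01", "process": "history"},
]

def term_matches(value, pattern):
    """Whole-value, case-insensitive match where '*' is the only wildcard,
    a simplified model of how `search field=value` compares a field to a term."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def exclude_whole_process(events, excludes):
    """NOT process IN ("a","b"): each term is compared with the FULL command
    line, so a plain 'rm' never matches 'rm -rf /tmp/build' and the exclude
    looks ignored; only a wildcard such as '*rm*' would hit."""
    return [e for e in events
            if not any(term_matches(e["process"], x) for x in excludes)]

def exclude_by_parts(events, excludes):
    """eval parts=split(process," ") | search ... NOT parts IN ("a","b"):
    the multivalue field matches when ANY whitespace-separated part matches,
    so 'rm' excludes every command line containing the word rm."""
    return [e for e in events
            if not any(term_matches(p, x)
                       for p in e["process"].split(" ") for x in excludes)]

def to_in_list(user_input):
    """Build the "a","b" form that IN() expects from a comma-separated text
    input such as 'rm, sudo'. Backslashes and double quotes inside a value
    are escaped so a value cannot terminate its own string literal."""
    items = [s.strip() for s in user_input.split(",") if s.strip()]
    return ",".join(
        '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"' for s in items)

if __name__ == "__main__":
    print(to_in_list("rm, sudo"))
    print([e["process"] for e in exclude_whole_process(EVENTS, ["rm", "sudo"])])
    print([e["process"] for e in exclude_by_parts(EVENTS, ["rm", "sudo"])])
```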

ITWhisperer
SplunkTrust
SplunkTrust

Depending on how you have set up your exclude_command token (which you haven't shared with us yet), you could try something like this

| search user_name=$user_name$ dest=$host_name$ process="$user_command$" NOT process IN $exclude_command$
0 Karma

elend
Path Finder

Sorry for the lack of information @ITWhisperer. Here's the full information for the dashboard:


<panel>
      <title>Logging Command History by User</title>
      <input type="text" token="drilldown_command" searchWhenChanged="true">
        <label>Find Command</label>
        <default>*</default>
      </input>
      <input type="text" token="exclude_command" searchWhenChanged="true">
        <label>Exclude Command</label>
        <default>NULL</default>
      </input>
      <table>
        <search>
          <query>index=unix_os sourcetype="bash_history"
| dedup timestamp 
| fields _time process, dest, user_name
| search user_name=$user_name$ dest=$host_name$ process="$user_command$" NOT process="$exclude_command$"
| table _time user_name process dest
| rename dest as hostname, process as user_command
| sort -_time</query>
          <earliest>$time_global.earliest$</earliest>
          <latest>$time_global.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>


0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| search user_name=$user_name$ dest=$host_name$ process="$user_command$" NOT process IN ($exclude_command$)

Note that your user will have to enter the terms as quoted strings delimited by commas e.g. "commandA","commandB"

0 Karma

elend
Path Finder

With that option, the exclude input was ignored.
But with this change it can apply the exclude input, although only for one value.

| search user_name=$user_name$ dest=$host_name$ process="$user_command$" NOT process IN (*$exclude_command$*)

If the search terms are entered as quoted strings delimited by commas, e.g. "commandA","commandB", it gives no result:
[screenshots: quoted-exclude.jpeg, single-exclude.jpeg]

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

What is with the asterisks? Remove them and try again

0 Karma

elend
Path Finder

If I remove the asterisk, the Exclude Command input ignores any input; even a single input is ignored, so it only shows the table from the find command.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Can you open the search (from the dashboard table) in a separate table and share the search being used?

0 Karma

elend
Path Finder

Here's the output from your provided search query; it ignores the exclude input.
[screenshot: output.jpeg]

0 Karma

elend
Path Finder

*

0 Karma