Dashboards & Visualizations

Using a result to aid in an ongoing search to display on a Dashboard

kisa
Explorer

Hi,

My main goal is to build a Dashboard/Form that accepts a user input of a filename. The Dashboard/Form then filters through the logs to display the movement of a file across numerous processes, displaying the filename and the processors name it goes through.

Doing the initial search by filename and displaying the logs retrieved (including the processor's name) is pretty straightforward (I did this using a Form to allow a user input).

The problem I'm having is that in some of the processes the file's name gets changed. The following steps outline what's happening and what I'd like displayed (the Splunk filtering steps/methods are only suggestive). The log lines show what would be displayed in the Dashboard/Form.

  • User inputs filename as "Filename1" and clicks search
  • Splunk searches logs and starts displaying results in order of date/time. E.g.:

30 July 2013 1100 Process1 filename=Filename1

  • Splunk checks log for new filename: "False"

30 July 2013 1101 Process2 filename=Filename1

  • Splunk checks log for new filename: "False"

30 July 2013 1102 Process3 filename=Filename1 newFilename=Filename2

  • Splunk checks log for new filename: "True"
  • Continue search with new filename and display logs relating to new filename

30 July 2013 1103 Process4 filename=Filename2

  • Splunk checks log for new filename: "False"

30 July 2013 1104 Process5 filename=Filename2 newFilename=Filename3

  • Splunk checks log for new filename: "True"
  • Continue search with new filename and display logs relating to new filename

30 July 2013 1105 Process6 filename=Filename3

Sorry if it seems a bit long-winded, that was the best way I could think of to explain it 🙂

Any help in how to construct such a Dashboard in either Simple or Advanced XML would be much appreciated.

I say this as it's looking like I will be required to become proficient in Splunk Dashboard creation and it was suggested that if I'm heading down that path that I should learn Advanced XML.
So I'm happy to hear any thoughts regarding that advice 🙂

Thanks and regards,

Mark

1 Solution

HiroshiSatoh
Champion

I tried to make a custom command because it could not be resolved with the search command.
It is a simple command that only supports data in the sample's format.


```csv
Date,Process,Filename,NewFilename
"2013/8/2 10:59",Process1,Filename0,
"2013/8/2 11:01",Process2,Filename1,
"2013/8/2 11:02",Process3,Filename1,Filename2
"2013/8/2 11:03",Process4,Filename2,
"2013/8/2 11:04",Process5,Filename2,Filename3
"2013/8/2 11:05",Process6,Filename3,
"2013/8/2 11:06",Process7,Filename4,
"2013/8/2 11:07",Process8,Filename5,
"2013/8/2 11:08",Process9,Filename6,
```


```
... | sort + _time | myselect filename="Filename1"
```


```ini
# commands.conf
[myselect]
filename = myselect.py
```


```python
import sys
import splunk.Intersplunk
from splunk.Intersplunk import getOrganizedResults, outputResults, getKeywordsAndOptions

# Read the events piped into the command; they must already be sorted by time
results, dummyresults, settings = getOrganizedResults()
args, keyValues = getKeywordsAndOptions()

# The starting filename is mandatory. Report it as a search error rather than
# printing to stdout, which would corrupt the result stream Splunk reads back.
if 'filename' not in keyValues:
    splunk.Intersplunk.generateErrorResults("Usage: | myselect filename=[filename]")
    sys.exit(0)

saveFilename = keyValues['filename']

newresults = []
for result in results:
    # Keep only the events for the filename currently being tracked
    if result.get('Filename') == saveFilename:
        newresults.append(result)
        # When the event records a rename, follow the new name from here on
        newFilename = result.get('NewFilename', '')
        if len(newFilename) > 0:
            saveFilename = newFilename
outputResults(newresults)
```

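The rename-following logic of the custom command above, rewritten as an added, stand-alone Python 3 example that is not part of HiroshiSatoh's answer: it parses the sample CSV from the post (embedded here as constructed data), sorts it by timestamp because the chain only works in time order, and walks the renames from a starting filename. The function names (`parse_rows`, `follow_file`, `process_path`) are assumptions for this example, and the comparison is an exact match so that "Filename1" never picks up "Filename10".

```python
import csv
import io
from datetime import datetime

# Constructed sample data, copied from the CSV in the answer above (not a real log)
SAMPLE_CSV = """Date,Process,Filename,NewFilename
"2013/8/2 10:59",Process1,Filename0,
"2013/8/2 11:01",Process2,Filename1,
"2013/8/2 11:02",Process3,Filename1,Filename2
"2013/8/2 11:03",Process4,Filename2,
"2013/8/2 11:04",Process5,Filename2,Filename3
"2013/8/2 11:05",Process6,Filename3,
"2013/8/2 11:06",Process7,Filename4,
"2013/8/2 11:07",Process8,Filename5,
"2013/8/2 11:08",Process9,Filename6,
"""


def parse_rows(text):
    """Parse the CSV into dicts and sort them oldest first.

    The rename chain depends on time order, so this sort plays the role of
    the `sort + _time` stage in the Splunk search.
    """
    rows = list(csv.DictReader(io.StringIO(text)))
    rows.sort(key=lambda r: datetime.strptime(r["Date"], "%Y/%m/%d %H:%M"))
    return rows


def follow_file(rows, filename):
    """Return the time-ordered rows that belong to one file, following renames.

    A row is kept when its Filename equals the name currently being tracked.
    When that row also carries a non-empty NewFilename, tracking switches to
    the new name for every later row. Rows for the old name that appear after
    the rename are deliberately ignored: they belong to a different file.
    """
    current = filename
    matched = []
    for row in rows:
        if row.get("Filename") != current:  # exact match, never substring
            continue
        matched.append(row)
        new_name = (row.get("NewFilename") or "").strip()
        if new_name:
            current = new_name
    return matched


def process_path(rows, filename):
    """Convenience view for a dashboard table: (process, filename) hops."""
    return [(r["Process"], r["Filename"]) for r in follow_file(rows, filename)]


if __name__ == "__main__":
    data = parse_rows(SAMPLE_CSV)
    for proc, name in process_path(data, "Filename1"):
        print(proc, name)
```

Run against the sample, `process_path(data, "Filename1")` yields Process2 through Process6 with the name changing to Filename2 and then Filename3, while Process7 to Process9 are excluded because their names were never reached through a rename.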

HiroshiSatoh
Champion

This is a sample of the dashboard. Please correct the search statement.

```xml
<?xml version='1.0' encoding='utf-8'?>
<form>
  <label>Myselect</label>
  <!-- $Filename$ is filled from the dropdown below and passed to the custom command -->
  <searchTemplate>
    source="Process.csv" | sort + _time | myselect filename=$Filename$
  </searchTemplate>

  <fieldset>
    <input type="dropdown" token="Filename">
      <label>Target Filename</label>
      <!-- list every distinct Filename value; the where clause excludes a literal "Filename" value (e.g. an indexed CSV header line) -->
      <populatingSearch fieldForValue="Filename" fieldForLabel="Filename">
        <![CDATA[source="Process.csv" | table Filename | dedup Filename | sort Filename | where Filename!="Filename"]]>
      </populatingSearch>
    </input>
  </fieldset>

  <!-- the results panel markup was not preserved; only the values "Time Recorder", "50" and "true" remain of it -->
</form>
```


kisa
Explorer

Sorry, I hadn't forgotten, I just hadn't had a chance to test it. I'll check it now, but I can't guarantee I won't ask more questions 🙂

0 Karma

HiroshiSatoh
Champion

Please give a check, at the top left, to the answer that resolved your question.

0 Karma

kisa
Explorer

Excellent, thank you again HiroshiSatoh.

0 Karma

kisa
Explorer

Thank you very much for your reply HiroshiSatoh. I've never used Python in Splunk before, so I'll need to work out how it's incorporated into a Dashboard.

But from my initial peruse over the code it does look promising :). I'll let you know how I go.

Thanks again.

0 Karma