Dashboards & Visualizations

help on dropdown list in a chart panel

jip31
Motivator

Hi,

I use the search below in a chart panel

`CPU` 
| fields process_cpu_used_percent host process_name 
| where process_cpu_used_percent>50 
| eval host=upper(host) 
| dedup host process_name 
| eval process_name=case(process_name like "mfev%", "mfev", process_name like "mcdatrep", "mcdatrep", process_name=="mcshield", "mcshield", process_name=="amupdate", "amupdate", process_name=="McScript_InUse","McScript_InUse", process_name=="macompatsvc", "macompatsvc", process_name=="FrameworkService","FrameworkService", process_name=="McScanCheck", "McScanCheck", process_name=="Sysmon", "Sysmon")
| stats count(host) as Total by process_name 
| sort -Total 

I have added a dropdown list in order to filter by process_name

    <input type="dropdown" token="tok_filterprocess" searchWhenChanged="true">
            <label>Filter by Process</label>
            <default>*</default>
            <initialValue>*</initialValue>
            <choice value="McAFEE">McAFEE</choice>
    </input>

All the services you can see in my search concern the "McAFEE" process.
Even if I have added process_name=$tok_filterprocess$ in my search, I don't know how to link all these services with the choice value "McAFEE".
Could you help me please?

0 Karma
1 Solution

ololdach
Builder

Hi,

The way I understand your challenge, you are trying to map a set of process_name values to a "group" named "McAFEE", such that when you select "McAFEE" in the dropdown, you only see those process_name values in your table that are associated with McAFEE.

If this is what you would like to do, the solution is a lookup table (process_group.csv) in a format like this:

process_name, process_group
"mcshield","McAFEE"
"amupdate","McAFEE"
...

Add the map to your search and select the matching fields:

 ...| dedup host process_name | lookup process_group.csv process_name | search process_group="$tok_filterprocess$" | ...

Hope it helps
Oliver


0 Karma
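Putting the pieces of this answer together as one Simple XML form (an added example, not code from the thread): the dropdown gets an explicit "All" choice so the default `*` shows every group, the chart search runs the lookup and filters on the token, and processes that have no row in the lookup are grouped as "other" via fillnull (my addition). The lookup file name and the "McAFEE" group value are the ones used above; the panel layout, chart type and time range are assumptions.

```xml
<form>
  <label>CPU by process group</label>
  <!-- process_group.csv, uploaded as a lookup table file (constructed sample):
       process_name,process_group
       mcshield,McAFEE
       amupdate,McAFEE
       McScript_InUse,McAFEE
       Sysmon,Sysinternals
  -->
  <fieldset submitButton="false">
    <input type="dropdown" token="tok_filterprocess" searchWhenChanged="true">
      <label>Filter by Process</label>
      <!-- an explicit "*" choice makes the default visible as "All" -->
      <choice value="*">All</choice>
      <choice value="McAFEE">McAFEE</choice>
      <choice value="other">other (not in lookup)</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <!-- the token is quoted, so a group value containing spaces still filters correctly -->
          <query>`CPU`
| fields process_cpu_used_percent host process_name
| where process_cpu_used_percent>50
| eval host=upper(host)
| dedup host process_name
| lookup process_group.csv process_name OUTPUT process_group
| fillnull value="other" process_group
| search process_group="$tok_filterprocess$"
| stats count(host) as Total by process_name process_group
| sort -Total</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
</form>
```

The lookup file must be shared with the app (or globally) and readable by the dashboard's users, otherwise the lookup command returns no process_group and every row lands in "other".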


jip31
Motivator

Hi Oliver, thanks for your proposal,
but do you think it is mandatory to do that with a lookup, or is there another solution?
I would prefer without a lookup...

0 Karma

ololdach
Builder

Hi, IMHO a lookup is the fastest and most efficient way. You could use case statements, which make the code look clumsy and hard to maintain in a non-trivial setting. If you would like to use an index instead of a .csv, you could index the map and do a ...| join type=inner process_name [ search index=yourindex process_group=$tok_filterprocess$ | table process_name, process_group] | ... in your search, adding some overhead and complexity. Alas, if you use the "inner" join, you can leave out the additional search that selects the matched processes, as this is implicitly being done in the join. Oliver

0 Karma

jip31
Motivator

Thanks for all.

0 Karma