Dashboards & Visualizations

populating a search with a domain in user field

Engager

Essentially I have a working search, but in the original data the username field is populated with a "\" entry, e.g. "splunk\fred". So if I use this in a populating search for a drop-down box, this won't work as a filter, as you need to have this format "\\".

Anyone have any suggestions on how to manage this?

Original strings:

<![CDATA[sourcetype=pantraffic earliest=-24h | stats count by srcuser]]>


...
Applications
sourcetype=pantraffic srcuser="$username$" host="$site$" | top application
Application
Count
bar

...


Legend

Try this:

  <populatingsearch fieldforvalue="src_user" fieldforlabel="src_user_label">
    <![CDATA[sourcetype=pan_traffic earliest=-24h | stats count by src_user
    | eval src_user_label = replace(src_user,"\\","\\\\") ]]>
  </populatingsearch>
  <chart>
    ...
    <title>Applications</title>
    <searchtemplate>sourcetype=pan_traffic src_user="$username$" host="$site$" | top application</searchtemplate>

This should give you 2 fields for the drop-down: src_user, which you can use for your search, and src_user_label. src_user_label is the same field, but in the form <domain>\\<username> instead of <domain>\<username>. You have to double up on the \ because the replace function uses regular expressions.


0 Karma
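The escaping the accepted answer relies on, modelled in Python as an added example (not code from the thread or from Splunk): escape_backslashes mirrors the eval's replace(), quote_for_spl generalizes it to also escape embedded double quotes, unescape_spl_quoted shows the doubled form reads back as one backslash, and is_well_escaped checks a token value before it lands in src_user="$username$". All function names and the sample users are assumptions.

```python
import re


def escape_backslashes(value: str) -> str:
    """Same as the answer's eval: replace(src_user, "\\", "\\\\").
    The pattern "\\" is the regex for ONE literal backslash and the
    replacement "\\\\" emits TWO, so every backslash in the value is doubled."""
    return re.sub(r"\\", r"\\\\", value)


def quote_for_spl(value: str) -> str:
    """Hypothetical helper: wrap a raw value as an SPL double-quoted literal.
    Generalizes the thread's rule by escaping embedded double quotes as well."""
    return '"' + re.sub(r'([\\"])', r'\\\1', value) + '"'


def unescape_spl_quoted(literal: str) -> str:
    """Read a double-quoted literal back: \\\\ -> \\ and \\" -> " (only the two
    escapes produced above; this is not a full SPL string parser)."""
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        raise ValueError("not a double-quoted literal")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body) and body[i + 1] in '\\"':
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def is_well_escaped(body: str) -> bool:
    """Validate the text between the quotes of src_user="...": each backslash
    must be doubled (or escape a quote) and no bare quote may appear, so the
    token reads as a complete domain\\user value rather than ending early."""
    i = 0
    while i < len(body):
        if body[i] == "\\":
            if i + 1 >= len(body) or body[i + 1] not in '\\"':
                return False  # lone backslash, the splunk\fred problem
            i += 2
        elif body[i] == '"':
            return False  # bare quote would terminate the literal
        else:
            i += 1
    return True


def build_filter(field: str, raw_value: str) -> str:
    """Assemble the clause the dashboard search would run for one drop-down row."""
    return f"{field}={quote_for_spl(raw_value)}"


# Constructed sample rows standing in for the populating search's output.
SAMPLE_USERS = ["splunk\\fred", "corp.example\\jane", "fred"]
</test>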


Legend

Ah - thank goodness for the missing slashes - I just inserted them for you. They make the following answer possible!

0 Karma

Engager

In this case yes, if it's not too hard I'd like to keep it domain agnostic, i.e. if I had to package this to allow for any domain.

I just noticed the slashes are missing from my post. Note there's supposed to be a slash in between, and a double slash at the end of the first paragraph.

Legend

Is it a known list of domains?