
populating a search with a domain in user field

maboltins
Engager

Essentially I have a working search, but in the original data the username field is populated with a "\" entry, e.g. "splunk\fred". So if I use this in a populating search for a drop-down box, this won't work as a filter, as you need to have this format: "\\".

Anyone have any suggestions on how to manage this?

Original strings:

  <![CDATA[sourcetype=pan_traffic earliest=-24h | stats count by src_user]]>
  ...
  Applications
  sourcetype=pan_traffic src_user="$username$" host="$site$" | top application
  Application
  Count
  bar
  ...

1 Solution

lguinn2
Legend

Try this:

  <populatingsearch fieldforvalue="src_user" fieldforlabel="src_user_label">
    <![CDATA[sourcetype=pan_traffic earliest=-24h | stats count by src_user
    | eval src_user_label = replace(src_user,"\\","\\\\") ]]>
  </populatingsearch>
  <chart>
    ...
    <title>Applications</title>
    <searchtemplate>sourcetype=pan_traffic src_user="$username$" host="$site$" | top application</searchtemplate>

This should give you 2 fields for the drop-down: src_user, which you can use for your search, and src_user_label. src_user_label is the same field, but is in the form <domain>\\<username> instead of <domain>\<username>. You have to double up on the \ because the replace function uses regular expressions.

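To make the value/label split concrete, here is an added Python model of what the accepted answer's populating search and search template do (example code written for this page, not Splunk's own; the sample src_user values, `label_for`, `dropdown_choices` and `render_search` are all constructed for illustration):

```python
import re

# Constructed sample of src_user values as they might appear in pan_traffic events.
# One has no domain prefix at all, to show the replace is a no-op there.
SAMPLE_SRC_USERS = ["splunk\\fred", "corp\\alice", "svc-backup"]

SEARCH_TEMPLATE = (
    'sourcetype=pan_traffic src_user="$username$" host="$site$" | top application'
)


def label_for(src_user):
    # Mirrors eval src_user_label = replace(src_user,"\\","\\\\").
    # The pattern is a regex, so a literal backslash must itself be escaped
    # (r"\\" matches one backslash); the replacement emits two backslashes.
    return re.sub(r"\\", r"\\\\", src_user)


def dropdown_choices(src_users):
    # (value, label) pairs as the drop-down would hold them: the value is the
    # untouched src_user that feeds the $username$ token, the label is the
    # doubled form the user sees.
    return [(u, label_for(u)) for u in src_users]


def render_search(template, tokens):
    # Substitute $token$ placeholders with the selected values.  A callable
    # replacement is used so backslashes in the value are inserted verbatim
    # rather than being interpreted as regex escapes.
    def sub(match):
        return tokens.get(match.group(1), match.group(0))

    return re.sub(r"\$(\w+)\$", sub, template)


if __name__ == "__main__":
    for value, label in dropdown_choices(SAMPLE_SRC_USERS):
        print(f"value={value!r:20} label={label!r}")
    print(render_search(SEARCH_TEMPLATE, {"username": "splunk\\fred", "site": "hq"}))
```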


lguinn2
Legend

Ah - thank goodness for the missing slashes - I just inserted them for you. They make the following answer possible!


maboltins
Engager

In this case yes; if it's not too hard I'd like to keep it domain agnostic, i.e. if I had to package this to allow for any domain.

I just noticed the slashes are missing from my post; note there's supposed to be a slash between and a double slash at the end of the first paragraph.

lguinn2
Legend

Is it a known list of domains?
