splunk xml dashboard

pjac1029
Explorer

I created a dashboard with an input that allows the user to select a user field from a dropdown that's populated by a lookup table.

I want to prefix the selected user with "production\" and run a query in a panel that retrieves firewall events where the user = the new token value (prefixed with "production\"), since the user in the firewall index is prefixed with "production".

The first time I select the user from the lookup, the query retrieves events.

The next time I select another user, the set token does not prefix the token with "production". Instead it searches with the user-selected value and returns no events.

The done block apparently only executes the first time through. Below is the XML.

Thanks in advance.

<form>
  <label>firewall blocks</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="username" searchWhenChanged="true">
      <label>username</label>
      <fieldForLabel>username</fieldForLabel>
      <fieldForValue>username</fieldForValue>
      <search>
        <query>| inputlookup test_users.csv | table username</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
        <done>
          <set token="username">prod\\$username$</set>
        </done>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=firewall sourcetype=firewall user = "$username$" | table $username$ user action</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

0 Karma

kiran_panchavat
Influencer

@pjac1029 

I reviewed the XML and implemented the solution using a token prefix strategy combined with test data via makeresults (since I currently don't have real firewall data).

I replaced the <done> block with a <change> block in the dropdown input to ensure that the prefix logic (e.g., "prod\") applies every time the user changes the selection. This resolved the issue where the token was only set once. I also validated the dropdown behavior and confirmed that event filtering works as expected based on the selected username.

<dashboard version="1.1">
  <label>Firewall Blocks Dashboard (Test Data)</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="raw_username" searchWhenChanged="true">
      <label>Select Username</label>
      <fieldForLabel>username</fieldForLabel>
      <fieldForValue>username</fieldForValue>
      <search>
        <query>| inputlookup test_users.csv | table username</query>
      </search>
      <change>
        <set token="username">prod\\$value$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>
            | makeresults
            | eval user="prod\\john.doe", action="blocked"
            | append [| makeresults | eval user="prod\\jane.smith", action="allowed"]
            | append [| makeresults | eval user="prod\\bob.jones", action="blocked"]
            | search user="$username$"
            | table user action
          </query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>

 


 

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!


0 Karma

livehybrid
Super Champion

Hi @pjac1029 

Simply add "<prefix>production</prefix>" within your <input></input> block like this:


 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma


pjac1029
Explorer

That worked! Thanks so much for your help. I really appreciate it!

kiran_panchavat
Influencer

@pjac1029 

You're most welcome! I'm glad to hear that it worked for you. 😊

0 Karma