Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dynamically filter table data

thicks1203
Explorer
‎04-18-2020 07:57 PM

I have a table with 6 columns of information that I am trying to filter dynamically:

date_time src_MAC dst_MAC src_IP dst_IP protocol

I have no problem setting the table up, but I would like user to filter the information dynamically across all the fields using dropdown or text box inputs. I have been able to filter on a single field using tokens, but when I try with multiple fields it breaks the table (each row consists of a single event, with multiple tokens it breaks the event) . Thank you for any help you can provide.

Example:
date_time src_MAC dst_MAC src_IP dst_IP protocol
2015-04-18 18:57:55.042547 ff:ff:ff:ff:ff:ff 78:24:af:43:0c:75 Actionte_25:fc:ff ASUSTekC_43:0c:75 ARP

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thicks1203
Explorer
‎04-19-2020 06:34 PM

Figured it out so I thought I would share.

The drop downs are first.

<row>    
    <panel>  
      <input type="dropdown" token="some_usr_tok" searchWhenChanged="true">
        <label>Filter by $userChoicetok$</label>
        <choice value="*">ALL</choice>
        <default>ALL</default>
        <search>
          <query>index=wired_index MAC!=MAC | stats count by MAC | sort MAC</query>
        </search>
        <fieldForLabel>MAC</fieldForLabel>
        <fieldForValue>MAC</fieldForValue>
      </input>  
      <input type="dropdown" token="another_usr_tok" searchWhenChanged="true">
        <label>Filter by $userNewchoice$</label>
        <choice value="*">ALL</choice>
        <default>ALL</default>
        <search>
          <query>index=wired_index IP!=IP | stats count by IP | sort IP</query>
        </search>
        <fieldForLabel>IP</fieldForLabel>
        <fieldForValue>IP</fieldForValue>
      </input>        
   </panel>
  </row>

I used five of these, but for brevity I only listed two.

Now the table.

<row>
    <panel id="scroll_2">
      <table depends="$showWired$">
        <search>
          <query>index=wired_index date_time!=date_time | search MAC=$some_usr_tok$  | search IP=$another_usr_tok$ 
         | stats list(MAC) as MAC by date_time IPd| table date_time MAC IP| sort -date_time</query>
          <earliest>0</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="rowNumbers">true</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>

This should let you filter down as specific as you like, there are probably more elegant ways, but it works. I would like to thank to4kawa for trying to help me work through this. どうもありがとうございました.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

thicks1203
Explorer
‎04-19-2020 06:34 PM

Figured it out so I thought I would share.

The drop downs are first.

<row>    
    <panel>  
      <input type="dropdown" token="some_usr_tok" searchWhenChanged="true">
        <label>Filter by $userChoicetok$</label>
        <choice value="*">ALL</choice>
        <default>ALL</default>
        <search>
          <query>index=wired_index MAC!=MAC | stats count by MAC | sort MAC</query>
        </search>
        <fieldForLabel>MAC</fieldForLabel>
        <fieldForValue>MAC</fieldForValue>
      </input>  
      <input type="dropdown" token="another_usr_tok" searchWhenChanged="true">
        <label>Filter by $userNewchoice$</label>
        <choice value="*">ALL</choice>
        <default>ALL</default>
        <search>
          <query>index=wired_index IP!=IP | stats count by IP | sort IP</query>
        </search>
        <fieldForLabel>IP</fieldForLabel>
        <fieldForValue>IP</fieldForValue>
      </input>        
   </panel>
  </row>

I used five of these, but for brevity I only listed two.

Now the table.

<row>
    <panel id="scroll_2">
      <table depends="$showWired$">
        <search>
          <query>index=wired_index date_time!=date_time | search MAC=$some_usr_tok$  | search IP=$another_usr_tok$ 
         | stats list(MAC) as MAC by date_time IPd| table date_time MAC IP| sort -date_time</query>
          <earliest>0</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="rowNumbers">true</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>

This should let you filter down as specific as you like, there are probably more elegant ways, but it works. I would like to thank to4kawa for trying to help me work through this. どうもありがとうございました.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-19-2020 02:26 PM

first drop down:

 <search>
   <query>index=some_index src_MAC != src_MAC| stats count by src_MAC</query>
   <earliest>0</earliest>
 </search>

this query searches src_MAC that have not "src_MAC" text and aggregate.
so, second is same one.

main:

     <search>
       <query>index=some_index| eval src_MAC= $srcmac$ | eval dst_MAC= $dstmac$ | table date_time src_MAC dst_MAC | sort -date_time</query>

this query result:

date_time src_MAC dst_MAC
xx:xx:xx  ff:ff:ff:ff:ff:ff 78:24:af:43:0c:75

I don't know what you want.

Why is there following:

| table $table_select_token$

or

| table date_time src_MAC dst_MAC src_IP dst_IP protocol
| fields - $fields_except_token$

reference:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Table
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fields

0 Karma
Reply
Solved! Jump to solution

thicks1203
Explorer
‎04-19-2020 03:08 PM

I dont know what table $table_select_token$ is, thats not in the code I provided. I broke the code up so it is a little bit easier to read. The two drop downs are looking for different things, one is the source, the other is the destination. I guess the easiest way to explain what I am looking to do is, I want a table that I can sort and filter like an excel spreadsheet that is populated by data points indexed by splunk.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-19-2020 03:45 PM

sorry, I don't know what you want.
sort: use sort
filter: what's this?
column? 

_time A B C → _time A C

row?

_time A B C
XX 1 2 3
YY 4 5 6
ZZ 7 8 9
→
_time A B C
XX 1 2 3
ZZ 7 8 9

fields value? 

_time A B C
XX 1 2 3
→
_time A B C
XX 1  3

the easiest way I guess not.
I guess I can't help you, sorry to waste your time.

0 Karma
Reply
Solved! Jump to solution

thicks1203
Explorer
‎04-19-2020 04:35 PM

You are not wasting my time, I appreciate you trying to help.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-18-2020 10:42 PM

table with 6 row? not column?

If you create dashboard, it's easy. make token and send to table as args

0 Karma
Reply
Solved! Jump to solution

thicks1203
Explorer
‎04-19-2020 05:24 AM

edited to changed rows to columns.

I can set the table with multiple tokens and it works, but as soon as I change a token using a drop down, it breaks. I need it to keep integrity across the rows, so it should only display the data if the answer= src_MAC AND dst_MAC, the date_time field would changed based on the filtered information.

First drop down:

<panel>
  <input type="dropdown" token="srcmac">
    <default>All</default>
    <choice value="src_MAC">All</choice>
    <fieldForLabel>src_MAC</fieldForLabel>
    <fieldForValue>src_MAC</fieldForValue>
    <search>
      <query>index=some_index src_MAC != src_MAC| stats count by src_MAC</query>
      <earliest>0</earliest>
    </search>
  </input>
</panel>

Second drop down:

  <input type="dropdown" token="dstmac">
    <default>All</default>
    <choice value="dst_MAC">All</choice>
    <fieldForLabel>dst_MAC</fieldForLabel>
    <fieldForValue>dst_MAC</fieldForValue>
    <search>
      <query>index=come_index dst_MAC != dst_MAC| stats count by dst_MAC</query>
      <earliest>0</earliest>
    </search>
  </input>
</panel>

Table:

<panel>
  <table>
    <search>
      <query>index=some_index| eval src_MAC= $srcmac$ | eval dst_MAC= $dstmac$ | table date_time src_MAC dst_MAC | sort -date_time</query>
      <earliest>0</earliest>
      <sampleRatio>1</sampleRatio>
    </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
  </table>
</panel>
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...