I have a table with 6 columns of information that I am trying to filter dynamically:
date_time src_MAC dst_MAC src_IP dst_IP protocol
I have no problem setting the table up, but I would like user to filter the information dynamically across all the fields using dropdown or text box inputs. I have been able to filter on a single field using tokens, but when I try with multiple fields it breaks the table (each row consists of a single event, with multiple tokens it breaks the event) . Thank you for any help you can provide.
Example:
date_time src_MAC dst_MAC src_IP dst_IP protocol
2015-04-18 18:57:55.042547 ff:ff:ff:ff:ff:ff 78:24:af:43:0c:75 Actionte_25:fc:ff ASUSTekC_43:0c:75 ARP
Figured it out so I thought I would share.
The drop downs are first.
<row>
<panel>
<input type="dropdown" token="some_usr_tok" searchWhenChanged="true">
<label>Filter by $userChoicetok$</label>
<choice value="*">ALL</choice>
<default>ALL</default>
<search>
<query>index=wired_index MAC!=MAC | stats count by MAC | sort MAC</query>
</search>
<fieldForLabel>MAC</fieldForLabel>
<fieldForValue>MAC</fieldForValue>
</input>
<input type="dropdown" token="another_usr_tok" searchWhenChanged="true">
<label>Filter by $userNewchoice$</label>
<choice value="*">ALL</choice>
<default>ALL</default>
<search>
<query>index=wired_index IP!=IP | stats count by IP | sort IP</query>
</search>
<fieldForLabel>IP</fieldForLabel>
<fieldForValue>IP</fieldForValue>
</input>
</panel>
</row>
I used five of these, but for brevity I only listed two.
Now the table.
<row>
<panel id="scroll_2">
<table depends="$showWired$">
<search>
<query>index=wired_index date_time!=date_time | search MAC=$some_usr_tok$ | search IP=$another_usr_tok$
| stats list(MAC) as MAC by date_time IPd| table date_time MAC IP| sort -date_time</query>
<earliest>0</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="rowNumbers">true</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
This should let you filter down as specific as you like, there are probably more elegant ways, but it works. I would like to thank to4kawa for trying to help me work through this. どうもありがとうございました.
Figured it out so I thought I would share.
The drop downs are first.
<row>
<panel>
<input type="dropdown" token="some_usr_tok" searchWhenChanged="true">
<label>Filter by $userChoicetok$</label>
<choice value="*">ALL</choice>
<default>ALL</default>
<search>
<query>index=wired_index MAC!=MAC | stats count by MAC | sort MAC</query>
</search>
<fieldForLabel>MAC</fieldForLabel>
<fieldForValue>MAC</fieldForValue>
</input>
<input type="dropdown" token="another_usr_tok" searchWhenChanged="true">
<label>Filter by $userNewchoice$</label>
<choice value="*">ALL</choice>
<default>ALL</default>
<search>
<query>index=wired_index IP!=IP | stats count by IP | sort IP</query>
</search>
<fieldForLabel>IP</fieldForLabel>
<fieldForValue>IP</fieldForValue>
</input>
</panel>
</row>
I used five of these, but for brevity I only listed two.
Now the table.
<row>
<panel id="scroll_2">
<table depends="$showWired$">
<search>
<query>index=wired_index date_time!=date_time | search MAC=$some_usr_tok$ | search IP=$another_usr_tok$
| stats list(MAC) as MAC by date_time IPd| table date_time MAC IP| sort -date_time</query>
<earliest>0</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="rowNumbers">true</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
This should let you filter down as specific as you like, there are probably more elegant ways, but it works. I would like to thank to4kawa for trying to help me work through this. どうもありがとうございました.
first drop down:
<search>
<query>index=some_index src_MAC != src_MAC| stats count by src_MAC</query>
<earliest>0</earliest>
</search>
this query searches src_MAC that have not "src_MAC" text and aggregate.
so, second is same one.
main:
<search>
<query>index=some_index| eval src_MAC= $srcmac$ | eval dst_MAC= $dstmac$ | table date_time src_MAC dst_MAC | sort -date_time</query>
this query result:
date_time src_MAC dst_MAC
xx:xx:xx ff:ff:ff:ff:ff:ff 78:24:af:43:0c:75
I don't know what you want.
Why is there following:
| table $table_select_token$
or
| table date_time src_MAC dst_MAC src_IP dst_IP protocol
| fields - $fields_except_token$
reference:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Table
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fields
I dont know what table $table_select_token$ is, thats not in the code I provided. I broke the code up so it is a little bit easier to read. The two drop downs are looking for different things, one is the source, the other is the destination. I guess the easiest way to explain what I am looking to do is, I want a table that I can sort and filter like an excel spreadsheet that is populated by data points indexed by splunk.
sorry, I don't know what you want.
sort: use sort
filter: what's this?
column
?
_time A B C → _time A C
row
?
_time A B C
XX 1 2 3
YY 4 5 6
ZZ 7 8 9
→
_time A B C
XX 1 2 3
ZZ 7 8 9
fields value
?
_time A B C
XX 1 2 3
→
_time A B C
XX 1 3
the easiest way
I guess not.
I guess I can't help you, sorry to waste your time.
You are not wasting my time, I appreciate you trying to help.
table with 6 row? not column?
If you create dashboard, it's easy. make token and send to table
as args
edited to changed rows to columns.
I can set the table with multiple tokens and it works, but as soon as I change a token using a drop down, it breaks. I need it to keep integrity across the rows, so it should only display the data if the answer= src_MAC AND dst_MAC, the date_time field would changed based on the filtered information.
First drop down:
<panel>
<input type="dropdown" token="srcmac">
<default>All</default>
<choice value="src_MAC">All</choice>
<fieldForLabel>src_MAC</fieldForLabel>
<fieldForValue>src_MAC</fieldForValue>
<search>
<query>index=some_index src_MAC != src_MAC| stats count by src_MAC</query>
<earliest>0</earliest>
</search>
</input>
</panel>
Second drop down:
<input type="dropdown" token="dstmac">
<default>All</default>
<choice value="dst_MAC">All</choice>
<fieldForLabel>dst_MAC</fieldForLabel>
<fieldForValue>dst_MAC</fieldForValue>
<search>
<query>index=come_index dst_MAC != dst_MAC| stats count by dst_MAC</query>
<earliest>0</earliest>
</search>
</input>
</panel>
Table:
<panel>
<table>
<search>
<query>index=some_index| eval src_MAC= $srcmac$ | eval dst_MAC= $dstmac$ | table date_time src_MAC dst_MAC | sort -date_time</query>
<earliest>0</earliest>
<sampleRatio>1</sampleRatio>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>