Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dynamically filter table data

thicks1203
Explorer
‎04-18-2020 07:57 PM

I have a table with 6 columns of information that I am trying to filter dynamically:

date_time src_MAC dst_MAC src_IP dst_IP protocol

I have no problem setting the table up, but I would like user to filter the information dynamically across all the fields using dropdown or text box inputs. I have been able to filter on a single field using tokens, but when I try with multiple fields it breaks the table (each row consists of a single event, with multiple tokens it breaks the event) . Thank you for any help you can provide.

Example:
date_time src_MAC dst_MAC src_IP dst_IP protocol
2015-04-18 18:57:55.042547 ff:ff:ff:ff:ff:ff 78:24:af:43:0c:75 Actionte_25:fc:ff ASUSTekC_43:0c:75 ARP

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thicks1203
Explorer
‎04-19-2020 06:34 PM

Figured it out so I thought I would share.

The drop downs are first.

<row>    
    <panel>  
      <input type="dropdown" token="some_usr_tok" searchWhenChanged="true">
        <label>Filter by $userChoicetok$</label>
        <choice value="*">ALL</choice>
        <default>ALL</default>
        <search>
          <query>index=wired_index MAC!=MAC | stats count by MAC | sort MAC</query>
        </search>
        <fieldForLabel>MAC</fieldForLabel>
        <fieldForValue>MAC</fieldForValue>
      </input>  
      <input type="dropdown" token="another_usr_tok" searchWhenChanged="true">
        <label>Filter by $userNewchoice$</label>
        <choice value="*">ALL</choice>
        <default>ALL</default>
        <search>
          <query>index=wired_index IP!=IP | stats count by IP | sort IP</query>
        </search>
        <fieldForLabel>IP</fieldForLabel>
        <fieldForValue>IP</fieldForValue>
      </input>        
   </panel>
  </row>

I used five of these, but for brevity I only listed two.

Now the table.

<row>
    <panel id="scroll_2">
      <table depends="$showWired$">
        <search>
          <query>index=wired_index date_time!=date_time | search MAC=$some_usr_tok$  | search IP=$another_usr_tok$ 
         | stats list(MAC) as MAC by date_time IPd| table date_time MAC IP| sort -date_time</query>
          <earliest>0</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="rowNumbers">true</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>

This should let you filter down as specific as you like, there are probably more elegant ways, but it works. I would like to thank to4kawa for trying to help me work through this. どうもありがとうございました.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

thicks1203
Explorer
‎04-19-2020 06:34 PM

Figured it out so I thought I would share.

The drop downs are first.

<row>    
    <panel>  
      <input type="dropdown" token="some_usr_tok" searchWhenChanged="true">
        <label>Filter by $userChoicetok$</label>
        <choice value="*">ALL</choice>
        <default>ALL</default>
        <search>
          <query>index=wired_index MAC!=MAC | stats count by MAC | sort MAC</query>
        </search>
        <fieldForLabel>MAC</fieldForLabel>
        <fieldForValue>MAC</fieldForValue>
      </input>  
      <input type="dropdown" token="another_usr_tok" searchWhenChanged="true">
        <label>Filter by $userNewchoice$</label>
        <choice value="*">ALL</choice>
        <default>ALL</default>
        <search>
          <query>index=wired_index IP!=IP | stats count by IP | sort IP</query>
        </search>
        <fieldForLabel>IP</fieldForLabel>
        <fieldForValue>IP</fieldForValue>
      </input>        
   </panel>
  </row>

I used five of these, but for brevity I only listed two.

Now the table.

<row>
    <panel id="scroll_2">
      <table depends="$showWired$">
        <search>
          <query>index=wired_index date_time!=date_time | search MAC=$some_usr_tok$  | search IP=$another_usr_tok$ 
         | stats list(MAC) as MAC by date_time IPd| table date_time MAC IP| sort -date_time</query>
          <earliest>0</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="rowNumbers">true</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>

This should let you filter down as specific as you like, there are probably more elegant ways, but it works. I would like to thank to4kawa for trying to help me work through this. どうもありがとうございました.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-19-2020 02:26 PM

first drop down:

 <search>
   <query>index=some_index src_MAC != src_MAC| stats count by src_MAC</query>
   <earliest>0</earliest>
 </search>

this query searches src_MAC that have not "src_MAC" text and aggregate.
so, second is same one.

main:

     <search>
       <query>index=some_index| eval src_MAC= $srcmac$ | eval dst_MAC= $dstmac$ | table date_time src_MAC dst_MAC | sort -date_time</query>

this query result:

date_time src_MAC dst_MAC
xx:xx:xx  ff:ff:ff:ff:ff:ff 78:24:af:43:0c:75

I don't know what you want.

Why is there following:

| table $table_select_token$

or

| table date_time src_MAC dst_MAC src_IP dst_IP protocol
| fields - $fields_except_token$

reference:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Table
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fields

0 Karma
Reply
Solved! Jump to solution

thicks1203
Explorer
‎04-19-2020 03:08 PM

I dont know what table $table_select_token$ is, thats not in the code I provided. I broke the code up so it is a little bit easier to read. The two drop downs are looking for different things, one is the source, the other is the destination. I guess the easiest way to explain what I am looking to do is, I want a table that I can sort and filter like an excel spreadsheet that is populated by data points indexed by splunk.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-19-2020 03:45 PM

sorry, I don't know what you want.
sort: use sort
filter: what's this?
column? 

_time A B C → _time A C

row?

_time A B C
XX 1 2 3
YY 4 5 6
ZZ 7 8 9
→
_time A B C
XX 1 2 3
ZZ 7 8 9

fields value? 

_time A B C
XX 1 2 3
→
_time A B C
XX 1  3

the easiest way I guess not.
I guess I can't help you, sorry to waste your time.

0 Karma
Reply
Solved! Jump to solution

thicks1203
Explorer
‎04-19-2020 04:35 PM

You are not wasting my time, I appreciate you trying to help.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-18-2020 10:42 PM

table with 6 row? not column?

If you create dashboard, it's easy. make token and send to table as args

0 Karma
Reply
Solved! Jump to solution

thicks1203
Explorer
‎04-19-2020 05:24 AM

edited to changed rows to columns.

I can set the table with multiple tokens and it works, but as soon as I change a token using a drop down, it breaks. I need it to keep integrity across the rows, so it should only display the data if the answer= src_MAC AND dst_MAC, the date_time field would changed based on the filtered information.

First drop down:

<panel>
  <input type="dropdown" token="srcmac">
    <default>All</default>
    <choice value="src_MAC">All</choice>
    <fieldForLabel>src_MAC</fieldForLabel>
    <fieldForValue>src_MAC</fieldForValue>
    <search>
      <query>index=some_index src_MAC != src_MAC| stats count by src_MAC</query>
      <earliest>0</earliest>
    </search>
  </input>
</panel>

Second drop down:

  <input type="dropdown" token="dstmac">
    <default>All</default>
    <choice value="dst_MAC">All</choice>
    <fieldForLabel>dst_MAC</fieldForLabel>
    <fieldForValue>dst_MAC</fieldForValue>
    <search>
      <query>index=come_index dst_MAC != dst_MAC| stats count by dst_MAC</query>
      <earliest>0</earliest>
    </search>
  </input>
</panel>

Table:

<panel>
  <table>
    <search>
      <query>index=some_index| eval src_MAC= $srcmac$ | eval dst_MAC= $dstmac$ | table date_time src_MAC dst_MAC | sort -date_time</query>
      <earliest>0</earliest>
      <sampleRatio>1</sampleRatio>
    </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
  </table>
</panel>
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...