Getting Data In

Multi-select input populate all users with a certain attribute.

michael_valenzu
New Member

I have a Dashboard for viewing activity from suspicious accounts. I currently use a multi-select input where I am running a report to find suspicious accounts. I want to by default view activity for all of the suspicious accounts. I can't use the * for the "all" selection because it would show the activity for every user, not the subgroup of "suspicious users". Is there a way to have the dashboard auto-populate with data for all users that show up on the report?

0 Karma

woodcock
Esteemed Legend

If you are doing it right, you can use *. You should have a "suspicious users" lookup file like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND [|inputlookup suspicous_users_lookup.csv | table user]
| search $multiselect_token$
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@michael_valenzuela

You can achieve this using javascript. Check below XML and code. Here you have to write additional search which provides the suspicious Accounts. Check id=suspiciousAccountsSearch in XML. Which will be used for setting up default value of multi select.

XML

<form script="status_dashboard.js">
  <search id="suspiciousAccountsSearch">
    <query>| makeresults count=5 | eval a=2 | accum a | eval user="user".a | table user</query>
    </search>
  <label>Default Multi Select</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="AccountsDropdown" id="AccountsDropdown">
      <label>field1</label>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <search>
        <query>| makeresults count=10 | eval a=1 | accum a | eval user="user".a</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <delimiter> </delimiter>
    </input>
  </fieldset>
</form>

Javascript

var deps = [
     "splunkjs/ready!"
 ];
 require(deps, function(mvc) {

     var idSelectIndex = mvc.Components.get('AccountsDropdown');
     var allValues = [];

     var idSearchSelectIndex = mvc.Components.get("suspiciousAccountsSearch");
     var idSearchSelectIndex_results = idSearchSelectIndex.data("preview");
     idSearchSelectIndex_results.on("data", function() {

          $.each(idSearchSelectIndex_results.data().rows, function( index, value ) {
            console.log(index, value)
             allValues.push(value[0]);

         });
         idSelectIndex.settings.set("default",allValues);
         // idSelectIndex.render();
      });
 });

Thanks

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>