Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create Dynamic Drop-down

CoryC
Engager
‎03-11-2024 02:39 PM

I am trying to create a dashboard to examine group policy processing errors.  I would like to create a drop-down based on the values returned for EventCode which is the Windows EventID.

1.  How do I create a dynamic drop-down to show the EventIDs (EventCode) returned by the search?

2.  I see you can enter a whole new search, but technically that is different than the main search, right?  How do I base it on the main search?

3.  What are Label (fieldForLabel) and Value (fieldForValue) for?  Why are they required?

 

 

<form version="1.1" theme="light">
  <label>GP Errors</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-90m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="Computername">
      <label>Computer Name</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="EventID">
      <label>Event ID</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>EventID</fieldForLabel>
      <fieldForValue>EventID</fieldForValue>
      <search>
        <query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error 
| stats values(EventCode)</query>
        <earliest>-90m@m</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error host=$Computername$ EventCode=$EventID$
| table  host, EventCode, Message, _time
| rename host AS Host, EventCode AS EventID
| sort _time desc</query>
          <earliest>-90m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎03-11-2024 11:02 PM

To make a common search, use a base search that is then used by both other searches. The details will need to be common enough.

Your main table has a search window of 90m - do you expect a large number of events in this data set. This table does not really do any aggregations, so using this as a base search is not really good idea. You would need 3 searches, the base and one for the dropdown and the other for the data table.

See this (untested) and compare it to your dashboard - it fixes your dropdown issue, creates a base search used by the other two searches and they all use the same time picker values.

<form version="1.1" theme="light">
  <label>GP Errors</label>
  <search id="base">
    <query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error 
| stats count by _time host EventCode Message
| rename host AS Host, EventCode AS EventID
    </query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-90m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="Computername">
      <label>Computer Name</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="EventID">
      <label>Event ID</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>EventID</fieldForLabel>
      <fieldForValue>EventID</fieldForValue>
      <search base="base">
        <query>
| stats count by EventID</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search base="base">
          <query>
search Host=$Computername$ EventID=$EventID$
| table  Host, EventID, Message, _time count
| sort - _time</query>
        </search>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

 Note that you also need to consider dependencies - should the list of eventids in the dropdown be ones that are found only for the entered computer? If not, then when you select an ID it may not exist.

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎03-11-2024 11:02 PM

To make a common search, use a base search that is then used by both other searches. The details will need to be common enough.

Your main table has a search window of 90m - do you expect a large number of events in this data set. This table does not really do any aggregations, so using this as a base search is not really good idea. You would need 3 searches, the base and one for the dropdown and the other for the data table.

See this (untested) and compare it to your dashboard - it fixes your dropdown issue, creates a base search used by the other two searches and they all use the same time picker values.

<form version="1.1" theme="light">
  <label>GP Errors</label>
  <search id="base">
    <query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error 
| stats count by _time host EventCode Message
| rename host AS Host, EventCode AS EventID
    </query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-90m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="Computername">
      <label>Computer Name</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="EventID">
      <label>Event ID</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>EventID</fieldForLabel>
      <fieldForValue>EventID</fieldForValue>
      <search base="base">
        <query>
| stats count by EventID</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search base="base">
          <query>
search Host=$Computername$ EventID=$EventID$
| table  Host, EventID, Message, _time count
| sort - _time</query>
        </search>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

 Note that you also need to consider dependencies - should the list of eventids in the dropdown be ones that are found only for the entered computer? If not, then when you select an ID it may not exist.

 

Reply
Solved! Jump to solution

CoryC
Engager
‎03-14-2024 11:44 AM

Thank you,  This worked for what I asked for.  Group Policy runs every 90-120 minutes so this should return most PCs with errors without duplicating them.  We have about 1000 computers and seem to have about 100 with errors, so this will return about 100 results for the 90 min.  90 min is all I really need to search, maybe 120, but I chose 90.  I can dig into the data more after getting these quick results.  I did realize I probably need all results, not just errors if I Enter a PC, but I can work on that.  I think if I enter a PC, I want all EventIDs, and if I enter an EventID, I want all PCs with that EventID.

 

Thank you again.  This is working as asked.

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎03-11-2024 11:03 PM

See this for base search documentation

https://docs.splunk.com/Documentation/Splunk/9.2.0/Viz/Savedsearches

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-11-2024 04:09 PM

The events returned by the search can have multiple fields,; the fieldsFor... elements defile which fields from the search are used for the label and which is used for the value.

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...