Splunk Search

Create Dynamic Drop-down

CoryC
Engager

I am trying to create a dashboard to examine group policy processing errors.  I would like to create a drop-down based on the values returned for EventCode which is the Windows EventID.

1.  How do I create a dynamic drop-down to show the EventIDs (EventCode) returned by the search?

2.  I see you can enter a whole new search, but technically that is different than the main search, right?  How do I base it on the main search?

3.  What are Label (fieldForLabel) and Value (fieldForValue) for?  Why are they required?


<form version="1.1" theme="light">
  <label>GP Errors</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-90m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="Computername">
      <label>Computer Name</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="EventID">
      <label>Event ID</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>EventID</fieldForLabel>
      <fieldForValue>EventID</fieldForValue>
      <search>
        <query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error 
| stats values(EventCode)</query>
        <earliest>-90m@m</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error host=$Computername$ EventCode=$EventID$
| table  host, EventCode, Message, _time
| rename host AS Host, EventCode AS EventID
| sort _time desc</query>
          <earliest>-90m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

0 Karma
1 Solution

bowesmana
SplunkTrust

To make a common search, use a base search that is then used by both other searches. The details will need to be common enough.

Your main table has a search window of 90m - do you expect a large number of events in this data set? This table does not really do any aggregations, so using this as a base search is not really a good idea. You would need 3 searches: the base, one for the dropdown and the other for the data table.

See this (untested) and compare it to your dashboard - it fixes your dropdown issue, creates a base search used by the other two searches, and they all use the same time picker values.

<form version="1.1" theme="light">
  <label>GP Errors</label>
  <search id="base">
    <query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error 
| stats count by _time host EventCode Message
| rename host AS Host, EventCode AS EventID
    </query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-90m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="Computername">
      <label>Computer Name</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="EventID">
      <label>Event ID</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>EventID</fieldForLabel>
      <fieldForValue>EventID</fieldForValue>
      <search base="base">
        <query>
| stats count by EventID</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search base="base">
          <query>
search Host=$Computername$ EventID=$EventID$
| table  Host, EventID, Message, _time count
| sort - _time</query>
        </search>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Note that you also need to consider dependencies: should the list of event IDs in the dropdown be only those found for the entered computer? If not, then when you select an ID it may not exist.


CoryC
Engager

Thank you, this worked for what I asked for. Group Policy runs every 90-120 minutes so this should return most PCs with errors without duplicating them. We have about 1000 computers and seem to have about 100 with errors, so this will return about 100 results for the 90 min. 90 min is all I really need to search, maybe 120, but I chose 90. I can dig into the data more after getting these quick results. I did realize I probably need all results, not just errors, if I enter a PC, but I can work on that. I think if I enter a PC, I want all EventIDs, and if I enter an EventID, I want all PCs with that EventID.


Thank you again.  This is working as asked.

0 Karma


ITWhisperer
SplunkTrust

The events returned by the search can have multiple fields; the fieldFor... elements define which field from the search is used for the label and which is used for the value.
