Splunk Search

How to display details in a single row for a dashboard for an access control system dropdown menu using an inputlookup?

ngwodo
Path Finder

Please use the screenshot below to determine what Splunk query is needed to display the access control under the panel "Year Selection and Rating Results". For example, when you click on "AC-7", which is colored yellow, you should see the following column fields: System, FISMA-ID, FIPS199-Categorization, FIPS199-Rating, Control Library, YearOA (if the system is high, medium or low) and Compliance status (if the system compliance is high, medium or low).

 

 

ngwodo_0-1678221679329.png
0 Karma

gcusello
SplunkTrust

Hi @ngwodo,

Sorry, but I don't understand your request: do you want to split the details into more panels, or something else?

Then, could you share your code instead of a screenshot? It's easier to help you.

Anyway, if you want to split the details panel into more panels, you could use a base search to populate all panels and put only a subset of fields in each panel.

Ciao.

Giuseppe

0 Karma
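The base-search layout suggested in the reply above, as an added example (not code from either poster): one `inputlookup` feeds two panels that each show a subset of fields. The search id `rtm_base` and the panel titles are hypothetical, and the column names are assumed to match the field names listed in the question.

```xml
<form version="1.1">
  <label>RTM base search example</label>
  <!-- Base search: reads the lookup once; the panels below post-process it. -->
  <!-- Column names are assumed from the question; adjust to the real CSV header. -->
  <search id="rtm_base">
    <query>| inputlookup controls_rtm.csv
      | fields System, "FISMA-ID", "FIPS199-Categorization", "FIPS199-Rating", "Control Library", "Compliance Status"</query>
    <earliest>0</earliest>
    <latest></latest>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="system_tk" searchWhenChanged="true">
      <label>System Selection</label>
      <fieldForLabel>System</fieldForLabel>
      <fieldForValue>System</fieldForValue>
      <search>
        <query>| inputlookup controls_rtm.csv | stats count by System | fields System</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>System categorization</title>
        <search base="rtm_base">
          <query>| search System="$system_tk$"
            | table System, "FISMA-ID", "FIPS199-Categorization", "FIPS199-Rating"</query>
        </search>
      </table>
    </panel>
    <panel>
      <table>
        <title>Control compliance</title>
        <search base="rtm_base">
          <query>| search System="$system_tk$"
            | table System, "Control Library", "Compliance Status"</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```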

ngwodo
Path Finder

Thanks for your response. Here is my XML source code for the dashboard below. I just want to show the details of one line of code when the access control, e.g. "AC-1", depending on when the System name compliance status for each year or multiple years is either "high", "medium" or "low".

The source code is:

<form version="1.1">
  <label>RTM_Automation_030623_Global_David</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="system_tk" searchWhenChanged="true">
      <label>System Selection</label>
      <fieldForLabel>System</fieldForLabel>
      <fieldForValue>System</fieldForValue>
      <search>
        <query>|inputlookup controls_rtm.csv
          |stats c by "System"
          |table "System"
        </query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <input type="dropdown" token="cl_tk" searchWhenChanged="true">
      <label>Control Library Selection</label>
      <fieldForLabel>Control_Library</fieldForLabel>
      <fieldForValue>Control_Library</fieldForValue>
      <search>
        <query>|inputlookup controls_rtm.csv
          |search "System"="$system_tk$"
          |stats c by "Control Library"
          |table "Control Library"
          |rename "Control Library" as Control_Library</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <input type="multiselect" token="year_tk" searchWhenChanged="true">
      <label>Year OAM Selection</label>
      <choice value="Year 1 OAM">Year 1</choice>
      <choice value="Year 2 OAM">Year 2</choice>
      <choice value="Year 3 OAM">Year 3</choice>
      <delimiter>|</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <html depends="$alwayshideCSSPanel$">
        <style>
          #tableColor table tbody td div.multivalue-subcell[data-mv-index="1"]{
            display:none;
          }
        </style>
      </html>
      <table id="tableColor">
        <title>Year Selection and Rating Results</title>
        <search>
          <query>|inputlookup controls_rtm.csv |search "System"="$system_tk$" "Control Library"="$cl_tk$"
            |table [|inputlookup controls_rtm.csv |search "System"="$system_tk$" "Control Library"="$cl_tk$"
            |fields - "System", "Control Library"
            |eval yearoam="$year_tk$"
            |makemv yearoam delim="|"
            |mvexpand yearoam
            |eval "FIPS199-Rating"=case('FIPS199-Rating'="H","High",'FIPS199-Rating'="M","Mod",'FIPS199-Rating'="L","Low")
            |eval yearoam=yearoam." ".'FIPS199-Rating'
            |table yearoam
            |eval yearoam="\"".yearoam."\""
            |stats values(yearoam) as yearoam delim=","
            |nomv yearoam |rename yearoam as search], "Compliance Status"
            |eval color =case('Compliance Status'&gt;=0 AND 'Compliance Status'&lt;25,"LOW",'Compliance Status'&gt;=25 AND 'Compliance Status'&lt;100,"MEDIUM",'Compliance Status'=100,"HIGH")
            |foreach * [eval &lt;&lt;FIELD&gt;&gt;=mvappend('&lt;&lt;FIELD&gt;&gt;',color)]
            |fields - color,"Compliance Status"</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <format type="color">
          <colorPalette type="expression">case (match(value,"LOW"), "#DC4E41",match(value,"MEDIUM"), "#F8BE34",match(value,"HIGH"),"#53A051")</colorPalette>
        </format>
        <drilldown>
          <set token="field_name">$click.name2$</set>
          <set token="field_value">$click.value2$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$field_name$,$field_value$">
      <table>
        <title>RTM Data Table</title>
        <search>
          <query>|inputlookup controls_rtm.csv |table Column* *</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <link target="_blank">/app/CIS_OA/rtm_automation_030623_global_david?form.year_tk=$click.value$</link>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>RTM Test Methods</title>
        <search>
          <query>| inputlookup AssetD.csv | table *</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <link target="_blank">/app/CIS_OA/rtm_automation_030623_global_david?form.year_tk=$click.value2$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

0 Karma