Splunk Search

Is it possible to Search within a table on a dashboard?

JunkyardDog
New Member

I have created a dashboard panel which displays events from a firewall log.  Importantly, this panel is intended to show a request within the context of other requests around it.  Filtering isn't desirable, as that removes the request from the context.

The dashboard uses the search:

[ search index=firewall
    src_ip=$src$
    dest_ip=$dest$
  | eval earliest = min(_time)-60
  | eval latest = max(_time)+60
  | table earliest, latest ]
index=firewall dest_zone=external src_ip=$src$
| sort _time asc
| table _time src_ip dest_ip InitiatorPackets InitiatorBytes ResponderPackets ResponderBytes URL SSLServerName URLReputation URLCategory sourcetype
This search can result in many rows and the panel paginates them as expected. However, because the panel is displaying results from both before and after the event in question, that event is likely to end up somewhere in the middle of the results and on a page after the first. Is it possible to search within these results and have the panel automatically jump to the page where the expected result is displayed? E.g. if the request with the matching $src$ and $dest$ IP addresses is on page 3, then after the panel loads the data, it auto-navigates to page 3?

As a secondary question, is it possible to add a search box to the panel which would allow searching within the table and jumping the panel to the page with the expected result?  E.g. I have some sort of text box above just that panel.  If I type 'foobar.com' in the textbox, the panel jumps to the first page where 'foobar.com' is seen in the SSLServerName column?


diogofgm
SplunkTrust

You can, using post processing. 🙂
Depending on the number of results, since there is a limitation of 500,000 results, you can use your current search as a base search of your dashboard and then your post processing search could be `| search $your_filter$`. By doing this you can search the table results without rerunning the entire search.

------------
Hope I was able to help you. If so, some karma would be appreciated.
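To make the base search / post-process pattern from the answer above concrete, here is an added Simple XML dashboard example (written for this page, not code from the answerer or from Splunk). It wires the asker's search in as the base search and adds a text input whose token is applied by a post-process `| search` on the cached results, which is the "search box above the panel" from the secondary question. The search ID `fw_context_base`, the token name `your_filter`, the fixed `-24h@h` time range and the `count` option are assumptions; the SPL itself is the one posted in the question.

```xml
<form>
  <label>Firewall request context (added example)</label>

  <fieldset submitButton="false">
    <!-- Tokens used by the original search -->
    <input type="text" token="src" searchWhenChanged="true">
      <label>Source IP</label>
    </input>
    <input type="text" token="dest" searchWhenChanged="true">
      <label>Destination IP</label>
    </input>
    <!-- Search box for the panel; the default "*" applies no filter.
         Example value: SSLServerName=*foobar.com* -->
    <input type="text" token="your_filter" searchWhenChanged="true">
      <label>Search within results</label>
      <default>*</default>
    </input>
  </fieldset>

  <!-- Base search: runs once per token change and caches the full context
       window. Assumed ID and time range. Keep the result count under the
       500,000-result post-process limit mentioned in the answer. -->
  <search id="fw_context_base">
    <query>
      [ search index=firewall src_ip=$src$ dest_ip=$dest$
        | eval earliest = min(_time)-60
        | eval latest = max(_time)+60
        | table earliest, latest ]
      index=firewall dest_zone=external src_ip=$src$
      | sort _time asc
      | table _time src_ip dest_ip InitiatorPackets InitiatorBytes ResponderPackets ResponderBytes URL SSLServerName URLReputation URLCategory sourcetype
    </query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Requests around $src$ -> $dest$</title>
      <table>
        <!-- Post-process search: filters the cached base results only,
             so typing in the search box does not rerun the base search -->
        <search base="fw_context_base">
          <query>| search $your_filter$</query>
        </search>
        <option name="count">50</option>
      </table>
    </panel>
  </row>
</form>
```

Because the post-process query reuses the base search's cached results, changing `your_filter` only re-applies the `search` command to the rows already in the table. A filter of `*` leaves the table unfiltered; a field-qualified clause such as `SSLServerName=*foobar.com*` narrows it to the matching rows, which is a filtered view rather than a jump to the page where the match sits, so the first question (auto-paginating while keeping the surrounding context) is not covered by this pattern.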