Splunk Search

Why is checkbox not working?

POR160893
Builder

Hi,

I have created a dashboard to filter firewall statuses. One of the inputs I need is a checkbox to eliminate duplicates based on host, source IP, destination IP and destination port. 

However, the checkbox input is not working and every time the user checks and unchecks the box, it has no effect on the dashboard.

The following is my dashboard and the XML code, respectively:

[Images: Checkbox Not Working UI.PNG, Checkbox Not Working.PNG]

Can you please help?

Thank you!

0 Karma

richgalloway
SplunkTrust

Please share the part of the dashboard code that uses the $checkboxDedup$ token.

---
If this reply helps you, Karma would be appreciated.
0 Karma

POR160893
Builder

At the moment, this token is not being used.

I don't know how to incorporate it into one of my queries so that duplicates over 4 fields are detected.


As you can see from the below code, I am already using the tokens from the other inputs in the base searches:

[Image: 3 base queries.PNG]

However, for this checkbox, since I need to detect duplicates across source IP, dest IP, dest port AND sourcetype, and I am already using a sourcetype token in my dropdown, I don't know how to make use of the 1 token in the checkbox when it would make sense to have 4 tokens... Can you please help?

0 Karma

richgalloway
SplunkTrust

I think you only need one token, not 4, for dedup. Just add the token between the table and first lookup commands:

| table ...
$checkboxDedup$
| lookup ...

---
If this reply helps you, Karma would be appreciated.
0 Karma

POR160893
Builder

When I added the dedup in between the table and lookup, the UI is now looking for some argument:

[Images: Dedup Not Working - UI.PNG, Dedup Not Working - Code.PNG]

Can you please help?

0 Karma

richgalloway
SplunkTrust

Since the token already contains a dedup command, saying | dedup $checkboxDedup$ is equivalent to saying | dedup | dedup $sourcetype_tok$, $dest$, $src$, $port$.

Try the answer provided or change the token to not contain "| dedup".

---
If this reply helps you, Karma would be appreciated.

POR160893
Builder

Hey, the submit button with the Dedup condition does work now... but only on fields with the same name across both indexes. Here is the source query with the Dedup token being used:

[Image: Dedup Not Working - Code1.PNG]

However, I need to also have it check for dedup for src_ip and dest_ip. My issue is on the 2nd index, these two fields are called src and dest, respectively.

[Image: Dedup Not Working - Code2.PNG]

I tried using both names with an OR in the dedup but that did not work. Can you please help?

0 Karma

richgalloway
SplunkTrust

The dedup command does not accept expressions, only field names. You'll probably need to normalize the field names using rename or coalesce (or another method) for dedup to work as expected.

---
If this reply helps you, Karma would be appreciated.
0 Karma
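The two answers above (drive the optional dedup from a single checkbox token placed between `table` and `lookup`, and normalize the `src`/`src_ip` and `dest`/`dest_ip` field names before dedup) combined into one Simple XML dashboard. This is an added example, not code from the original thread or from Splunk; the index name `firewall`, the lookup name `firewall_status_lookup`, the `action` field and the normalized field names `src_norm`/`dest_norm` are assumptions, as is the use of an empty token value (rather than an unset token) for the unchecked state so that the search still runs.

```xml
<form>
  <label>Firewall status with optional dedup</label>

  <!-- Make sure the dedup token exists (as an empty string) before any search runs -->
  <init>
    <set token="checkboxDedup"></set>
  </init>

  <!-- Submit button: inputs are applied only when the user clicks Submit -->
  <fieldset submitButton="true" autoRun="false">
    <input type="dropdown" token="sourcetype_tok" searchWhenChanged="false">
      <label>Sourcetype</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>index=firewall | stats count by sourcetype</query>
      </search>
    </input>

    <!-- One checkbox, one token. The change handler turns the check state into
         either a complete dedup command or an empty string, so $checkboxDedup$
         can be dropped straight into the pipeline. The SPL comes from a fixed
         <set> value defined here, never from free text typed by the user. -->
    <input type="checkbox" token="dedup_check" searchWhenChanged="false">
      <label>Remove duplicates</label>
      <choice value="yes">Dedup on sourcetype, source IP, dest IP, dest port</choice>
      <change>
        <condition value="yes">
          <set token="checkboxDedup">| dedup sourcetype, src_norm, dest_norm, dest_port</set>
        </condition>
        <condition>
          <!-- unchecked: set (not unset) the token so dependent searches still run -->
          <set token="checkboxDedup"></set>
        </condition>
      </change>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Firewall events</title>
      <table>
        <!-- The second index names the IP fields src/dest instead of src_ip/dest_ip.
             coalesce() picks whichever is present, so dedup sees one field name
             for both indexes. dedup itself only takes field names, not expressions. -->
        <search>
          <query>index=firewall sourcetype=$sourcetype_tok$
| eval src_norm=coalesce(src_ip, src), dest_norm=coalesce(dest_ip, dest)
| table _time, host, sourcetype, src_norm, dest_norm, dest_port, action
$checkboxDedup$
| lookup firewall_status_lookup dest_ip AS dest_norm OUTPUT status</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

With the box unchecked the pipeline reads `| table ... | lookup ...` (the empty token contributes nothing); with it checked, `| dedup sourcetype, src_norm, dest_norm, dest_port` is inserted between them. Because the dedup fields are the normalized `src_norm`/`dest_norm`, events from both indexes are compared on the same field names regardless of whether they arrived as `src_ip` or `src`.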

Marco_Develops
Path Finder

Have you considered using the submit button? In order to use the submit button you have to turn "search on change" off on all your other inputs.

-Marco

0 Karma

POR160893
Builder

The submit button with the Dedup condition does work now... but only on fields with the same name across both indexes. Here is the source query with the Dedup token being used:

[Image: Dedup Not Working - Code1.PNG]

However, I need to also have it check for dedup for src_ip and dest_ip. My issue is on the 2nd index, these two fields are called src and dest, respectively.

[Image: Dedup Not Working - Code2.PNG]

I tried using both names with an OR in the dedup but that did not work. Can you please help?

0 Karma