Hi @ekmek4

To achieve this type of filtering logic in your dashboard, you need to adjust the search query to handle the different combinations of inputs correctly. The main issue is ensuring that the query logic reflects the conditions you described. Here's how you can modify your query to achieve this:

1. Check if procname or procname2 is set: If either is set, filter by those.
2. Check if User is set: If User is set and no process names are set, filter by User.
3. Combine both conditions: If both process names and User are set, filter by both.

Here's a revised version of your dashboard code with the updated query logic:

<form version="1.1" theme="light">
  <label>Find Network connections(DNS)</label>
  <fieldset submitButton="false">
    <!-- Free-text process name; the empty default keeps $procname2$ defined -->
    <input type="text" token="procname2">
      <label>Enter procname: eg. opera.exe</label>
      <default></default>
    </input>
    <!-- Process names seen in Sysmon EventCode 22 (DNS query) events -->
    <input type="dropdown" token="procname" searchWhenChanged="true">
      <label>Procname</label>
      <fieldForLabel>process_name</fieldForLabel>
      <fieldForValue>process_name</fieldForValue>
      <search>
        <query>index=sysmon_wec AND (EventCode=22 OR event_id=22) | dedup process_name | head 1000 | table process_name</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <!-- Users from the same events, split per line and with service accounts removed -->
    <input type="dropdown" token="user" searchWhenChanged="true">
      <label>User</label>
      <fieldForLabel>User</fieldForLabel>
      <fieldForValue>User</fieldForValue>
      <search>
        <query>index=sysmon_wec AND (EventCode=22 OR event_id=22) | makemv tokenizer="([^\r\n]+)(\r\n)?" User | mvexpand User | where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE") | dedup User | head 1000 | table User</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>process_name</title>
        <search>
          <query>
            index=sysmon_wec AND (EventCode=22 OR event_id=22)
            | eval proc_filter=if(len("$procname$") > 0 OR len("$procname2$") > 0, 1, 0)
            | eval user_filter=if(len("$user$") > 0, 1, 0)
            | where (proc_filter=1 AND process_name IN ("$procname$", "$procname2$")) OR (user_filter=1 AND User="$user$")
            | makemv tokenizer="([^\r\n]+)(\r\n)?" User
            | mvexpand User
            | where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE")
            | dedup process_name
            | head 100
            | table process_name, User, ComputerName, QueryName, QueryResults
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Key Changes:

- proc_filter and user_filter: These are temporary fields used to determine if the process name or user filters should be applied.
- where clause: The logic now checks if either the process name or user filter should be applied, and applies them accordingly.
- Token Names: Ensure that the token names in your query match those defined in your inputs ($procname$, $procname2$, and $user$).

This setup should allow you to filter based on the conditions you described. If both process names and user are selected, it will filter by both. If only one is selected, it will filter by that one.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.

Regards

Will
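As an added illustration, not part of Will's answer or of any Splunk code, the Python below models the panel's SPL pipeline (the proc_filter/user_filter evals, the where clause, makemv + mvexpand, the service-account exclusion, dedup and head) over a handful of constructed Sysmon EventCode 22 rows, so you can see which rows each token combination keeps. It assumes an unset token behaves as an empty string, as the empty default on procname2 does.

```python
import re

# Accounts the dashboard's "where NOT (...)" clause drops after mvexpand.
SERVICE_ACCOUNTS = {
    "SYSTEM",
    r"NT AUTHORITY\SYSTEM",
    r"NT AUTHORITY\NETWORK SERVICE",
    r"NT AUTHORITY\LOCAL SERVICE",
}

# Constructed sample rows standing in for index=sysmon_wec EventCode=22 results.
# The last row carries a multi-line User value, which the makemv tokenizer splits.
EVENTS = [
    {"process_name": "opera.exe", "User": r"CORP\alice", "QueryName": "example.com"},
    {"process_name": "chrome.exe", "User": r"CORP\bob", "QueryName": "example.org"},
    {"process_name": "svchost.exe", "User": r"NT AUTHORITY\SYSTEM", "QueryName": "wpad"},
    {"process_name": "opera.exe", "User": "CORP\\bob\r\nCORP\\carol", "QueryName": "example.net"},
]


def dashboard_filter(events, procname="", procname2="", user=""):
    """Apply the panel's SPL stages in query order; unset tokens are modelled as ""."""
    proc_filter = len(procname) > 0 or len(procname2) > 0  # eval proc_filter=if(...)
    user_filter = len(user) > 0                              # eval user_filter=if(...)
    expanded = []
    for ev in events:
        # where (proc_filter=1 AND process_name IN (...)) OR (user_filter=1 AND User="$user$")
        # Note: this compares the raw User field, before makemv splits it.
        keep = (proc_filter and ev["process_name"] in (procname, procname2)) or (
            user_filter and ev["User"] == user
        )
        if not keep:
            continue
        # makemv tokenizer="([^\r\n]+)(\r\n)?" User | mvexpand User
        for one_user in re.findall(r"[^\r\n]+", ev["User"]):
            if one_user in SERVICE_ACCOUNTS:  # where NOT (User="SYSTEM" OR ...)
                continue
            expanded.append({**ev, "User": one_user})
    # dedup process_name keeps the first row seen for each process name
    seen, result = set(), []
    for row in expanded:
        if row["process_name"] not in seen:
            seen.add(row["process_name"])
            result.append(row)
    return result[:100]  # head 100
```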