All Posts

Hi @inventsekar,

1) As I recall, I only generated the lookup CSV file for testing in Tamil. An all-language lookup might be size prohibitive. The best SPL-based workaround to count all graphemes seems to be an eval expression using the \X regular expression token to match Unicode sequences. The simplest expression was:

| eval count=len(replace(field, "\\X", "x"))

2) The external lookup allowed programmatic access to Python modules or any other library/program if called from an arbitrary script. The example returned a Unicode character category, but the subsequent counting solution wasn't comprehensive. In Bash, calculating the number of characters may be as simple as:

echo ${#field}
=> 58

but this suffers the same problem as our earlier efforts by not taking into account marks and code sequences used to generate graphemes. Is Perl better?

perl -CS -lnE 'say length' <<<${field}
=> 58

As before, the length is incorrect. I'm not a Perl expert, but see https://perldoc.perl.org/perlunicode: "The only time that Perl considers a sequence of individual code points as a single logical character is in the \X construct ...." That leads us to:

perl -CS -lnE 's/\X/x/g; say length' <<<${field}
=> 37

There may be a better native Perl, Python, etc. solution, but calling an external program is more expensive than the equivalent SPL.

3) If you only need to count graphemes, I would use the eval command. What other use cases did you have in mind?
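The difference the post describes between code-point length and grapheme count can be reproduced outside Splunk without any external program. The following is an added example, not code from the post or from Splunk: it approximates what the \X token matches (combining marks, ZWJ sequences, variation selectors and CR LF folded into the preceding base character) using only the standard library. The sample strings are constructed for illustration; the original 58/37 field is not available here, and the function is a documented subset of UAX #29 rather than a full implementation.

```python
import unicodedata
from typing import Dict, Optional

# Constructed sample inputs (assumptions, not the field from the original post).
SAMPLES: Dict[str, str] = {
    # "தமிழ்": 5 code points, 3 user-perceived characters (த | மி | ழ்)
    "tamil": "\u0ba4\u0bae\u0bbf\u0bb4\u0bcd",
    "latin_combining": "e\u0301",                  # 'e' + combining acute accent
    "emoji_zwj": "\U0001F469\u200D\U0001F4BB",      # woman + ZWJ + laptop
    "crlf": "\r\n",
    "ascii": "abc",
}

ZWJ = "\u200d"


def _extends_previous(ch: str, prev: Optional[str]) -> bool:
    """True when ch attaches to the previous cluster instead of starting a new one.

    Deliberate subset of UAX #29 extended grapheme clusters (what \\X matches):
    combining marks, zero-width-joiner sequences, variation selectors and CR LF.
    Regional-indicator pairs and Hangul jamo sequences are not handled.
    """
    if prev is None:
        return False
    if unicodedata.category(ch) in ("Mn", "Mc", "Me"):   # nonspacing/spacing/enclosing marks
        return True
    if ch == ZWJ or prev == ZWJ:                          # emoji ZWJ sequences
        return True
    if "\ufe00" <= ch <= "\ufe0f":                        # variation selectors
        return True
    if prev == "\r" and ch == "\n":                       # CR LF is one cluster
        return True
    return False


def code_point_count(text: str) -> int:
    """What len(), Bash ${#field} and Perl's length report: code points, not graphemes."""
    return len(text)


def approx_grapheme_count(text: str) -> int:
    """Count user-perceived characters, equivalent to replacing each \\X with one char."""
    count = 0
    prev: Optional[str] = None
    for ch in text:
        if not _extends_previous(ch, prev):
            count += 1
        prev = ch
    return count


def compare(text: str) -> Dict[str, int]:
    """Both measures side by side, so the gap the post describes is visible."""
    return {
        "code_points": code_point_count(text),
        "graphemes": approx_grapheme_count(text),
    }


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:16s} {compare(sample)}")
```

The Tamil sample shows the same pattern as the post's 58 versus 37: every vowel sign and virama is a separate code point but not a separate grapheme, so a plain length check over-counts.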
I don't quite follow your logic, but your solution will probably require mv eval functions and/or foreach. e.g. you can find the Category index into your LookupCategory something like this

| eval c=0
| foreach mode=multivalue LookupCategory [ eval mv_match=case(Category=<<ITEM>>, c, Category><<ITEM>>, -c, true(), mv_match), c=c+1 ]

i.e. a positive result of mv_match means the MV index of an exact match (offsets from 0). A negative mv_match result indicates the last LookupCategory that Category was > than and an empty result means Category was never greater than any LookupCategory. Then with that knowledge you can mvindex() the other MV values based on your needs, e.g. abs(mv_match)
Look at your condition match statements, e.g. your first one does <condition match="$row.Services$ != &quot;s3-bucket&quot;"> and then it sets S3_details="true" same for VPC and the other. So you probably want to change your matches to = rather than !=
I've set up a dev 9.2 Splunk environment. And I'm trying to use a self-signed cert to secure forwarding. But every time I attempt to connect the UF to the Indexing server it fails -_- I've tried a lot of permutations of the below. All ultimately ending with the forwarder unable to connect to the indexing server. I've made sure permissions are set to 6000 for cert and key. Made sure the Forwarder and Indexer have separate common names. And created multiple cert types. But I'm at a bit of a loss as to what I need to do to get the forwarder and indexer to connect over a self signed certificate. Any help is incredibly appreciated. Below is some of what I've attempted. Trying to not make this post multiple pages long X)

Simple TLS Configuration

Generating Indexer Certs:
openssl genrsa -out indexer.key 2048
openssl req -new -x509 -key indexer.key -out indexer.pem -days 1095 -sha256
cat indexer.pem indexer.key > indexer_combined.pem

Note: I keep reading that the cert and key need to be 1 file. But I'm not sure on this.

Generating Forwarder Certs:
openssl genrsa -out forwarder.key 2048
openssl req -new -x509 -key forwarder.key -out forwarder.pem -days 1095 -sha256
cat forwarder.pem forwarder.key > forwarder_combined.pem

Indexer Configuration:
[SSL]
serverCert = /opt/tls/indexer_combined.pem
sslPassword = random_string
requireClientCert = false

[splunktcp-ssl:9997]
compressed = true

Outcome: Indexer listens on port 9997 for encrypted communications.

Forwarder Configuration
[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
server = 192.168.110.178:9997
compressed = true

[tcpout-server://192.168.110.178:9997]
sslCertPath = /opt/tls/forwarder_combined.pem
sslPassword = random_string
sslVerifyServerCert = false

Outcome: Forwarder fails to communicate with Indexer

Logs from Forwarder:
ERROR TcpInputProc [27440 FwdDataReceiverThread] - Error encountered for connection from src=192.168.110.26:33522. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

Testing with openssl s_client:
Command: openssl s_client -connect 192.168.110.178:9997 -cert forwarder_combined.pem -key forwarder.key
Output: Unknown CA (I didn't write the exact message in my notes, but it generally says the CA is unknown.)

Note: Not sure if I need to add sslVersions = tls1.2, but that seems outside of the scope of the issue.

Troubleshooting connect, running openssl s_client raw:
Command: openssl s_client -connect 192.168.110.178:9997
Output received:
CONNECTED(00000003)
Can't use SSL_get_servername
Full s_client message is here: https://pastebin.com/z9gt7bhz

Further Troubleshooting
Added Indexers self-signed certificate to forwarder
...
sslPassword = random_string
sslVerifyServerCert = true
sslRootCAPath = /opt/tls/indexer_combined.pem

Outcome: same error message.

Testing with s_client:
Command: openssl s_client -connect 192.168.110.178:9997 -CAfile indexer_combined.pem
Connecting to 192.168.110.178
CONNECTED(00000003)
Can't use SSL_get_servername
Full s_client message is here: https://pastebin.com/BcDvJ2Fs
You can generally get there with SPL, e.g. here's a bit of a hack, which has a stab at it based on your data example | makeresults format=csv data="title,totalEventCount,frozenTimePeriodInSecs,count,usedData _audit,771404957,188697600, , _configtracker,717,2592000, , _dsappevent,240,5184000, , _dsclient,232,5184000, , _dsphonehome,843820,604800, , _internal,7039169453,15552000, , _introspection,39100728,1209600, , _telemetry,55990,63072000, , _thefishbucket,0,2419200, , , , ,22309,_* , , ,1039,_audit , , ,2,_configtracker , , ,1340,_dsappevent , , ,1017,_dsclient , , ,1,_dsclient] , , ,709,_dsphonehome , , ,2089,_internal , , ,117,_introspection , , ,2,_metrics , , ,2,_metrics_rollup , , ,2,_telemetry , , ,2,_thefishbucket" | eval title=coalesce(title, usedData) | fields - usedData | stats values(*) as * by title | eventstats values(eval(if(match(title, "\*"), title."##".title."##".count, null()))) as wildcard_indexes | eval wildcard_indexes=mvmap(wildcard_indexes, replace(wildcard_indexes, "\*(.*##)?", ".*\1")) | eval count=count+sum(mvmap(wildcard_indexes, if(match(title, mvindex(split(wildcard_indexes, "##"), 0)) AND title!=mvindex(split(wildcard_indexes, "##"), 1), mvindex(split(wildcard_indexes, "##"), 2), 0))) | fields - wildcard_indexes
Free license doesn't contain cluster or distributed capabilities. So you cannot use free for this. Basically you maybe could convert multi site environment back to single instance environment before your license goes too old?
And quite probably those copies have moved into frozen at totally different times, based on the situation on individual indexers. Moving it is always initiated by the indexer, not the master.
Hi @johnansett We had something similar after moving our on-prem Splunk to Splunk Cloud. Our on-prem indexed data needed to be searchable as it aged out. As a Splunk customer you should be able to request a zero-ingest license from Splunk Support. This is better than a free or trial license as it gives all the benefit of a standard license (except no data ingestion) and does not need renewing every 6 weeks like a trial license does. If you have a Splunk account manager then this is something you could discuss with them. Hope that helps.
provided you the query
Hey folks, been a while - I have a question I figured the community would be better to answer: We have a multisite cluster using SmartStore built in AWS. We are not going to new Splunk but need to be able to access the data for the next 7 years and thus want to age it out, but it may need to be searched from time-to-time. I understand we can convert to a Free license. However, does the architecture impact that (namely, that there is cluster replication)? Or is it possible to have a single standalone instance with Splunk Free to search as needed?
I think I got it now, thanks @bowesmana
@phanTom  could you also check the openssl version for the 9.3.0 UF?
Close, but there is no "unless" - Splunk will not keep track of your frozen buckets whatever you do. The last moment Splunk cares about your data is when it moves it to frozen. After that you're completely on your own. That's also why if you want to get that data back into Splunk you have to move the frozen buckets into the thawed directory and manually rebuild them. So yes, you need to have some way to manually rotate frozen data. Your script is one of the possible ways of handling that. Just be aware that 365 days from the move to frozen might not happen when you want, especially if you have some compliance-based requirements for data retention. It's probably better (but more troublesome) to base your retention script on timestamps from the bucket directory name. And last but not least - if you have a cluster, each node manages its own buckets so you might end up with several copies of the same bucket.
Right now, on a SOAR events/cases/playbooks menu page, a user can select a page size of 5, 10, 15, 25 or 50 which is the number of events, cases or playbooks to be displayed in a browser page. Is there a way to change that setting, for example, can SOAR display 100 events in one page? Thank you.
When I attempted to configure the input to use the service principal, I started to get the following error message:   <?xml version="1.0" encoding="utf-8"?><Error><Code>PublicAccessNotPermitted</Code><Message>Public access is not permitted on this storage account. RequestId:3d827a38-b01e-003e-7d90-46bd5c000000 Time:2024-12-04T21:05:06.5396465Z</Message></Error> Are there other items that I must reconfigure to get the service principal configured?  
Hello, Thank you for your answer but it doesn't work. panel 1 : <row> <panel> <title>AWS Services Monitoring</title> <table> <search> <!--done> <set token="Services">$click.name$</set> </done--> <query>index="aws_vpc_corp-it_security-prd" sourcetype="aws:s3:csv" ShortConfigRuleName="*" | eval Services = case( match(ShortConfigRuleName, "s3-bucket"), "s3-bucket", match(ShortConfigRuleName, "iam-password"), "iam-password", match(ShortConfigRuleName, "iam-policy"), "iam-policy", match(ShortConfigRuleName, "iam-user"), "iam-user", match(ShortConfigRuleName, "guardduty"), "guardduty", match(ShortConfigRuleName, "ec2"), "ec2", match(ShortConfigRuleName, "vpc"), "vpc", match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot", match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots", match(ShortConfigRuleName, "cloudtrail"), "cloudtrail", match(ShortConfigRuleName, "subnet"), "subnet", match(ShortConfigRuleName, "lambda-function"), "lambda-function", 1=1, "Other") |search Services!=Other | lookup aws_security_all_account_ids account_id AS AccountId OUTPUT name | table name AccountId Services ShortConfigRuleName ComplianceType OrderingTimestamp ResultRecordedTime | dedup AccountId Services ShortConfigRuleName ComplianceType | rename name as "AWS Account Name", "ComplianceType" as "Status", "OrderingTimestamp" as "Last Check", "ResultRecordedTime" as "Next Check" |fillnull value="N/A" |search $ResourceName$ $Services$ $Status$</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="count">100</option> <option name="drilldown">row</option> <option name="refresh.display">progressbar</option> <option name="wrap">true</option> <format type="color" field="Status"> <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette> </format> <drilldown> <condition match="$row.Services$ != &quot;s3-bucket&quot;"> <link 
target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&amp;AccountId=$row.AccountId$&amp;Services=$row.Services$&amp;S3_details=true&amp;earliest=$earliest$&amp;latest=$latest$&amp;Status=$row.Status$</link> </condition> <condition match="$row.Services$ != &quot;vpc&quot;"> <link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&amp;AccountId=$row.AccountId$&amp;Services=$row.Services$&amp;VPC_details=true&amp;earliest=$earliest$&amp;latest=$latest$&amp;Status=$row.Status$</link> </condition> <condition match="$row.Services$ != &quot;ec2&quot;"> <link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&amp;AccountId=$row.AccountId$&amp;Services=$row.Services$&amp;EC2_details=true&amp;earliest=$earliest$&amp;latest=$latest$&amp;Status=$row.Status$</link> </condition> </drilldown> </table> </panel> </row> panel 2: <row> <panel depends="$S3_details$"> <title>S3 DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title> <table> <search> <query>index="aws_vpc_corp-it_security-prd" | search ShortConfigRuleName=$ShortConfigRuleName$ |search AccountId=$AccountId$ |search ComplianceType=$Status$ | eval Services = case( match(ShortConfigRuleName, "s3-bucket"), "s3-bucket", match(ShortConfigRuleName, "iam-password"), "iam-password", match(ShortConfigRuleName, "iam-policy"), "iam-policy", match(ShortConfigRuleName, "iam-user"), "iam-user", match(ShortConfigRuleName, "guardduty"), "guardduty", match(ShortConfigRuleName, "ec2"), "ec2", match(ShortConfigRuleName, "vpc"), "vpc", match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot", match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots", match(ShortConfigRuleName, "cloudtrail"), "cloudtrail", match(ShortConfigRuleName, "subnet"), "subnet", match(ShortConfigRuleName, "lambda-function"), "lambda-function", 1=1, 
"Other") | where ResourceName!="N/A" | table AccountId ResourceName Services ComplianceType |rename ResourceName as "InstanceName" | table AccountId Services ComplianceType | dedup AccountId Services ComplianceType |appendcols [ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$ |table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State] | table AccountId Services ComplianceType InstanceId InstanceName Platform State</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="count">100</option> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <format type="color" field="ComplianceType"> <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette> </format> <format type="color" field="State"> <colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette> </format> <drilldown> <condition> <!-- Check that the filter matches exactly the selected service --> <eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval> <eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval> <eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval> </condition> </drilldown> </table> </panel> <panel depends="$VPC_details$"> <title>VPC DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title> <table> <search> <query>index="aws_vpc_corp-it_security-prd" | search ShortConfigRuleName=$ShortConfigRuleName$ |search AccountId=$AccountId$ |search ComplianceType=$Status$ | eval Services = case( match(ShortConfigRuleName, "s3-bucket"), "s3-bucket", match(ShortConfigRuleName, "iam-password"), "iam-password", match(ShortConfigRuleName, "iam-policy"), "iam-policy", match(ShortConfigRuleName, "iam-user"), "iam-user", match(ShortConfigRuleName, "guardduty"), "guardduty", 
match(ShortConfigRuleName, "ec2"), "ec2", match(ShortConfigRuleName, "vpc"), "vpc", match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot", match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots", match(ShortConfigRuleName, "cloudtrail"), "cloudtrail", match(ShortConfigRuleName, "subnet"), "subnet", match(ShortConfigRuleName, "lambda-function"), "lambda-function", 1=1, "Other") | where ResourceName!="N/A" | table AccountId ResourceName Services ComplianceType |rename ResourceName as "InstanceName" | table AccountId Services ComplianceType | dedup AccountId Services ComplianceType |appendcols [ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$ |table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State] | table AccountId Services ComplianceType InstanceId InstanceName Platform State</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="count">100</option> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <format type="color" field="ComplianceType"> <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette> </format> <format type="color" field="State"> <colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette> </format> <drilldown> <condition> <!-- Check that the filter matches exactly the selected service --> <eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval> <eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval> <eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval> </condition> </drilldown> </table> </panel> <panel depends="$EC2_details$"> <title>EC2 DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title> <table> <search> <query>index="aws_vpc_corp-it_security-prd" | search 
ShortConfigRuleName=$ShortConfigRuleName$ |search AccountId=$AccountId$ |search ComplianceType=$Status$ | eval Services = case( match(ShortConfigRuleName, "s3-bucket"), "s3-bucket", match(ShortConfigRuleName, "iam-password"), "iam-password", match(ShortConfigRuleName, "iam-policy"), "iam-policy", match(ShortConfigRuleName, "iam-user"), "iam-user", match(ShortConfigRuleName, "guardduty"), "guardduty", match(ShortConfigRuleName, "ec2"), "ec2", match(ShortConfigRuleName, "vpc"), "vpc", match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot", match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots", match(ShortConfigRuleName, "cloudtrail"), "cloudtrail", match(ShortConfigRuleName, "subnet"), "subnet", match(ShortConfigRuleName, "lambda-function"), "lambda-function", 1=1, "Other") | where ResourceName!="N/A" | table AccountId ResourceName Services ComplianceType |rename ResourceName as "InstanceName" | table AccountId Services ComplianceType | dedup AccountId Services ComplianceType |appendcols [ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$ |table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State] | table AccountId Services ComplianceType InstanceId InstanceName Platform State</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="count">100</option> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <format type="color" field="ComplianceType"> <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette> </format> <format type="color" field="State"> <colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette> </format> <drilldown> <condition> <!-- Check that the filter matches exactly the selected service --> <eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval> <eval token="VPC_details">if(match($click.value$, "vpc"), 
"true", "false")</eval> <eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval> </condition> </drilldown> </table> </panel> <panel depends="$SERVICES_details$"> <title>SERVICES DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title> <table> <search> <query>index="aws_vpc_corp-it_security-prd" | search ShortConfigRuleName=$ShortConfigRuleName$ |search AccountId=$AccountId$ |search ComplianceType=$Status$ | eval Services = case( match(ShortConfigRuleName, "s3-bucket"), "s3-bucket", match(ShortConfigRuleName, "iam-password"), "iam-password", match(ShortConfigRuleName, "iam-policy"), "iam-policy", match(ShortConfigRuleName, "iam-user"), "iam-user", match(ShortConfigRuleName, "guardduty"), "guardduty", match(ShortConfigRuleName, "ec2"), "ec2", match(ShortConfigRuleName, "vpc"), "vpc", match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot", match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots", match(ShortConfigRuleName, "cloudtrail"), "cloudtrail", match(ShortConfigRuleName, "subnet"), "subnet", match(ShortConfigRuleName, "lambda-function"), "lambda-function", 1=1, "Other") | where ResourceName!="N/A" | table AccountId ResourceName Services ComplianceType |rename ResourceName as "InstanceName" | table AccountId Services ComplianceType | dedup AccountId Services ComplianceType |appendcols [ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$ |table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State] | table AccountId Services ComplianceType InstanceId InstanceName Platform State</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="count">100</option> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <format type="color" field="ComplianceType"> <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette> 
</format> <format type="color" field="State"> <colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette> </format> <drilldown> <condition> <!-- Check that the filter matches exactly the selected service --> <eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval> <eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval> <eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval> </condition> </drilldown> </table> </panel> </row> But it doesn't work: when I select the vpc filter, I arrive at the S3_details view instead of arriving at VPC_details; when I select the s3-bucket filter, I go to VPC_details instead of S3_details; when I select the ec2 filter, I end up on S3_details instead of EC2_details.
Answering my own question here - it needs to have dates to display results. In the end, I wrote the results to a summary index in a scheduled search using | collect index=test_summary addtime=true. 
Thank you @bowesmana It's working perfectly after adding the <done> section shared by you in the response.
Thanks for the response @gcusello   I will try the HTML button and an external JS approach shared in the link.
In my experience XML dashboards won't let you do scrolling for a single viz. I just played around with Dashboard Studio and I can force a space between the lines but it just squeezes the lines. There is no scrolling on the viz no matter the size of the panel. I don't believe the behavior you want is possible.