I want to be able to pass multiple values to a field in a dashboard "Endpoint" . Like in the Endpoint Input I want to be able to pass "hostname1 , hostname2 , hostname3" . I dont want to be creating a drilldown. It should be a plain text input with either a "," delimiter or space. Following is my XML code.
<label>Endpoint</label>
<prefix>"</prefix>
<suffix>*"</suffix>
</input>
<panel>
<title>Endpoint Logging Status</title>
<table>
<search>
<query>""index=xyz sourcetype=xyz orig_index=$idx_name$ orig_sourcetype=$st_name$ orig_sourcetype!=stash orig_index!=scratch_01 orig_index!=hpam orig_index!=bsm orig_index!=avs orig_index!=itim orig_index!=ists orig_index!=clm_reports
orig_index!=complianceverification orig_host!=xyz orig_host=$splunk_host$ |[search index=xyz sourcetype=xyz orig_index=$idx_name$ orig_sourcetype=$st_name$ orig_sourcetype!=stash orig_index!=scratch_01 orig_index!=hpam orig_index!=bsm orig_index!=avs orig_index!=itim orig_index!=ists orig_index!=clm_reports
orig_index!=complianceverification orig_host!=xyz orig_host=$splunk_host$ |eval orig_host="$splunk_host$" | makemv orig_host delim="," | mvexpand orig_host | rex field=orig_host mode=sed "s/^\s+//g s/\s+$//g"] | rename orig_host AS host |stats max(lastTime) as lastTime by orig_index host orig_sourcetype | lookup xyz_asset_ownership_wildcard src_host AS host OUTPUTNEW organization_unit | lookup xyz_asset_ownership_wildcard src_ip AS host OUTPUTNEW organization_unit | eval organization_unit=coalesce(organization_unit, "UNKNOWN") | search organization_unit=$coe$ | eval age = now() - lastTime | eval status=case(age < 14400,"Active",age < 86400,"INACTIVE (4-24hrs)",age < 259200,"INACTIVE (1-3days)",age < 604800,"INACTIVE (3-7days)",age < 2592000,"INACTIVE (7-30days)",age >= 2592000,"INACTIVE > 30days") | convert ctime(lastTime) | stats list(lastTime) AS data_last_seen, list(orig_index) AS index, list(orig_sourcetype) AS sourcetype, values(organization_unit) AS "COE", list(status) AS status by host""
$time.earliest$
$time.latest$
... View more