Unable to match the 2 drop-down lists using XML and create a report for the following for PCI DSS

atulod1
New Member

Hi Team,

I created a customized dashboard for my PCI DSS number 10 requirements.
I have 2 drop-down lists (one for our Server Environment, one for PCI Requirement 10).
1. On the first drop-down list, here are the options that I created: (ServerEnv1, ServerEnv2, ServerEnv3, ServerEnv4)
2. On the 2nd drop-down list: (10.2.2, 10.2.3, 10.2.4, 10.2.5a, 10.2.5b, 10.2.5c)
3. If I choose "ServerEnv1" on the first drop-down list, the 2nd drop-down list will reflect "10.2.3, 10.2.4 and 10.2.5a", and if I choose "ServerEnv2", the 2nd drop-down list will be "10.2.2" only; then for ServerEnv3 and ServerEnv4, all of the list on the 2nd drop-down list will be reflected. Hoping you can help me with how to construct this using XML Command. -- Thanks in Advance -- ALLAN

0 Karma

atulod1
New Member

How can I add the lookup that I created, per the example version_servers_mapping.csv? Where do I assign this?

0 Karma

TISKAR
Builder

Response with lookup:

In Settings > Lookups, add the lookup file.

For example, I create the CSV file version_servers_mapping.csv with this content:

"servers","versions"
"ServerEnv1","10.2.3,10.2.4,10.2.5a"
"ServerEnv2","10.2.2"
"ServerEnv3","10.2.3,10.2.4,10.2.5a,10.2.2"
"ServerEnv4","10.2.3,10.2.4,10.2.5a,10.2.2"

And I used it in the dashboard like this:

<form>
  <label>test</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokServer" searchWhenChanged="true">
      <label>Select Server</label>
      <fieldForLabel>servers</fieldForLabel>
      <fieldForValue>servers</fieldForValue>
      <search>
        <query>
          | inputlookup version_servers_mapping.csv | table servers
        </query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>

    </input>
    <input type="dropdown" token="version" searchWhenChanged="true">
      <label>Select Version</label>
      <fieldForLabel>versions</fieldForLabel>
      <fieldForValue>versions</fieldForValue>
      <search>
        <query>| inputlookup version_servers_mapping.csv |search servers="$tokServer$"
               | makemv delim="," versions| mvexpand versions
        </query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>

    </input>
  </fieldset>
</form>
0 Karma

atulod1
New Member

It doesn't work either.

0 Karma

TISKAR
Builder

If you run | inputlookup version_servers_mapping.csv, can you share the result of this query?

0 Karma

atulod1
New Member

When I type this in the Excel sheet, it is in this kind of format:
"servers","versions"
"ServerEnv1","10.2.3,10.2.4,10.2.5a"
"ServerEnv2","10.2.2"
"ServerEnv3","10.2.3,10.2.4,10.2.5a,10.2.2"
"ServerEnv4","10.2.3,10.2.4,10.2.5a,10.2.2"
And when I run the query in the search using | inputlookup version_servers_mapping.csv, there was an error message.

0 Karma
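An added example, not part of any post in this thread: a Python check, run outside Splunk, of whether a CSV saved from a spreadsheet still parses into the servers and versions columns the dashboard queries use, and what each server's second drop-down would list. The function name, the sample bytes and the scenario of typing a whole quoted line into one cell are assumptions made for illustration.

```python
import csv
import io

EXPECTED_HEADER = ["servers", "versions"]  # field names the dashboard queries use

def check_lookup(raw: bytes):
    """Parse a candidate version_servers_mapping.csv; return (mapping, problems)."""
    text = raw.decode("utf-8-sig")  # tolerate a byte order mark from spreadsheet exports
    rows = [r for r in csv.reader(io.StringIO(text, newline="")) if r]
    if not rows:
        return {}, ["file is empty"]
    if rows[0] != EXPECTED_HEADER:
        return {}, [f"header parsed as {rows[0]!r}, expected {EXPECTED_HEADER!r}"]
    mapping, problems = {}, []
    for rowno, row in enumerate(rows[1:], start=2):
        if len(row) != 2:
            problems.append(f"row {rowno}: {len(row)} columns instead of 2")
        elif '"' in row[0] or row[0] != row[0].strip():
            problems.append(f"row {rowno}: stray quote or space in server {row[0]!r}")
        else:
            # Same split that makemv delim="," followed by mvexpand performs
            mapping[row[0]] = [v.strip() for v in row[1].split(",") if v.strip()]
    return mapping, problems

# Constructed samples (not taken from a real system).
GOOD = (b'"servers","versions"\r\n'
        b'"ServerEnv1","10.2.3,10.2.4,10.2.5a"\r\n'
        b'"ServerEnv2","10.2.2"\r\n'
        b'"ServerEnv3","10.2.3,10.2.4,10.2.5a,10.2.2"\r\n'
        b'"ServerEnv4","10.2.3,10.2.4,10.2.5a,10.2.2"\r\n')
# Assumption: each quoted line was typed into a single spreadsheet cell, so the
# CSV export wraps the whole line in quotes and doubles the inner ones.
TYPED_IN_ONE_CELL = (b'"""servers"",""versions"""\r\n'
                     b'"""ServerEnv1"",""10.2.3,10.2.4,10.2.5a"""\r\n')
# With this parser, a space before the opening quote keeps the quotes in the value.
LEADING_SPACE = (b'"servers","versions"\n'
                 b' "ServerEnv1","10.2.3,10.2.4,10.2.5a"\n')

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("one cell", TYPED_IN_ONE_CELL),
                         ("leading space", LEADING_SPACE)]:
        mapping, problems = check_lookup(sample)
        print(name, mapping, problems)
```
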

TISKAR
Builder

If the file does not exist, you must find "Not result find" and not an error.
Or create a .txt file and change it to .csv, for example:
version_servers_mapping.txt --> version_servers_mapping.csv

0 Karma

atulod1
New Member

Both of them don't work either.

0 Karma

TISKAR
Builder

@atulod1, can you try this please,

<form>
  <label>test</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokServer" searchWhenChanged="true">
      <label>Select Server</label>
      <fieldForLabel>servers</fieldForLabel>
      <fieldForValue>servers</fieldForValue>
      <search>
        <query/>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="ServerEnv1">ServerEnv1</choice>
      <choice value="ServerEnv2">ServerEnv2</choice>
      <choice value="ServerEnv3">ServerEnv3</choice>
      <choice value="ServerEnv4">ServerEnv4</choice>
    </input>
    <input type="dropdown" token="version" searchWhenChanged="true">
      <label>Select Version</label>
      <fieldForLabel>field</fieldForLabel>
      <fieldForValue>field</fieldForValue>
      <search>
        <query>| makeresults| eval server="$tokServer$"
               | eval field=case(server="ServerEnv1","10.2.3,10.2.4,10.2.5a",server="ServerEnv2","10.2.2",server="ServerEnv3" OR server="ServerEnv4","10.2.3,10.2.4,10.2.5a,10.2.2")
               | makemv delim="," field| mvexpand field
        </query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>

    </input>
  </fieldset>
</form>
0 Karma

atulod1
New Member

This one is not populating the result.

0 Karma

atulod1
New Member

Where should I declare my lookup here, since I created the lookup?

0 Karma

niketnilay
Legend

Based on the sample data provided, you can try the following inputs. However, ideally you should create a lookup file for version_servers_mapping.csv to maintain this kind of mapping and populate the dynamic dropdown through inputlookup/lookup commands in Splunk.

versions         servers
10.2.2           ServerEnv1,ServerEnv3,ServerEnv4
10.2.3           ServerEnv2,ServerEnv3,ServerEnv4
10.2.4           ServerEnv2,ServerEnv3,ServerEnv4
10.2.5a          ServerEnv2,ServerEnv3,ServerEnv4

Following is the run anywhere simple XML code for inputs.

  <fieldset submitButton="false">
    <input type="dropdown" token="tokServer" searchWhenChanged="true">
      <label>Select Server</label>
      <fieldForLabel>servers</fieldForLabel>
      <fieldForValue>servers</fieldForValue>
      <search>
        <query>| makeresults
| fields - _time
| eval servers="ServerEnv1,ServerEnv2,ServerEnv3,ServerEnv4"
| makemv servers delim=","
| mvexpand servers
| sort servers</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="tokVersion" searchWhenChanged="true">
      <label>Select Version</label>
      <fieldForLabel>versions</fieldForLabel>
      <fieldForValue>versions</fieldForValue>
      <search>
        <query>| makeresults
| eval _raw="versions=\"10.2.2\";server=\"ServerEnv1,ServerEnv3,ServerEnv4\""
| append [| makeresults
| eval _raw="versions=\"10.2.3\";server=\"ServerEnv2,ServerEnv3,ServerEnv4\""]
| append [| makeresults
| eval _raw="versions=\"10.2.4\";server=\"ServerEnv2,ServerEnv3,ServerEnv4\""]
| append [| makeresults
| eval _raw="versions=\"10.2.5a\";server=\"ServerEnv2,ServerEnv3,ServerEnv4\""]
| KV
| fields - _raw, _time
| makemv server delim=","
| mvexpand server
| search server="$tokServer$"</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma