How to add TextField value in GoogleMap Search Dashboard?

nazmy
Engager

Can anyone advise on how to add the value of a TextField into a GoogleMaps search?

I have a GoogleMap module in a dashboard as below:

<module name="HiddenSearch" layoutPanel="panel_row3_col1" autoRun="true">
    <param name="search">index=cons-network-sec sourcetype=cons-syslog-fw src_honesty="bad" | dedup src | rename src AS clientip | table clientip | geoip clientip | lookup threatscore clientip</param>
    <module name="GoogleMaps">
        <param name="height">500px</param>
        <param name="mapType">terrain</param>
        <param name="center">39.810646,-98.556976</param>
        <param name="scrollwheel">off</param>
    </module>
</module>

The data is displayed correctly in the Google map. Now I need to add a TextField to filter the GoogleMaps data based on the value of the text field. Below is the modified code after adding the TextField (please ignore the number of tags, as I copied only a portion of the code):

<module name="TextField">
    <param name="name">service</param>
    <param name="float">left</param>
    <param name="template">$value$</param>
    <param name="label">service name:</param>
    <module name="Search">
        <param name="search">|stats count AS src | eval src="$src$" | eval src=replace(src, " ", "") | eval src=replace(src,",", " OR src=") | eval src=if(src=="","*","(src=".src.")") | rename src AS src_ip</param>
        <module name="ResultsValueSetter">
            <param name="fields">src_ip</param>

            <module name="HiddenSearch" layoutPanel="panel_row3_col1" autoRun="true">                   
                <param name="search"> index=cons-network-sec sourcetype=cons-syslog-fw $src_ip$ src_honesty="bad"  | dedup src| rename src AS clientip | table clientip | geoip clientip | lookup threatscore clientip</param>
                <module name="GoogleMaps">  
                    <param name="height">500px</param>  
                    <param name="mapType">terrain</param> 
                    <param name="center">39.810646,-98.556976</param>
                    <param name="scrollwheel">off</param>  
                </module>
            </module>
        </module>
    </module>
</module>

After adding $src_ip$ to the GoogleMaps search, the data can't be displayed in the Google map. The field works fine if I use it in a chart/table search in the dashboard.

Please help.

0 Karma
1 Solution

nazmy
Engager

I have managed to solve this.
The attribute in the GoogleMaps search works when using the module 'Search' instead of 'HiddenSearch'.

Replace the line below

<module name="HiddenSearch" layoutPanel="panel_row3_col1" autoRun="true">      

with

<module name="Search" layoutPanel="panel_row3_col1" autoRun="true">      

and the attribute in the GoogleMaps module will work properly.

0 Karma

chimell
Motivator

Hi nazmy,
I advise you to use src=$src$ in your search instead of $src_ip$.
I propose this search:

index=cons-network-sec sourcetype=cons-syslog-fw  src=$src$ src_honesty="bad"  | dedup src| rename src AS clientip | table clientip | geoip clientip | lookup threatscore clientip
0 Karma
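
Added example, not code from the thread: a Python sketch of the string that the `eval`/`replace`/`if` search in the question produces for `$src_ip$`, next to a variant that accepts only comma-separated IPv4 addresses, so free text typed into the TextField never becomes part of the map search. The function names and sample inputs are constructed for illustration, and it assumes the `src` field holds IPv4 addresses.

```python
import ipaddress


def eval_chain(raw: str) -> str:
    """String the question's eval/replace/if pipeline yields for a field value."""
    src = raw.replace(" ", "")            # eval src=replace(src, " ", "")
    src = src.replace(",", " OR src=")    # eval src=replace(src, ",", " OR src=")
    return "*" if src == "" else "(src=" + src + ")"


def build_src_filter(raw: str) -> str:
    """Same output as eval_chain, but only for lists of IPv4 addresses.

    Raises ValueError for any entry that is not an IPv4 address
    (assumption: src in this sourcetype is always IPv4).
    """
    cleaned = raw.replace(" ", "")
    if cleaned == "":
        return "*"                        # empty field: match every source
    terms = []
    for item in cleaned.split(","):
        try:
            addr = ipaddress.IPv4Address(item)
        except ValueError:
            raise ValueError(f"not an IPv4 address: {item!r}") from None
        terms.append(f"src={addr}")
    return "(" + " OR ".join(terms) + ")"


if __name__ == "__main__":
    # Constructed sample field values
    for sample in ["", "10.1.1.5", "10.1.1.5, 192.0.2.7"]:
        print(repr(sample), "->", build_src_filter(sample))
```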