I have a drop-down box to select a value to populate a search on my dashboard, but why are no statistics being shown?

SecureIA
Path Finder

Hi helpful people,

I have an interactive dashboard which can search different time scales and drilldown on users. Next, I wish to drilldown on two different locations; more specifically, two different gateways. My current search string is below:

host=CATSG14 "Failed login" GATEWAY="*" AND "Failed login" | stats count by USER_IDv3 | sort - count | search USER_IDv3="$USER_IDv3$" GATEWAY="$GATEWAY$"

My idea is to have a drop-down box which lists the gateways and from this, I can sort. The problem I'm getting at the moment is that no Statistics are being shown. Only when I delete the GATEWAY="$GATEWAY$" from the string do stats finally appear. Where am I going wrong?

Any help would be massively appreciated.

0 Karma
1 Solution

renjith_nair
SplunkTrust

It's because you don't have field GATEWAY in your stats function.

Instead of doing the filter, try putting it in the main search itself like

host=CATSG14 "Failed login" GATEWAY="$GATEWAY$" AND "Failed login" AND USER_IDv3="$USER_IDv3$" | stats count by USER_IDv3
Happy Splunking!

0 Karma
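To make the accepted answer concrete, here is an added Python model of the two pipelines (example code, not from the thread or from Splunk). It uses constructed sample events and small approximations of `search` and `stats count by` to show why filtering on GATEWAY after the stats command returns nothing, and why moving both tokens into the base search (optionally keeping GATEWAY as a grouping field) works.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample events in the shape the thread's search expects (not real data).
EVENTS = [
    {"host": "CATSG14", "msg": "Failed login", "USER_IDv3": "alice", "GATEWAY": "RLIGWAUTH"},
    {"host": "CATSG14", "msg": "Failed login", "USER_IDv3": "alice", "GATEWAY": "INTGWAUTH"},
    {"host": "CATSG14", "msg": "Failed login", "USER_IDv3": "bob", "GATEWAY": "RLIGWAUTH"},
    {"host": "CATSG14", "msg": "Failed login", "USER_IDv3": "bob", "GATEWAY": "RLIGWAUTH"},
    {"host": "CATSG14", "msg": "Failed login", "USER_IDv3": "bob", "GATEWAY": "RLIGWAUTH"},
    {"host": "CATSG14", "msg": "Login OK", "USER_IDv3": "carol", "GATEWAY": "INTGWAUTH"},
]

def matches(row, **terms):
    """Approximate SPL 'field=value' filtering: the field must exist on the
    row (a missing field never matches, even against *) and the value may
    contain * wildcards."""
    return all(k in row and fnmatchcase(str(row[k]), v) for k, v in terms.items())

def stats_count_by(events, *fields):
    """Approximate '| stats count by f1 f2': output rows carry only the
    grouping fields plus count; every other field (e.g. GATEWAY) is dropped."""
    counts = Counter(tuple(e[f] for f in fields) for e in events)
    return [dict(zip(fields, key), count=n) for key, n in counts.items()]

def original_search(user="*", gateway="*"):
    """The asker's pipeline: stats first, then '| search' on both tokens.
    GATEWAY no longer exists on the stats rows, so nothing survives."""
    failed = [e for e in EVENTS if matches(e, host="CATSG14", msg="Failed login", GATEWAY="*")]
    rows = stats_count_by(failed, "USER_IDv3")
    return [r for r in rows if matches(r, USER_IDv3=user, GATEWAY=gateway)]

def fixed_search(user="*", gateway="*", keep_gateway=False):
    """The accepted answer: both tokens filter the raw events before stats.
    keep_gateway=True also groups by GATEWAY so it survives into the table."""
    failed = [e for e in EVENTS if matches(e, host="CATSG14", msg="Failed login",
                                            USER_IDv3=user, GATEWAY=gateway)]
    fields = ("USER_IDv3", "GATEWAY") if keep_gateway else ("USER_IDv3",)
    return sorted(stats_count_by(failed, *fields), key=lambda r: -r["count"])

if __name__ == "__main__":
    print("original:", original_search(gateway="RLIGWAUTH"))  # []
    print("fixed:   ", fixed_search(gateway="RLIGWAUTH"))     # bob 3, alice 1
```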

alemarzu
Motivator

Hi mate, code wasn't tested but try this.

EDIT: Made some changes.

<form>
   <label>YourLabel</label>
   <fieldset submitButton="false">
     <input type="time" token="time1" searchWhenChanged="true">
       <label>Select Time</label>
       <default>
         <earliest>-7d@h</earliest>
         <latest>now</latest>
       </default>
     </input>
     <input type="dropdown" token="gateway" searchWhenChanged="true">
       <label>Select gateway</label>
       <default>*</default>
       <populatingSearch fieldForValue="GATEWAY" fieldForLabel="GATEWAY" earliest="$time1.earliest$" latest="$time1.latest$">
         <![CDATA[host=CATSG14 "Failed login" GATEWAY="*" | dedup GATEWAY | table GATEWAY ]]>
       </populatingSearch>
     </input>
     <!-- A text input has no populatingSearch: the user types a value (or leaves *) -->
     <input type="text" token="userid" searchWhenChanged="true">
       <label>Select UserID</label>
       <default>*</default>
     </input>
   </fieldset>
   <row>
     <panel>
         <title>example</title>
         <search>
           <!-- Both tokens are applied before stats; they are quoted so a value with spaces stays one term -->
           <query>host=CATSG14 "Failed login" GATEWAY="$gateway$" USER_IDv3="$userid$" | stats count by USER_IDv3 | sort - count</query>
           <earliest>$time1.earliest$</earliest>
           <latest>$time1.latest$</latest>
         </search>
       <!-- YOUR OPTION ATTRIBUTES
         <option name="charting.drilldown">all</option>
        -->
     </panel>
   </row>
</form>
0 Karma

SecureIA
Path Finder

Cheers for replying, it doesn't seem to work I'm afraid.

0 Karma

alemarzu
Motivator

Made some changes, check it out.

0 Karma

SecureIA
Path Finder

Thank you so much 🙂 I managed to get it to work. All the best!!

0 Karma

SecureIA
Path Finder

Sure,

<form>
  <label>Gateway Activity Clone</label>
  <description>Dashboard showing activity on ARCA gateways</description>
  <fieldset submitButton="false">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Time</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="USER_IDv3" searchWhenChanged="true">
      <label>User Search</label>
      <default>*</default>
      <prefix>*</prefix>
      <suffix>*</suffix>
    </input>
    <input type="dropdown" token="GATEWAY" searchWhenChanged="true">
      <label>Gateway Search</label>
      <default>*</default>
      <prefix>*</prefix>
      <suffix>*</suffix>
      <choice value="*">Overall</choice>
      <choice value="RLIGWAUTH">RLI</choice>
      <choice value="INTGWAUTH">Internet</choice>
      <valuePrefix>*</valuePrefix>
      <valueSuffix>*</valueSuffix>
    </input>
  </fieldset>
</form>
0 Karma

renjith_nair
SplunkTrust

Could you please use a text input for user and gateway and run the below search in the search window

host=CATSG14 "Failed login" GATEWAY="<your gateway value>" AND "Failed login" AND USER_IDv3="<your user value>" | stats count by USER_IDv3

and make sure that you are getting some value.

Then use the below search in your dashboard and input the same values for user and gateway.

host=CATSG14 "Failed login" GATEWAY="$GATEWAY$" USER_IDv3="$USER_IDv3$" | stats count by USER_IDv3
Happy Splunking!

SecureIA
Path Finder

Absolutely bang on mate!! Thank you so much!! Cheers!! 🙂

0 Karma

SecureIA
Path Finder

Thanks for your reply, I've tried this and still nothing. When I put GATEWAY in the stats, it looks promising but then asks for numeric data.

0 Karma

renjith_nair
SplunkTrust

Do you mind showing your XML snippet? If the tokens are substituted correctly, the below should work

host=CATSG14 "Failed login" GATEWAY="$GATEWAY$" USER_IDv3="$USER_IDv3$"

Happy Splunking!
0 Karma