Is there a way to validate token values to ensure that they are one of the items in a drop-down list?

gn694
Communicator

I am working on a dashboard whose searches are constrained based on the value selected in a drop-down list.
I am populating the values in the drop-down list using a lookup - all values that appear in the drop-down are provided via a search, there are no static values. The lookup contains a mapping of username and the "options" they are allowed to search for.

So for User A, the drop-down list gets the values option1 and option2 from the lookup. When they select either option everything works as expected. BUT when User A goes to the address bar and modifies the URL from token=option1 to token=option3 the drop-down list shows option3 and the dashboard shows search results for option 3.

Is there a way to validate token values to ensure that they are one of the items in the drop-down list?

Or does anyone have any suggestions on how to handle this (prevent results from being returned when a user provides their own token value that they shouldn't)?

0 Karma

somesoni2
Revered Legend

Assuming your current panel searches are of this syntax (just a sample)

your base search option="$tokenOption$" | rest of the search

So, if the options are selected from dropdown, they work as designed but when URL is modified, they show results for options which they're not allowed to. So, update the query like this

your base search option="$tokenOption$" AND [| inputlookup yourlookup.csv | ...some filters for user... | where option="$tokenOption$" | table option ] | rest of the search

Explanation: The subsearch (which should match the dropdown inputlookup query) will ensure that the selected OR modified (from URL) token value should still match the allowed value criteria from the dropdown.

For a better/more accurate solution, please provide your dashboard xml.

gn694
Communicator

Thanks for the suggestion, but I don't think I can get that to work in my situation. When using the inputlookup command it has to be the first command in a search. That will not work in my situation because I have a base search in use so the inputlookup would not be the first search (I am using a basesearch that runs as the owner because the users do not have access to the index themselves.) Also, the search I am using to populate the dropdown list uses the rest command, which also has to be the first command in a search (I am doing this to get the currently logged in user name.)

0 Karma

somesoni2
Revered Legend

Well the above syntax does work as the inputlookup (or REST) is the first command in the subsearch, so, again, for accurate suggestions, please share your dropdown search and the panel searches.

0 Karma

gn694
Communicator

The Dropdown search is:

| rest /services/authentication/current-context/context splunk_server=local | fields + username | lookup customers.csv ID as username OUTPUT Site as SitesAllowed | mvexpand SitesAllowed | fields + SitesAllowed

The lookup is just a csv that indicates which site a user should be able to see logs for:
user1,site1.com
user1,site2.com
user2,site3.com

One of the panel searches is:

<search base="BaseSearch">
<query>| search requested_site=*$selectedSite$* | stats count by status</query>
</search>

The Base search is:

index=webhosting | fields *

and is required because it runs as owner - users do not have access to the index.

0 Karma

somesoni2
Revered Legend

Try this as your panel search. I'm just checking that the token value also exists in the dropdown values, else the search should not run

 <search base="BaseSearch">
 <query>| search requested_site=*$selectedSite$*  AND [ | rest /services/authentication/current-context/context splunk_server=local | fields + username | lookup customers.csv ID as username OUTPUT Site as SitesAllowed | mvexpand SitesAllowed | fields + SitesAllowed | search SitesAllowed=*$selectedSite$*  ] | stats count by status</query>
 </search>
0 Karma

gn694
Communicator

That is what I had tried when you first suggested the subsearch method, but it was not returning anything. I just tried again, and get No results found. I know the subsearch works, since I can run it on its own and get the desired output (a site name) when I replace the token with an actual site value.

Maybe it is an issue because I am using a basesearch on the dashboard?

I made a new panel that used the base search and for the query I entered the subsearch and got no results. Once I removed the base search from this new panel, things worked for this new test panel and the Selected Site was returned.

0 Karma

somesoni2
Revered Legend

Can you provide your dashboard xml?

0 Karma

gn694
Communicator

Here is the Dashboard XML.... I removed all but one panel to make it easier to sort through:

<form>
  <label>Dashboard Clone</label>
  <description>Dashboard for TESTING - validating token value</description>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="timePicker" searchWhenChanged="true">
      <label>Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="selectedSite" searchWhenChanged="true">
      <label>Sites</label>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <query>| rest /services/authentication/current-context/context splunk_server=local | fields + username | lookup customers.csv ID as username OUTPUT Site as SitesAllowed | mvexpand SitesAllowed | fields + SitesAllowed</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>SitesAllowed</fieldForLabel>
      <fieldForValue>SitesAllowed</fieldForValue>
    </input>
  </fieldset>
  <search id="BaseSearch" ref="utweb_basesearch">
    <earliest>$timePicker.earliest$</earliest>
    <latest>$timePicker.latest$</latest>
  </search>
  <row>
    <panel>
      <chart>
        <title>Count By Status</title>
        <search base="BaseSearch">
          <query>| search req_host=*$selectedSite$* AND [| rest /services/authentication/current-context/context splunk_server=local | fields + username | lookup customers.csv ID as username OUTPUT Site as SitesAllowed | mvexpand SitesAllowed | fields + SitesAllowed | search SitesAllowed=*$selectedSite$*  ] | stats count by status</query>
        </search>
        <option name="count">10</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <fields>[]</fields>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
</form>
0 Karma
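
An added example, not part of any post in this thread: a Python model of the validation the subsearch is meant to perform, using constructed data in the shape of customers.csv. It compares the wildcard comparison used in the thread with an exact match against the user's allowed sites; the function names and the sample event hosts are assumptions for illustration, and the code models the intent of the check rather than how Splunk executes the search.

```python
import csv
import io
import re

# Constructed sample data in the shape described in the thread.
# The header names ID and Site come from the lookup command in the dropdown search.
CUSTOMERS_CSV = "ID,Site\nuser1,site1.com\nuser1,site2.com\nuser2,site3.com\n"
# Constructed req_host values standing in for events returned by the base search.
EVENT_HOSTS = ["www.site1.com", "site2.com", "site3.com"]


def allowed_sites(username):
    """Sites the lookup maps to this user (what the dropdown would list)."""
    rows = csv.DictReader(io.StringIO(CUSTOMERS_CSV))
    return {row["Site"].lower() for row in rows if row["ID"] == username}


def wildcard_match(pattern, value):
    """Case-insensitive match where only '*' is a wildcard, as in field=*x*."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, value.lower()) is not None


def wildcard_check(username, token):
    """Intent of `search SitesAllowed=*$selectedSite$*`: an allowed site contains the token."""
    return any(wildcard_match(f"*{token}*", site) for site in allowed_sites(username))


def exact_check(username, token):
    """Stricter gate: the token must equal one of the user's allowed sites."""
    return token.lower() in allowed_sites(username)


def visible_hosts(username, token, check):
    """Hosts a panel filtering on req_host=*token* would show if the gate passes."""
    if not check(username, token):
        return set()
    return {h for h in EVENT_HOSTS if wildcard_match(f"*{token}*", h)}


if __name__ == "__main__":
    # Compare both gates for a listed value, an unlisted value and a partial value.
    for token in ["site1.com", "site3.com", "site"]:
        print(token,
              sorted(visible_hosts("user1", token, wildcard_check)),
              sorted(visible_hosts("user1", token, exact_check)))
```

Both gates reject `site3.com` for user1, but only the exact match rejects a partial value such as `site`, which the wildcard comparison accepts because it is contained in an allowed site.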