Infoblox DHCP Fingerprinting

sdeforke
New Member

Looking at the Dashboard for Top Device Classes, I tried modifying the Fingerprint panel and changed it to multiselect from dropdown; however, the results returned are from only one Fingerprint choice. I am not able to choose more than one Fingerprint. I need to be able to specify multiple Fingerprint choices and return results on those multiple Fingerprints.

0 Karma

aaraneta_splunk
Splunk Employee

@sdeforke - Are you using the Splunk Add-on for Infoblox? I just want to make sure your post is tagged appropriately. Thanks!

0 Karma

Richfez
SplunkTrust

You have a few changes to make. First, go back to your newly modified Multiselect. The overview is that in the "Token Options" section, you need to tell it how to build the portion of the search string you need, then in the search you'll need to tell it to use that token.

In my sample case (tossed together from some firewall information), I used a multiselect drop down to pick my "OUT" interface. This is ONLY an example, give more specifics and we can probably help more, but hopefully this will be enough.

So, first, the search I need the dashboard panel to run should look something like the below. You may want to open the search for that panel in Search and figure out what you actually need here, or maybe you already know well enough.

index=myindex sourcetype=mysourcetype OUT=X OR OUT=Y OR OUT=Z | blah blah.

So for my Token Options, I have

Token : out_tok (just a naming convention I learned for tokens ages ago).

Token Value Prefix : OUT=
Delimiter : OR
(Note, there is a space both before and after that " OR ")

If you watch the little "preview" section below the delimiter as you do this, you'll see it show you an example like OUT=value1 OR OUT=value2 OR ... and since that's exactly what I want to see, we're good here.

A note: you probably won't have to change the Dynamic Options Search String here (farther down the multiselect's properties), but you MAY want to run it in Search (there's a link right below it) to see what it actually outputs.

Now, on to the changes to the dashboard panel.

Click the Edit button for the search (Magnifying glass) and "Edit Search". You need to now wedge your token (which again will end up like "OUT=X OR OUT=Y") into your search, preferably the base search but that may take fiddling to figure out where's best. So in my case, I had

index=myindex sourcetype=mysourcetype | eval source_isLocal=....<big long nasty thing here>

So I modified it to

index=myindex sourcetype=mysourcetype $out_tok$ | eval ....<big long nasty thing here>

After that I saved the dashboard, then REFRESHED THE PAGE WITH F5. This isn't ALWAYS necessary, but can often be.

Then my drop down showed the two interfaces, each of which I could select, and which then filtered my dashboard panel.

Here's the doc for multiple value selections. There are links in there for each option type and how to put things together. A little searching or digging will turn up a lot more, including several Splunk education courses that will help too.

0 Karma
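
As an added example (not part of the original posts), this is how the Token Options described in the answer above look in the dashboard's Simple XML source. The index, sourcetype and OUT field are the answer's sample names; the populating search, the time range, the panel type and the quotes around each value are assumptions added here.

```xml
<form>
  <label>Multiselect token example</label>
  <fieldset submitButton="false">
    <!-- Token: out_tok, as named in the answer -->
    <input type="multiselect" token="out_tok" searchWhenChanged="true">
      <label>OUT interface</label>
      <!-- Token Value Prefix / Suffix: wrapped around every selected value.
           The quotes are an addition so a value containing spaces stays one term. -->
      <valuePrefix>OUT="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <!-- Delimiter: a space on both sides of OR -->
      <delimiter> OR </delimiter>
      <!-- Dynamic options: one choice per distinct OUT value (assumed search) -->
      <fieldForLabel>OUT</fieldForLabel>
      <fieldForValue>OUT</fieldForValue>
      <search>
        <query>index=myindex sourcetype=mysourcetype | stats count by OUT</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- With two values selected, $out_tok$ expands to:
               OUT="value1" OR OUT="value2" -->
          <query>index=myindex sourcetype=mysourcetype $out_tok$ | stats count by OUT</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The token name in the panel's query has to match the input's `token` attribute exactly, and it is the panel search, not only the input, that has to reference it.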

sdeforke
New Member

Thank you very much for your feedback. So this is what I'm running into. If I manually run a search, I have no problems; I can enter multiple values for my search and get my desired results. However, in the dashboard, if I make multiple choices in the multiselect panel, my only results are for my first choice and any other added choices are ignored. Here are my Token Options for the multiselect panel:
Token: finger_print
Default: blank
Initial Value: blank
Token Prefix: blank
Token Suffix: blank
Token Value Prefix: (FINGER_PRINT=="
Token Value Suffix: ")
Delimiter: OR
Preview: (FINGER_PRINT=="value1") OR (FINGER_PRINT=="value2") OR ...

The syntax in the preview is correct and works during a manual search.

0 Karma

Richfez
SplunkTrust

Can you paste the entire search from the panel that doesn't work? Please be sure to format the code using the "Code Sample" button (the 101010 button) so that the formatting doesn't get lost.

0 Karma