Dashboards & Visualizations

How to create a dashboard where I can insert the result of one dashboard panel and add the result to another panel?

mrtolu6
Path Finder

I would like to create a dashboard where I can get the result from one panel (query 1) and insert the results into panels 2 and 3. This dashboard should be in form format, where I type an IP address in a box and then add the IP address to query 1. Query 1 results will then be inserted into query 2 and 3, which will display the result on each panel.

query 1

sourcetype=name app=http-proxy $token1$ | stats count by src_ip

I would like to add the result from query 1 and insert the result to query 2 and 3.

query 2

index=name2 $tokenResultfromQuery1$ | rename user AS User clientip AS "Client IP Address" assigned_ip AS "Assigned IP Address" vpn AS VPN reason AS Reason | table User "Client IP Address" "Assigned IP Address" Group VPN "Start Time" | sort - _time

query 3

sourcetype="WinEventLog:Security" $tokenResultfromQuery1$ | stats count by user, src_ip
0 Karma

lguinn2
Legend

You need a form, not a dashboard. You will also need a base search for the query and the post-process searches for the two panels. This will require editing the Simple XML. Here are the documentation references:

Build and Edit Forms: http://docs.splunk.com/Documentation/Splunk/6.6.2/Viz/Buildandeditforms

Post-process searches: http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Post-process_searches

I think that the Splunk Dashboard Examples App may be more helpful than just the documentation...

There may be other ways to do this, but I think this is the most direct.
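
A Simple XML sketch of the form, base search and post-process layout described in the answer above, added here as an illustration and not taken from either poster or from the Splunk documentation. The ids, labels, time range and the `user` field in the proxy data are assumptions; a post-process search can only refine what its base search returns, so both panels here work from the same proxy results, and the `|s` token filter quotes the typed value before it reaches the search.

```xml
<form>
  <label>IP lookup (example)</label>
  <fieldset submitButton="true" autoRun="false">
    <!-- The typed value becomes $token1$ for every search in the form -->
    <input type="text" token="token1" searchWhenChanged="false">
      <label>IP address</label>
    </input>
  </fieldset>

  <!-- Base search: runs once per submit. $token1|s$ wraps the input in
       quotes so it is handled as one search term, not as SPL syntax.
       Splitting by user as well as src_ip is an assumption made so the
       two panels below have something different to show. -->
  <search id="base_proxy">
    <query>sourcetype=name app=http-proxy $token1|s$ | stats count by src_ip, user</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Requests per source IP</title>
      <table>
        <!-- Post-process search: starts from the base search results -->
        <search base="base_proxy">
          <query>| stats sum(count) AS count by src_ip</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Requests per user and source IP</title>
      <table>
        <search base="base_proxy">
          <query>| stats sum(count) AS count by user, src_ip | sort - count</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```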
