Splunk Search

Static List of Users

bgill0123
Loves-to-Learn

I have created a static list of users in a dropdown on one of my dashboards. There are only 15 of them, so I decided not to create a lookup table. On the same dashboard I have a panel with all the web traffic from all of these users. This works fine; I would like to be able to choose one of the users from the dropdown and see only their traffic. I have the dropdown set, but I can't get the search to return only the traffic from the selected user. How do I go about making this happen?

0 Karma

niketn
Legend

@bgill0123, in order for the community to assist you, you will have to provide more details. Are these users and their traffic that you intend to capture within Splunk, or in your custom web application that you are monitoring via Splunk?

If this is a custom web application, what kind of application/log is it that you are monitoring? Are you using an existing app from Splunkbase, like the ones for IIS or Tomcat, etc.? Or is it your custom app built specifically for your web application?

Can you post some events from logs which you intend to use in order to identify users and their traffic? Please mock/anonymize any sensitive information that you have in the logs. Can you also give your current search along with dropdown code (mask/anonymize static user names)?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

mayurr98
Super Champion

Hey, it is always efficient to put tokens in the main search if you can, in order to get fast results.
Try this run-anywhere XML:

<form>
  <label>Dropdown</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="user" searchWhenChanged="true">
      <label>Select User</label>
      <default>*</default>
      <choice value="admin">admin</choice>
      <choice value="n/a">n/a</choice>
      <choice value="splunk-system-user">splunk-system-user</choice>
      <choice value="*">ALL</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Report for $user$ user</title>
      <table>
        <search>
          <query>index=_audit user="$user$"| stats count by user </query>
          <earliest>-15m@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

Let me know if this helps!

0 Karma

493669
Super Champion

Hi @bgill0123,
Try this run-anywhere search:

<form>
  <label>Dropdown</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="sourcetype" searchWhenChanged="true">
      <label>Select a sourcetype</label>
      <default>*</default>
      <choice value="scheduler">scheduler</choice>
      <choice value="splunk_web_access">splunk_web_access</choice>
      <choice value="splunk_web_service">splunk_web_service</choice>
      <choice value="splunkd">splunkd</choice>
      <choice value="splunkd_access">splunkd_access</choice>
      <choice value="splunkd_ui_access">splunkd_ui_access</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Dropdown- sourcetype=$sourcetype$</title>
      <table>
        <search>
          <query>index=_internal sourcetype="$sourcetype$" | stats count by sourcetype</query>
          <earliest>-15m@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

Instead of sourcetype, try user here...
Let me know if it helps!

0 Karma

cmerriman
Super Champion

Can you share the source code with the dropdown input and the web traffic panel?

You are going to need to use the token from the dropdown in the search string with the web traffic data. Something like index=web_traffic user=$user$.... but it all depends on what the field and token are called and if it is all structured properly.

0 Karma
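As an added run-anywhere example (not from any of the answers above), the pattern the replies describe, applied to the original question: a static user dropdown whose value drives the web traffic panel. The index, sourcetype, field names and user names are assumptions. An "ALL" sentinel choice is turned into an empty filter clause so that "all users" does not depend on a wildcard, and the `|s` token filter quotes the selected value so it is inserted into the search as a literal string rather than as search syntax.

```xml
<form>
  <label>Web traffic by user</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="user" searchWhenChanged="true">
      <label>Select User</label>
      <!-- Static list, as in the question; "ALL" is a sentinel value
           handled by the change handler below (sample names are constructed) -->
      <default>ALL</default>
      <choice value="ALL">ALL</choice>
      <choice value="alice">alice</choice>
      <choice value="bob">bob</choice>
      <choice value="carol">carol</choice>
      <change>
        <condition value="ALL">
          <!-- No filter clause at all: the panel shows every user's traffic -->
          <set token="user_filter"></set>
        </condition>
        <condition>
          <!-- $value$ is the selected choice; |s wraps it in quotes and
               escapes embedded quotes, so it cannot be read as SPL syntax -->
          <set token="user_filter">user=$value|s$</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Web traffic for $user$</title>
      <table>
        <search>
          <!-- index, sourcetype and the user field name are assumptions -->
          <query>index=web_traffic sourcetype=access_combined $user_filter$ | stats count by user, uri_path, status</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The `user_filter` token is what actually lands in the search; the `user` token is only used for display in the panel title.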