Dashboards & Visualizations

help on dropdown list in a chart panel

jip31
Motivator

hi

I use the search below in a chart panel

    `CPU`
    | fields process_cpu_used_percent host process_name
    | where process_cpu_used_percent>50
    | eval host=upper(host)
    | dedup host process_name
    | eval process_name=case(process_name like "mfev%", "mfev", process_name like "mcdatrep", "mcdatrep", process_name=="mcshield", "mcshield", process_name=="amupdate", "amupdate", process_name=="McScript_InUse","McScript_InUse", process_name=="macompatsvc", "macompatsvc", process_name=="FrameworkService","FrameworkService", process_name=="McScanCheck", "McScanCheck", process_name=="Sysmon", "Sysmon")
    | stats count(host) as Total by process_name
    | sort -Total

I have added a dropdown list in order to filter by process_name

    <input type="dropdown" token="tok_filterprocess" searchWhenChanged="true">
        <label>Filter by Process</label>
        <default>*</default>
        <initialValue>*</initialValue>
        <choice value="McAFEE">McAFEE</choice>
    </input>

All the services you can see in my search concern the "McAFEE" process.
Even though I have added process_name=$tok_filterprocess$ in my search, I don't know how to link all these services with the choice value "McAFEE".
Could you help me please?

0 Karma

ololdach
Builder

Hi,

The way I understand your challenge, you are trying to map a set of process_name values to a "group" named "McAFEE", in such a way that when you select "McAFEE" in the dropdown, you only see those process_name values in your table that are associated with McAFEE.

If this is what you would like to do, the solution is a lookup table (process_group.csv) in a format like this:

    process_name,process_group
    "mcshield","McAFEE"
    "amupdate","McAFEE"
    ...

Add the map to your search and select the matching fields:

    ...| dedup host process_name | lookup process_group.csv process_name | search process_group="$tok_filterprocess$" | ...

Hope it helps
Oliver

0 Karma
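
The pieces from the answer above assembled into one Simple XML form, as an added example that is not the original poster's dashboard or the answerer's code. It assumes process_group.csv has been uploaded as a lookup table file; the "All" choice, the dashboard label, the chart option and the `|s` token filter are additions.

```xml
<!-- Added example. Assumes process_group.csv is a lookup table file
     readable from the app that hosts this dashboard. -->
<form>
  <label>CPU by process group</label> <!-- constructed label -->
  <fieldset submitButton="false">
    <input type="dropdown" token="tok_filterprocess" searchWhenChanged="true">
      <label>Filter by Process</label>
      <!-- "*" keeps every row that has a process_group; processes missing
           from the CSV get no process_group and are dropped by the filter -->
      <choice value="*">All</choice>
      <choice value="McAFEE">McAFEE</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <!-- |s quotes and escapes the token value, so a value supplied through
               the form.tok_filterprocess URL parameter stays a string literal -->
          <query><![CDATA[
`CPU`
| fields process_cpu_used_percent host process_name
| where process_cpu_used_percent>50
| eval host=upper(host)
| dedup host process_name
| lookup process_group.csv process_name OUTPUT process_group
| search process_group=$tok_filterprocess|s$
| stats count(host) as Total by process_name
| sort -Total
          ]]></query>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
</form>
```

A plain CSV lookup matches exactly, so the processes the question matches with `like "mfev%"` need their full names listed in the CSV, or a lookup definition with `match_type = WILDCARD(process_name)`.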

jip31
Motivator

Hi Oliver, thanks for your proposal,
but do you think it is mandatory to do that with a lookup, or is there another solution?
I would prefer to do it without a lookup...

0 Karma

ololdach
Builder

Hi, IMHO lookup is the fastest and most efficient way. You could use case statements, which make the code look clumsy and hard to maintain in a non-trivial setting. If you would like to use an index instead of .csv, you could index the map and do a

    ...| join type=inner process_name [ search index=yourindex process_group=$tok_filterprocess$ | table process_name, process_group] | ...

in your search, adding some overhead and complexity. Alas, if you use the "inner" join, you can leave out the additional search that selects the matched processes, as this is implicitly being done in the join.

Oliver

0 Karma

jip31
Motivator

thanks for all

0 Karma