SPLK-1002 Splunk Core Certified Power User – Splunk Inbuilt & Advanced Visualizations Part 2

  1. Dashboard Filters: Text Box

Open the Edit Search option. The Time Range picker is the shared token we have just created, so you can select it here. That is one way to edit the input. The second way is to go to Source, where you can see that the earliest and latest tags now contain $time.earliest$ and $time.latest$, which represent the token named time that we defined for the Time Range picker. Its default value is Last 30 days. So the token is passed into these tags.

So far we have edited three panels: the second panel now uses $time.latest$, and the third panel uses both $time.earliest$ and $time.latest$. I will copy these two lines and paste them into the other two existing panels. As you can see, their earliest and latest values are hard coded to the last 30 days; we change them to use the token instead. Let me save this. All the dashboard panels are refreshed after saving.

Let me change the time range to Previous month and submit: all five panels in our dashboard are reloaded. This confirms that whatever value we change here is applied to all of the panels. That is how a time filter is added. Now let us add another filter, a text box. To add a text box, click Add Input and select Text. I will label it Source IP, or you can give a clearer description such as Enter Source IP. Here too there is an option.

As soon as you change the Source IP, these panels will be refreshed. We will keep this checked in order to see the changes: with it checked, instead of clicking Submit you can just hit the Enter key and the dashboard reloads automatically. I will give the token the name src, or you can name it whatever you need. For the default value I will keep a star (*), so that whenever the dashboard is opened or reloaded the token contains a star. I will click Apply. As you can see, by default it has the star value defined here and the label Enter Source IP. Let me save this. Now we have our next filter.

That is a text box. I will copy one of the source IPs (the client IP) from the results, enter it here and click Submit. As you see, nothing changes even if I hit Enter, because no panel is consuming this token yet. So what do we do? We take the token (here the token name is source) and go to the panel's search again. Before the charting command, add the field name you are searching on, with the token you are passing enclosed in dollar symbols. That takes the value from the text box and puts it into the search; let us see how it works.

Click Apply. As you can see, the panel refreshes. Let me click Save and open the search. Since a source IP is entered here, the panel now shows only the statistics related to that source. If I open the search, you will be able to see the search with the argument we passed from the text box.

So whatever we enter here replaces the token source, written as $source$, in the search query. Our search has loaded. As you can see, the search contains clientip= followed by the text box value we passed as a filter to this panel. Let me quickly grab the same thing, clientip=$source$, and apply it to the other panels, so that all the panels reflect only the source we enter in our filter.

  1. Dashboard Filters: Dropdown

Apply and save this. You can also do it by editing the XML: if you find the UI difficult, click Edit, choose Source, and there you can directly paste the search query into each panel where it applies, so that each panel gets the client IP from the text box we created. That is our second filter, the text box. Now let us create a dropdown.

Here you have many input options: dropdown, checkbox, radio button, multiselect. You can choose whichever you want; the configuration is almost the same. I will again use the source: I label it Source drop down example and name the token dropdownvalue, since a token name must not contain spaces. You can define the default value here; I will call it All, meaning give me all the sources. For each option, this is the display value and this is the argument passed to your search.

So that will be my default value, and I will add IP One, that is 87.194.216.51, which was part of our previous search criteria. You can also add IP Two with any IP you choose. Click Apply, and you can choose which value is selected by default: All, the first IP or the second IP. As you can see, we have defined these values as static options.

In future tutorials we will see how to generate these values dynamically as part of our dynamic filters. For now we have added three static values: All, which represents a star (*), IP One, which represents a specific IP, and any number of further IPs can follow.

I will choose All as the default, click Apply and save. We know that even though we have added the filter, the dashboard does not respond to it yet, because the panels are not processing that token. If I re-enter the default value, the star, we get all the information we are looking for; now let us see how to accept the dropdown value. This is our token. We are again passing the client IP through our dropdown, and the token usage is almost the same: for the text box we used the token source, and for the dropdown we use dropdownvalue.

Click Apply. Here we have all the sources. Let me choose IP One and submit: as you can see, we get only the results for IP One. In the same way you can edit all the panels and add your dropdowns to each. These dashboards can be customized at any time. If you do not need one of these filters, just click Remove and it is gone. This is one of the major benefits of Splunk: it is customizable as your needs change, and whenever a filter is no longer necessary you can delete it and rebuild your dashboard, probably in a better fashion.

  1. Dashboard Filters: Dynamic Filters

In this module we will look at the drilldown feature and how we can enhance the dashboards created in the previous modules to narrow down the events generated by these IP addresses, host names or any other criteria we drill down on; in other words, narrowing down the cause of an issue.

We will see how Splunk dashboards can be enhanced so that, without writing additional search queries, they can drill down from one dashboard to another dashboard or to another search result that gives much more information about the events. In this module we will cover what the drilldown feature is, that is narrowing down to the cause or to the intended result we are looking for, how to configure it, and how to pass a row value or a column value. Now, in the previous modules we created a couple of dashboards, including the demo dashboard shown here.

We can see there are multiple panels, and these panels have rows and columns. Let us say you need to pass the value in this row to another dashboard, or that clicking it should drill down to give you more information about this IP, for example all the pages accessed by this IP address, or the actual raw logs it generated. As soon as you click it, the value is automatically passed to the next dashboard and you can narrow down much further. By the end of this tutorial you will know how the drilldown feature is configured and how passing row values and column values can add value to your investigation.

You can also pass these values within the same dashboard. Let us say that as soon as I click here, the same dashboard should reload without my entering any details in the filters. We can do that too: when I click this icon or this IP address, the value is passed into the same dashboard and the dashboard reruns.

One more case: once I click or select this IP address, it is passed into a different dashboard where further analysis is carried out. These are the concepts we will cover in this video. For the purpose of demonstration, I have created one more dashboard named drill down.

This is the dashboard I created for the demonstration. No need to worry: these dashboards will be available when you access the lab, so you will be able to see what the dashboard contains, how it is configured and how the drilldown is enabled. As you can see, this dashboard has two filters, each labelled get value from the previous dashboard.

We will see how to send the value selected by a mouse click on this chart into these filters: one is a text value, the second is a dropdown, and you can send it to both. The third panel shows the complete information, the raw events containing the specified source IP, and this one gives the total number of events generated by the IP we received from the previous dashboard. So now we will see how to configure the drilldown.
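As an added example (not code from the course or its lab dashboards), here is a Simple XML dashboard that ties the filter and drilldown sections together: a shared time picker, a text box and a dropdown with static options, a panel whose search consumes all three tokens, and a drilldown that passes the clicked row's IP back into the text-box token on the same dashboard or into a second dashboard. The index name web, the field clientip, the token names src and dropdownvalue, and the target dashboard path /app/search/drilldown are assumptions.

```xml
<form>
  <label>Demo dashboard with filters and drilldown (added example)</label>
  <fieldset submitButton="true" autoRun="true">
    <!-- shared time token: panels reference it as $time.earliest$ / $time.latest$ -->
    <input type="time" token="time" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- text box; * as default so the dashboard shows everything on first load -->
    <input type="text" token="src" searchWhenChanged="true">
      <label>Enter Source IP</label>
      <default>*</default>
    </input>
    <!-- dropdown with static options: display label, then the value passed to the search -->
    <input type="dropdown" token="dropdownvalue" searchWhenChanged="true">
      <label>Source drop down example</label>
      <choice value="*">All</choice>
      <choice value="87.194.216.51">IP One</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Events by client IP</title>
      <table>
        <search>
          <!-- index and field names are assumptions; both IP tokens are ANDed on the same field -->
          <query>index=web sourcetype=access_combined clientip=$src$ clientip=$dropdownvalue$ | stats count by clientip | sort - count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <drilldown>
          <!-- clicking a clientip cell writes it into the text box and reruns this dashboard -->
          <condition field="clientip">
            <set token="form.src">$click.value2$</set>
          </condition>
          <!-- clicking the count cell opens a second dashboard (assumed path) with src pre-filled from the row -->
          <condition field="count">
            <link target="_blank">/app/search/drilldown?form.src=$row.clientip$</link>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</form>
```

Setting the form.src token (rather than src) is what makes the text box itself display the clicked value, so the reloaded dashboard and its filter stay in sync.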
