Let's explore how to make a dashboard form with an input that is both autopopulated from a correlation search and editable on the fly when needed.

Imagine you have a nifty new security dashboard in Splunk that provides a holistic view of the activity around an asset (no, I'm not talking about just recreating the Asset Investigator from Enterprise Security). On top of the dashboard are input fields for IP and Hostname. When suspicious activity occurs with an asset, a ticketing system directs Security Analysts to use this dashboard by providing a dynamic link with either the IP or Host inputs prepopulated. Ideally, the dashboard would also correlate the asset's owner or user to show security-related usage data points. Unfortunately, sometimes your user correlation finds no match and you're left with some ineffective panels. As a result, you'd like the user field to be editable so you can add in the user when you know it but the data doesn't.

The challenge is that the free-text input field is one of the few form fields that doesn't support Dynamic Options. Therefore, you assume you have to choose between using a dynamic input or a free text input, but not both. But you know what they say about assuming.

This approach is a little easier to implement but a little more awkward for users of the dashboard. Essentially, this approach takes advantage of the fact that there is no restriction on multiple inputs using the same token name. As a result, one input could dynamically load selection options and the other acts as a free text input. Worry not, because as long as you select "Search on Change" (searchWhenChanged="true" in the Simple XML), each input field with the same token value will stay synchronized as you make changes to its selected value.
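
The two-inputs-one-token layout described in this post, as an added Simple XML example that is not from the original post. The lookup `asset_owner_lookup`, the index `auth_example` and the field names are hypothetical, and the `|s` token filter is an addition here so that whatever an analyst types in the free-text field reaches the search as a quoted string.

```xml
<form>
  <label>Asset activity (constructed example)</label>
  <fieldset submitButton="false">
    <input type="text" token="ip" searchWhenChanged="true">
      <label>IP</label>
      <default>*</default>
    </input>
    <input type="text" token="host" searchWhenChanged="true">
      <label>Hostname</label>
      <default>*</default>
    </input>
    <!-- Dynamic input: options come from the correlation search.
         asset_owner_lookup and its fields are hypothetical names. -->
    <input type="dropdown" token="user" searchWhenChanged="true">
      <label>User (correlated)</label>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <query>| inputlookup asset_owner_lookup | search ip=$ip|s$ host=$host|s$ | stats count by user | fields user</query>
      </search>
    </input>
    <!-- Free-text input bound to the same token name as the dropdown -->
    <input type="text" token="user" searchWhenChanged="true">
      <label>User (manual)</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Authentication activity for $user$</title>
      <table>
        <search>
          <!-- auth_example is a hypothetical index; |s quotes the typed value -->
          <query>index=auth_example user=$user|s$ | stats count by action, src</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```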