Inputs & Tokens
I've gotta say we've got a pretty good looking dashboard coming along so far, but there is still more of the journey left, my apprentice.
What if I told you that you can actually make dashboards dynamic?! There are many who aren't as trained in The Force, er, Cribl Search as you are. Creating dynamic dashboards is a great way to give those users access to the analytics they need, and even allow them to manipulate the data presented, without knowledge of the Cribl Search language. This is done using inputs and tokens.
Inputs
Inputs help constrain the view of visualization panels in a dashboard by linking them to specific data sources. When you save an input, a new input box at the top of your dashboard displays values related to the input you created. Selecting options in the input box changes the display of data in any linked visualizations. There are several types of inputs available to you.
Dropdown
Dropdown inputs allow users to choose from a list of values you’ve specified to constrain linked visualization panels to those values. The list of values can be static (where you type all options available to the user), or dynamic (where the results of a search provide the values of the dropdown).
Time Range
The Time Range input allows users to limit any visualization in a dashboard to a specific time period. In essence, this is a time picker for your dashboard. Changing the time in the time input only affects the panels configured to reference the input. All other panels will continue to use the time range configured within their panels.
Text
The Text input enables users to enter freeform text so that linked visualization panels display only data with that text value. Think of this as a fancy free-text search box.
Number
The Number input allows users to enter a number. Optionally, you can enter a default value and minimum and maximum values.
Adding Inputs
It's time to supercharge this dashboard with a few inputs.
- While in Edit mode, click the Add dropdown.
- Click Input.
- For Type ensure Dropdown is selected.
- For the Title enter Provider Types.
- For input_ID enter provider_type.
  Tip: The input_ID is how you will reference this input when linking panels to the input. Every input must have an input_ID. By default, a generic input_ID is populated, but using a descriptive input_ID (containing alphanumeric characters, underscores, and hyphens only) is highly recommended as it makes it easier to know what each input is used for.
- For the HOW TO POPULATE THE DROPDOWN option select Run a Search.
- In the query box enter:
    dataset="$vt_datasets"
    | project provider.type
    | distinct provider_type
    | sort by provider_type asc
- For the Field name type provider_type.
- For the Default value field enter *.
- Toggle Multiselect to Yes.
- Click Search.
- Close the Edit modal.
- Click Save.
At this point, the input will have been added to the top of your dashboard. You can click the dropdown on your input to see if results are showing up as expected. For this input, we are using a query that lists all of our datasets and telling our dropdown input to use the id field from our query as the list of values for the input. If configured correctly we should be able to see a list of datasets when we expand the dropdown.
Tokens
Once the input is configured it must be linked to the panels that you would like to have leverage the input's value. This is where tokens come into play. The token is essentially a variable that stores the input value. Anywhere the token is placed in a query will be replaced with the actual value of the input that corresponds to that token. If the input value changes, so does the token value.
The format of a token is the input's ID surrounded by the $ character. For example, the token that we would need to use for the provider_type input that we created would be $provider_type$.
To make use of our new input let's add the token to a couple of panels.
- Click the edit icon at the top right of the Datasets per Provider panel.
- Replace the query with:
    dataset="$vt_datasets" id in ("cribl*", "default*") provider.type in($provider_type$)
    | summarize datasets=dcount(id) by provider.type
  Note: The change that we've made here is we've added provider.type in($provider_type$) after our id filter. This will replace our token of $provider_type$ with whatever we select from our input, effectively filtering our entire result set to our input's value.
- Click Search.
- Close the Edit modal.
- Click Save.
- Click the edit icon at the top right of the Datasets panel.
- Replace the query with:
    dataset="$vt_datasets" id in ("cribl*", "default*") provider.type in($provider_type$)
    | project dataset=id, description
- Click Search.
- Close the Edit modal.
- Click Save.
Let's see how we did!
- Clear the contents of the Provider Types dropdown.
- Select 2-3 provider types.
- Click Apply.
And voila! Both panels should now show updated results that only apply to the selected provider types.
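A quick consistency check for the token wiring described above, as an added example (not Cribl's code and not part of the original tutorial). It extracts `$input_ID$` tokens from panel queries, flags tokens with no matching input and input IDs that break the character rule from the tip, and previews a query after substitution. The function names and the "dropdown"/"time_range" type labels are assumptions made for this sketch.

```python
import re

# Token format from the page: the input_ID wrapped in "$", e.g. $provider_type$.
# Allowed input_ID characters per the page's tip: alphanumerics, "_" and "-".
ID_RE = re.compile(r"[A-Za-z0-9_-]+")
TOKEN_RE = re.compile(r"\$([A-Za-z0-9_-]+)\$")

def find_tokens(query):
    """Input IDs referenced as $id$ tokens. "$vt_datasets" has no closing
    "$", so dataset names like it are not mistaken for tokens."""
    return TOKEN_RE.findall(query)

def preview(query, values):
    """Replace each known token with its current value; unknown tokens stay visible."""
    return TOKEN_RE.sub(lambda m: values.get(m.group(1), m.group(0)), query)

def lint_dashboard(inputs, panels):
    """inputs: input_ID -> input type (labels assumed here); panels: title -> query.
    Returns a sorted list of findings (empty when the dashboard is consistent)."""
    findings, referenced = [], set()
    for input_id in inputs:
        if not ID_RE.fullmatch(input_id):
            findings.append(f"input '{input_id}': ID outside [A-Za-z0-9_-]")
    for title, query in panels.items():
        for token in find_tokens(query):
            referenced.add(token)
            if token not in inputs:
                findings.append(f"panel '{title}': ${token}$ matches no input")
    for input_id, kind in inputs.items():
        # Time Range inputs are linked on the panel's Link tab, not by token.
        if kind != "time_range" and input_id not in referenced:
            findings.append(f"input '{input_id}': no panel uses its token")
    return sorted(findings)

# Inputs and panel queries taken from this tutorial.
INPUTS = {"provider_type": "dropdown", "timepicker": "time_range"}
PANELS = {
    "Datasets per Provider": 'dataset="$vt_datasets" id in ("cribl*", "default*") '
                             "provider.type in($provider_type$)\n"
                             "| summarize datasets=dcount(id) by provider.type",
    "Datasets": 'dataset="$vt_datasets" id in ("cribl*", "default*") '
                "provider.type in($provider_type$)\n| project dataset=id, description",
}
# Constructed broken variant: a misspelled token and an input ID with a space.
BROKEN_INPUTS = {**INPUTS, "provider type": "dropdown"}
BROKEN_PANELS = {**PANELS, "Typo": 'dataset="$vt_datasets" provider.type in($provider_typ$)'}

if __name__ == "__main__":
    print(lint_dashboard(INPUTS, PANELS))
    print("\n".join(lint_dashboard(BROKEN_INPUTS, BROKEN_PANELS)))
    print(preview(PANELS["Datasets"], {"provider_type": "*"}))
```
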
Adding a Time Range Input
Using the time range input type has a slightly different workflow.
- While in Edit mode, click the Add dropdown.
- Click Input.
- For Type select Time Range.
- For the Title enter Time Range.
- For the input_ID enter timepicker.
- Close the Edit modal.
Now we've added a Time Range input to our dashboard. To visually show its functionality, we'll create a new panel that is better suited for showing data over time.
- While in Edit mode, click the Add dropdown.
- Click Visualization.
- For the Title enter Searches by Dataset.
- In the query box enter:
    dataset="$vt_jobs"
    | project _time, id, dataset=resolvedDatasets
    | mv-expand dataset
    | timestats searches=dcount(id) by dataset
- Click Search.
- For the Type select Area.
- Above the query box, click the time unit (e.g. hour ago, days ago, etc.).
- Click the Link tab.
- For Time range input select Time Range (this is the input we just created).
- Click Apply.
- Close the Edit modal.
- Click Save.
Awesome job. Let's take it for a spin.
- Click the Time Range input.
- Change the time from 1 hour ago to 6 hours ago.
- Click Apply.
You can see our Searches by Dataset panel has magically updated to reflect the longer time period.