From 1f9a5ffe587865dee69df4240b801a8f8684c24b Mon Sep 17 00:00:00 2001
From: Sean Whalen <44679+seanthegeek@users.noreply.github.com>
Date: Wed, 27 Mar 2024 17:19:58 -0400
Subject: [PATCH] Splunk dashboard bug fixes

---
 splunk/dmarc_aggregate_dashboard.xml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/splunk/dmarc_aggregate_dashboard.xml b/splunk/dmarc_aggregate_dashboard.xml
index 89a5920d..7cf0bfea 100644
--- a/splunk/dmarc_aggregate_dashboard.xml
+++ b/splunk/dmarc_aggregate_dashboard.xml
@@ -7,7 +7,7 @@
       | table *
       | rename spf_results{}.domain as envelope_domain spf_results{}.result as spf_result spf_results{}.scope as spf_scope dkim_results{}.selector as dkim_selector dkim_results{}.domain as dkim_domain dkim_results{}.result as dkim_result
       | fillnull value=null source_reverse_dns source_base_domain dkim_selector dkim_domain dkim_result source_type source_name
-      | search dkim_selector=$dkim_selector$ dkim_domain=$dkim_domain$ source_type=$source_type$ source_name=$source_name$
+      | search dkim_selector=$dkim_selector$ dkim_domain=$dkim_domain$ source_type="$source_type$" source_name="$source_name$"
     </query>
     <earliest>$time_range.earliest$</earliest>
     <latest>$time_range.latest$</latest>
@@ -78,9 +78,17 @@
         | stats count by source_type</query>
       </search>
     </input>
-    <input type="text" token="source_name" searchWhenChanged="true">
+    <input type="dropdown" token="source_name" searchWhenChanged="true">
       <label>Source name</label>
       <default>*</default>
+      <choice value="*">any</choice>
+      <initialValue>*</initialValue>
+      <fieldForLabel>source_name</fieldForLabel>
+      <fieldForValue>source_name</fieldForValue>
+      <search>
+        <query>index="email_ess" sourcetype="dmarc:aggregate"
+        | stats count by source_name</query>
+      </search>
     </input>
     <input type="text" token="source_country" searchWhenChanged="true">
       <label>Source country ISO code</label>