I’ve been looking a while for something like this, and decided to make it myself. This relies on the tinv_software_inventory add-on found on Splunkbase, but you can do it without, if you feel like it.
<form>
  <label>Software Inventory</label>
  <fieldset submitButton="false" autoRun="false">
    <!-- Software picker: the selected value is wrapped as tinv_software_name IN (...) -->
    <input type="dropdown" token="software_picker" searchWhenChanged="true">
      <label>Software</label>
      <choice value="&quot;falcon-sensor&quot; &quot;Crowdstrike Windows Sensor&quot;">Crowdstrike</choice>
      <choice value="&quot;*qualys*&quot;">Qualys</choice>
      <choice value="&quot;*SecureConnector*&quot;">Forescout</choice>
      <prefix>tinv_software_name IN (</prefix>
      <suffix>)</suffix>
      <default>"falcon-sensor" "Crowdstrike Windows Sensor"</default>
    </input>
    <!-- Environment picker: the selected value is wrapped as Environment IN (...) -->
    <input type="dropdown" token="environment_picker" searchWhenChanged="true">
      <label>Environment</label>
      <choice value="On-Prem">On-Prem</choice>
      <choice value="AWS">AWS</choice>
      <choice value="env2">env2</choice>
      <choice value="env3">env3</choice>
      <choice value="env4">env4</choice>
      <prefix>Environment IN (</prefix>
      <suffix>)</suffix>
      <default>On-Prem</default>
    </input>
    <!-- OS picker: the value is used directly as the index name -->
    <input type="dropdown" token="os_picker" searchWhenChanged="true">
      <label>Operating System</label>
      <choice value="windows">Windows</choice>
      <choice value="unix">Linux</choice>
      <default>windows</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- All hosts seen in the index, outer-joined to inventory events for the selected software;
             hosts with no matching inventory event show "-" as the software name -->
        <search>
          <query>| tstats count where index IN ($os_picker$) host!=*.txt by host
| eval host=lower(host)
| eval Environment=case(host LIKE "%desktop%" OR host LIKE "%z1-%" OR host LIKE "ec2%" OR host LIKE "%z2-%" OR host LIKE "%z-%" OR host LIKE "%z3-%" OR host LIKE "i-%", "AWS", host LIKE "cc%", "Communicorp", host LIKE "%win%" OR host LIKE "%awn%", "Argus", host LIKE "%empoweredbenefits.com", "Empowered Benefits", 1=1, "On-Prem")
| search $environment_picker$
| join type=outer host
    [| search index=$os_picker$ tag=software tag=inventory $software_picker$
     | eval host=lower(host)
     | fields host tinv_software_name tinv_software_version ]
| fillnull value="-" tinv_software_name
| sort - tinv_software_name
| rename tinv_software_name AS "Software Name" tinv_software_version AS "Version"
| fields host "Software Name" "Version" Environment</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
Hope this helps. Let me know if you have any suggestions.