topic Re: Splunk Form in Dashboards & Visualizations

Splunk Form

alexvarghese98 — Sat, 30 Jun 2018 13:09:43 GMT

Hi Splunk Community,

I have been working with Splunk for quite a while and recently wanted to create my own Splunk form using XML. A form that I am currently attempting to create is for a user to input multiple source IP addresses (ex. 10.1.1.1.1, 10.2.2.2.2,...) and Splunk would display all of the user's information including their full name, phone number, and email address from the source IP addresses that were inputted into the form. For example, if I type in 10.1.1.1.1,10.2.2.2.2 then Splunk would display the full name, phone number, and email addresses of those two source IP addresses. This is what I have so far:

Splunk Phishing Email Form:
A simple XML form that displays the user's information once the Source IP address is inputted.

<input type= "text" token="Source_IP">
<label>Enter a Source IP Address </label>
</input>

<row>
<panel>
<search>
    <query>
        index="wineventlogs" user!= "*$"
        [ eval src_ip = "Source_IP" | makemv src_ip delim="," | mvexpand src_ip | fields src_ip]
        | dedup user | table user, user_nick, user_phone, user_email 
    </query>
</search>
</panel>
</row>

I cannot test this into Splunk because for some reason I am not able to access it at home. I would very much appreciate it if anybody would tell me if the XML code is right. If not, could you please tell what is wrong with it and how I could fix it. Thank you!

Re: Splunk Form

richgalloway — Sat, 30 Jun 2018 19:03:25 GMT

You need <form> and </form> elements at the beginning and end, respectively.

Splunk is free so you can install the software on your local machine for development testing.

Re: Splunk Form

alexvarghese98 — Sat, 30 Jun 2018 19:54:36 GMT

Hello,

Thanks for the reply. I actually had added the form and fieldset tags but I don't know why it didn't appear in my sample code. I tried to login into Splunk at home and for some reason it is informing me that my license was expired and that I have to login as an administrator.I believe that the administrator's credentials are admin, changeme right? If so, I wasn't able to login with those credentials.

Re: Splunk Form

richgalloway — Sat, 30 Jun 2018 20:16:35 GMT

Yes, those are the default credentials. You may have changed the password the first time you logged in, though.
If you can't remember the new password, you can revert to the default by renaming the $SPLUNK_HOME/etc/passwd file and restarting Splunk.

Re: Splunk Form

alexvarghese98 — Sat, 30 Jun 2018 20:23:34 GMT

Thank you so much and have a great day!

Re: Splunk Form

woodcock — Sun, 01 Jul 2018 02:41:24 GMT

Be sure to click Accept to close the question, @alexvarghese98!