All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Demisto Add-on for Splunk: Search gets replaced with the value of the array and fails to run.

vrajshekar
Path Finder
‎06-02-2020 08:51 AM

I have integrated Splunk with Demisto. I am trying to run the below search from Demisto:

source="squid" clientip="xxx" | where server_ip IN(${DBotAvgScore.Indicator}) | stats count by server_ip
DBotAvgScore.Indicator is an array that contains the below values
["204.79.197.200","13.107.18.254","117.18.237.29","13.107.21.200","104.16.133.229","35.241.8.149","52.88.91.154","104.17.211.204","209.197.3.15"]

The search gets replaced with the value of the array and fails to run because of '['.

I am stuck here. I would appreciate any help.

Labels (1)
Labels
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-02-2020 10:30 PM

@vrajshekar

With assumption of DBotAvgScore.Indicator is your dashboard token that contains the array values I have designed search string. Can you please try this? Use this search in your panel.

 source="squid" clientip="xxx" [| makeresults | eval server_ip=replace($DBotAvgScore.Indicator|s$,"\[|\]|\"","") | eval server_ip = split(server_ip,",") | stats count by server_ip | table server_ip] | | stats count by server_ip

Thanks

0 Karma
Reply

vrajshekar
Path Finder
‎06-02-2020 11:18 PM

Below is DBotAvgScore array, that is present in the context data

DBotAvgScore:[] 9 items
0:{} 2 items
Indicator:204.79.197.200
Score:3
1:{} 2 items
Indicator:13.107.18.254
Score:2
2:{} 2 items
Indicator:117.18.237.29
Score:3
3:{} 2 items
Indicator:13.107.21.200
Score:3
4:{} 2 items
Indicator:104.16.133.229
Score:2
5:{} 2 items
Indicator:35.241.8.149
Score:2
6:{} 2 items
Indicator:52.88.91.154
Score:2
7:{} 2 items
Indicator:104.17.211.204
Score:2
8:{} 2 items
Indicator:209.197.3.15
Score:3

0 Karma
Reply

vrajshekar
Path Finder
‎06-02-2020 11:14 PM

Hi @kamlesh_vaghela

I tried this and it did not work, > DBotAvgScore.Indicator is array that is present in the Context data of Demisto.
Splunk Search on demisto threw an error.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-02-2020 11:22 PM

@vrajshekar

Can you please share sample data and xml? So I can help you more on that,

0 Karma
Reply

vrajshekar
Path Finder
‎06-03-2020 05:04 AM

i am unable to share the sample data here for some reason.

0 Karma
Reply

vrajshekar
Path Finder
‎06-03-2020 09:34 AM

@kamlesh_vaghela
Sample data below, hope this helps
DBotAvgScore array, this is available in the context data.

DBotAvgScore:[] 9 items
0:{} 2 items
Indicator:204.79.197.200
Score:3
1:{} 2 items
Indicator:13.107.18.254
Score:2
2:{} 2 items
Indicator:117.18.237.29
Score:3
3:{} 2 items
Indicator:13.107.21.200
Score:3
4:{} 2 items
Indicator:104.16.133.229
Score:2
5:{} 2 items
Indicator:35.241.8.149
Score:2
6:{} 2 items
Indicator:52.88.91.154
Score:2
7:{} 2 items
Indicator:104.17.211.204
Score:2
8:{} 2 items
Indicator:209.197.3.15
Score:3

0 Karma
Reply

vrajshekar
Path Finder
‎06-02-2020 09:10 AM

The error is get is
Error in 'SearchParser': Missing a search command before '"'. Error at position '95' of search query 'search source="squid" clientip="xxxx" serv...{snipped} {errorcontext = er_ip IN(["204.79.197}'.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...