
Demisto Add-on for Splunk: Search gets replaced with the value of the array and fails to run.

vrajshekar
Path Finder

I have integrated Splunk with Demisto. I am trying to run the below search from Demisto:

source="squid" clientip="xxx" | where server_ip IN(${DBotAvgScore.Indicator}) | stats count by server_ip
DBotAvgScore.Indicator is an array that contains the values below:
["204.79.197.200","13.107.18.254","117.18.237.29","13.107.21.200","104.16.133.229","35.241.8.149","52.88.91.154","104.17.211.204","209.197.3.15"]

The search gets replaced with the value of the array and fails to run because of '['.

I am stuck here. I would appreciate any help.

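The failure described in the question is a placeholder-expansion problem: Demisto renders the whole array as JSON text (`["204.79.197.200","13.107.18.254",...]`) and drops it into the SPL, and `IN()` does not accept square brackets. The following is an added example, not code from the thread, from Demisto/XSOAR or from the Splunk add-on. It shows the broken substitution next to a helper, written in the style of an XSOAR automation or transformer script, that turns the DBotAvgScore context list into a properly quoted, comma-separated `IN()` argument. The function names, the `min_score` filter and the `SEARCH_TEMPLATE`/`PLACEHOLDER` constants are this example's own assumptions. Every value is validated as an IP address before it is spliced into the query, so a hostile "indicator" can never close the string literal and append its own SPL, which is the injection risk whenever context data is interpolated into a search string.

```python
"""Added example: build a safe SPL IN() list from Demisto context (not the add-on's code)."""
import ipaddress
import json

# Constructed sample of the DBotAvgScore context posted in the thread.
DBOT_AVG_SCORE = [
    {"Indicator": "204.79.197.200", "Score": 3},
    {"Indicator": "13.107.18.254", "Score": 2},
    {"Indicator": "117.18.237.29", "Score": 3},
]

# Search from the question; the placeholder name is Demisto's context syntax.
SEARCH_TEMPLATE = (
    'source="squid" clientip="xxx" '
    '| where server_ip IN(${DBotAvgScore.Indicator}) '
    '| stats count by server_ip'
)
PLACEHOLDER = "${DBotAvgScore.Indicator}"


def naive_substitution(template, indicators):
    """Reproduce the failing behaviour: the whole array lands in the query as JSON text."""
    return template.replace(PLACEHOLDER, json.dumps(indicators, separators=(",", ":")))


def select_indicators(context, min_score=0):
    """Return Indicator values from DBotAvgScore entries whose Score is >= min_score."""
    return [entry["Indicator"] for entry in context if entry.get("Score", 0) >= min_score]


def spl_quote(value):
    """Render value as an SPL double-quoted string, escaping backslash and quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_spl_in_list(indicators):
    """Build the IN() argument "a","b",...; reject anything that is not an IP literal."""
    quoted = []
    for raw in indicators:
        value = str(raw).strip()
        # ipaddress.ip_address raises ValueError for any non-IP string, so an
        # indicator such as 1.2.3.4") | delete never reaches the query at all.
        ipaddress.ip_address(value)
        quoted.append(spl_quote(value))
    if not quoted:
        raise ValueError("no indicators to search for")
    return ",".join(quoted)


def build_search(template, context, min_score=0):
    """Expand the placeholder into a valid IN() list for the selected indicators."""
    clause = to_spl_in_list(select_indicators(context, min_score))
    return template.replace(PLACEHOLDER, clause)


if __name__ == "__main__":
    print("broken:", naive_substitution(SEARCH_TEMPLATE, select_indicators(DBOT_AVG_SCORE)))
    print("fixed: ", build_search(SEARCH_TEMPLATE, DBOT_AVG_SCORE, min_score=3))
```

In a playbook this would be wired by storing the result of `to_spl_in_list()` in its own context key (for example with a Set task or a transformer) and referencing that key in the search instead of `${DBotAvgScore.Indicator}`; that wiring is an assumption about the playbook, not something the thread shows. The IP check is deliberately strict: if the indicators can also be domains or hashes, replace it with an equally strict allow-list for those types rather than dropping validation.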

kamlesh_vaghela
SplunkTrust

@vrajshekar

Assuming DBotAvgScore.Indicator is a dashboard token that contains the array values, I have designed the following search string. Can you please try this? Use this search in your panel.

 source="squid" clientip="xxx" [| makeresults | eval server_ip=replace($DBotAvgScore.Indicator|s$,"\[|\]|\"","") | eval server_ip = split(server_ip,",") | stats count by server_ip | table server_ip] | stats count by server_ip

Thanks


vrajshekar
Path Finder

Below is DBotAvgScore array, that is present in the context data

DBotAvgScore:[] 9 items
0:{} 2 items
Indicator:204.79.197.200
Score:3
1:{} 2 items
Indicator:13.107.18.254
Score:2
2:{} 2 items
Indicator:117.18.237.29
Score:3
3:{} 2 items
Indicator:13.107.21.200
Score:3
4:{} 2 items
Indicator:104.16.133.229
Score:2
5:{} 2 items
Indicator:35.241.8.149
Score:2
6:{} 2 items
Indicator:52.88.91.154
Score:2
7:{} 2 items
Indicator:104.17.211.204
Score:2
8:{} 2 items
Indicator:209.197.3.15
Score:3


vrajshekar
Path Finder

Hi @kamlesh_vaghela

I tried this and it did not work. DBotAvgScore.Indicator is an array that is present in the Context data of Demisto.
The Splunk search on Demisto threw an error.


kamlesh_vaghela
SplunkTrust

@vrajshekar

Can you please share sample data and the XML, so I can help you more with that?


vrajshekar
Path Finder

I am unable to share the sample data here for some reason.


vrajshekar
Path Finder

@kamlesh_vaghela
Sample data below; hope this helps.
This is the DBotAvgScore array, which is available in the context data.

DBotAvgScore:[] 9 items
0:{} 2 items
Indicator:204.79.197.200
Score:3
1:{} 2 items
Indicator:13.107.18.254
Score:2
2:{} 2 items
Indicator:117.18.237.29
Score:3
3:{} 2 items
Indicator:13.107.21.200
Score:3
4:{} 2 items
Indicator:104.16.133.229
Score:2
5:{} 2 items
Indicator:35.241.8.149
Score:2
6:{} 2 items
Indicator:52.88.91.154
Score:2
7:{} 2 items
Indicator:104.17.211.204
Score:2
8:{} 2 items
Indicator:209.197.3.15
Score:3


vrajshekar
Path Finder

The error I get is:
Error in 'SearchParser': Missing a search command before '"'. Error at position '95' of search query 'search source="squid" clientip="xxxx" serv...{snipped} {errorcontext = er_ip IN(["204.79.197}'.
