I have integrated Splunk with Demisto. I am trying to run the below search from Demisto:
source="squid" clientip="xxx" | where server_ip IN(${DBotAvgScore.Indicator}) | stats count by server_ip
DBotAvgScore.Indicator is an array that contains the below values
["204.79.197.200","13.107.18.254","117.18.237.29","13.107.21.200","104.16.133.229","35.241.8.149","52.88.91.154","104.17.211.204","209.197.3.15"]
The search gets replaced with the value of the array and fails to run because of '['.
I am stuck here. I would appreciate any help.
@vrajshekar
With the assumption that DBotAvgScore.Indicator is your dashboard token that contains the array values, I have designed a search string. Can you please try this? Use this search in your panel.
source="squid" clientip="xxx" [| makeresults | eval server_ip=replace($DBotAvgScore.Indicator|s$,"\[|\]|\"","") | eval server_ip = split(server_ip,",") | stats count by server_ip | table server_ip] | stats count by server_ip
Thanks
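An alternative to the dashboard-token subsearch above, added here as an example that is not code from either poster: build the IN clause on the Demisto side (Demisto automations are Python) before the query is handed to Splunk. The helper names and the sample array are constructed for this example; it also validates each indicator as an IP address, so enrichment data that is not an IP never reaches the SPL string.

```python
import ipaddress
import json

# Constructed sample of the DBotAvgScore context array shown in the thread.
DBOT_AVG_SCORE = [
    {"Indicator": "204.79.197.200", "Score": 3},
    {"Indicator": "13.107.18.254", "Score": 2},
    {"Indicator": "117.18.237.29", "Score": 3},
]

def indicators_from_context(dbot_avg_score, min_score=0):
    """Pull Indicator values out of DBotAvgScore (a list of dicts).

    Also accepts the flattened form, a JSON-encoded list of strings, which
    is what Demisto substitutes for ${DBotAvgScore.Indicator}."""
    if isinstance(dbot_avg_score, str):
        dbot_avg_score = json.loads(dbot_avg_score)
    out = []
    for item in dbot_avg_score:
        if isinstance(item, dict):
            if item.get("Score", 0) >= min_score:
                out.append(item["Indicator"])
        else:
            out.append(item)
    return out

def spl_in_clause(field, values):
    """Render field IN("v1","v2") for SPL, keeping only valid IP literals.

    Indicator values come from enrichment data, not from the analyst, so
    they are validated rather than trusted: anything that does not parse as
    an IP address is dropped, which also keeps quotes, brackets and pipes
    out of the query text."""
    safe = []
    for value in values:
        try:
            safe.append(str(ipaddress.ip_address(str(value).strip())))
        except ValueError:
            continue
    if not safe:
        raise ValueError("no valid IP indicators to search for")
    return '%s IN(%s)' % (field, ",".join('"%s"' % ip for ip in safe))

def build_search(base, field, values):
    """Compose the full query: base search, IN filter, then the stats."""
    return "%s | where %s | stats count by %s" % (base, spl_in_clause(field, values), field)
```

The resulting string is passed to the Splunk integration's search command in place of the raw ${DBotAvgScore.Indicator} substitution.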
Hi @kamlesh_vaghela
I tried this and it did not work. DBotAvgScore.Indicator is an array that is present in the Context data of Demisto.
Splunk Search on demisto threw an error.
@vrajshekar
Can you please share sample data and XML, so I can help you more on that?
I am unable to share the sample data here for some reason.
@kamlesh_vaghela
Sample data below, hope this helps
DBotAvgScore array, this is available in the context data (9 items):
[
  {"Indicator": "204.79.197.200", "Score": 3},
  {"Indicator": "13.107.18.254", "Score": 2},
  {"Indicator": "117.18.237.29", "Score": 3},
  {"Indicator": "13.107.21.200", "Score": 3},
  {"Indicator": "104.16.133.229", "Score": 2},
  {"Indicator": "35.241.8.149", "Score": 2},
  {"Indicator": "52.88.91.154", "Score": 2},
  {"Indicator": "104.17.211.204", "Score": 2},
  {"Indicator": "209.197.3.15", "Score": 3}
]
The error I get is
Error in 'SearchParser': Missing a search command before '"'. Error at position '95' of search query 'search source="squid" clientip="xxxx" serv...{snipped} {errorcontext = er_ip IN(["204.79.197}'.