
Hey dwaddle!! Please read this question one more time - How can I change the query in XML (eval ip_addr="\"".ip_addr."\"")

ilove275
Path Finder

This query runs successfully in the search bar, but it does not work in the dashboard.
eval ip_addr="\"".ip_addr."\"" => how can I change this query in the XML?

I tried changing it to:
eval ip_addr="\"".ip_addr."\"" => eval ip_addr="\"&quot;.ip_addr."\"&quot;

eval ip_addr="\"".ip_addr."\"" => eval ip_addr=&quot;\&quot;&quot;.ip_addr.&quot;\&quot;&quot;

index="01_firewall" sourcetype="01_firewall"
  [search index=webping | rename ping_url as url | dedup url | fields url | search $url$
  | join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time | rename ip_addr as search]
  | fields SourceIP DestinationIP Count Action PacketSize

  | eval ip_addr = [search index=webping | rename ping_url as url | dedup url | fields url | search $url$
  | join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time | fields ip_addr
  | ***eval ip_addr="\"".ip_addr."\""*** | rename ip_addr as search]

  | search
  | eval attackerIP=case(SourceIP==ip_addr, DestinationIP, DestinationIP==ip_addr, SourceIP, 1==1, "NOT")
  | search NOT attackerIP="NOT" | geoip attackerIP | table attackerIP Count attackerIP_country_name Action PacketSize

=============================== dashboard xml==================================

<view template="dashboard.html">
  <module name="SideviewUtils" layoutPanel="appHeader" />
  <module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">index=webping sourcetype=webping | timechart span=2m avg(time_in_ms) as avg by ping_url | fields - OTHER</param>
    <param name="earliest">-1h</param>

    <module name="HiddenChartFormatter">
      <param name="charting.chart">line</param>

      <module name="JobProgressIndicator"/>

      <module name="FlashChart">
        <param name="width">100%</param>
        <param name="height">160px</param>
        <param name="enableResize">False</param>
    <!-- ==================================== ======================================================================================== -->
        <module name="Search">
          <param name="search">index="01_firewall" sourcetype="01_firewall" 
  [search index=webping | rename ping_url as url| dedup url| fields url| search $url$ 
  | join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time |rename ip_addr as search] 
  | fields SourceIP DestinationIP Count Action PacketSize 

  | eval ip_addr = [search index=webping | rename ping_url as url| dedup url| fields url| search $url$ 
  | join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time | fields ip_addr 
  | eval ip_addr="\"".ip_addr."\"" | rename ip_addr as search]

  | search 
  | eval attackerIP=case(SourceIP==ip_addr , DestinationIP , DestinationIP==ip_addr  , SourceIP,1==1,"NOT") 
  |search NOT attackerIP="NOT" | geoip attackerIP | table attackerIP Count attackerIP_country_name Action PacketSize
          </param>
          <param name="earliest">-15m</param>
          <module name="ConvertToIntention" layoutPanel="panel_row2_col2" group="Fire Wall">
            <param name="intention">
              <param name="name">stringreplace</param>
              <param name="arg">
                <param name="url">
                  <param name = "value">$click.name2$</param>
                </param>
              </param>
              <param name="flags"><list>indexed</list></param>
            </param>
            <module name="JobProgressIndicator"></module>
            <module name="SimpleResultsTable">
              <param name="count">20</param>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</view>

sideview
SplunkTrust

I think the only problem is that you're using Sideview modules, but then you're still trying to use intentions. Sideview's Search module will do its own $foo$ replacement, and after that your stringreplace intention will have nowhere to go.

Fix is surprisingly simple.

1) Don't use the ConvertToIntention module at all. Delete it.

2) Just put $click.name2$ directly into the Search - don't use $url$ at all.

Here's a copy of the cleaned up XML.

<view template="dashboard.html">
  <module name="SideviewUtils" layoutPanel="appHeader" />
  <module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">index=webping sourcetype=webping | timechart span=2m avg(time_in_ms) as avg by ping_url | fields - OTHER</param>
    <param name="earliest">-1h</param>

    <module name="JobProgressIndicator"/>

    <module name="HiddenChartFormatter">
      <param name="charting.chart">line</param>

      <module name="FlashChart">
        <param name="width">100%</param>
        <param name="height">160px</param>
        <param name="enableResize">False</param>

        <module name="Search">
          <param name="search">index="01_firewall" sourcetype="01_firewall" 
  [search index=webping | rename ping_url as url| dedup url| fields url| search $click.name2$ 
  | join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time |rename ip_addr as search] 
  | fields SourceIP DestinationIP Count Action PacketSize 

  | eval ip_addr = [search index=webping | rename ping_url as url| dedup url| fields url| search $click.name2$ 
  | join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time | fields ip_addr 
  | eval ip_addr="\"".ip_addr."\"" | rename ip_addr as search]

  | search 
  | eval attackerIP=case(SourceIP==ip_addr , DestinationIP , DestinationIP==ip_addr  , SourceIP,1==1,"NOT") 
  |search NOT attackerIP="NOT" | geoip attackerIP | table attackerIP Count attackerIP_country_name Action PacketSize
          </param>
          <param name="earliest">-15m</param>

          <module name="JobProgressIndicator"></module>

          <module name="SimpleResultsTable">
            <param name="count">20</param>
          </module>
        </module>
      </module>
    </module>
  </module>
</view>

I have some other suggestions about your searches, although that's not what you're asking about --
Extra1: You might want to also rewrite your search that begins with:

[search index=webping | rename ping_url as url| dedup url| fields url| search $click.name2$

as

[search index=webping $click.name2$ | rename ping_url as url| dedup url| fields url

as this will have considerably better performance. The first version gets everything off disk and only then filters based on the search terms. Actually, if you're using a relatively recent 2.2.X version of Sideview Utils you can just use $click.searchTerms$ instead of $click.name2$.

Bonus2: You may also want to think about rewriting this:

search index=webping $click.name2$ | rename ping_url as url| dedup url| fields url
| join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time |rename ip_addr as search]

as something more like:

search (index="webping" $click.searchTerms$) OR (index="lookup" sourcetype="url_info") | rename ping_url as url | stats last(ip_addr) as ip_addr by url | rename ip_addr as search

because as a disjunction it'll give you much better performance than join, and you won't hit limits on the number of rows or length of execution.


dwaddle
SplunkTrust

This stumps me. I've tried using your dashboard here on my test box, and I can't even get both panels to display. It might just be that I don't have the data to drive the drilldown or something. But, I'm just not sure if your view XML is 'correct'. For now, let's assume that it is, and the only problem is with your search.

As you know, certain characters are special to XML, and it gets fussy about using them in a general sense in the document. XML provides a special tag called CDATA that basically says "until you see the special end-of-CDATA sequence, anything goes. Treat it all as plain text and do not attempt to further parse." Lots of complex Splunk searches need to be wrapped in CDATA to work in the XML views.

Gkanapathy gives a simple example at http://splunk-base.splunk.com/answers/3435/escape-and-in-the-xml-of-dashboards but the basics of it are

<![CDATA[  --your search goes here-- ]]>

Try wrapping your search with CDATA tags and see if that makes it work. If not, I would highly suspect the design of your view.
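The following is an added example (not part of dwaddle's answer or any Splunk code) that shows concretely what an XML parser requires of an SPL search placed in a `<param name="search">` element. It takes the `eval` from the question and a constructed variant that also contains `<` and `&`, embeds each three ways (verbatim, entity-escaped, and inside CDATA), and parses the result back with the Python standard library to see whether the search survives unchanged. The point it makes: double quotes and backslashes are legal element text, so the `&quot;` rewrites tried in the question were never needed by the XML layer; `<` and `&` are what break it, and CDATA lets the whole search through untouched. Note that this is only about XML well-formedness; it says nothing about what a token such as `$click.name2$` expands to at search time, which is the separate problem the Sideview answer addresses.

```python
"""Added example, not from the thread: what XML requires of an SPL search
placed in <param name="search">, and why CDATA is the robust choice.
Standard library only."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The eval from the question: only quotes and backslashes, which are legal
# element text, so the XML parser never needed the &quot; rewrites.
SPL_QUOTES = r'| eval ip_addr="\"".ip_addr."\""'

# Constructed variant that also contains '<' and '&', the two characters that
# DO break element text (the '&' is a literal in a string, not an entity).
SPL_FULL = SPL_QUOTES + r' | where Count < 10 | eval q=url."&utm=1"'


def param_raw(search: str) -> str:
    """Paste the SPL into the element verbatim, as the question's view XML does."""
    return f'<param name="search">{search}</param>'


def param_escaped(search: str) -> str:
    """Entity-escape '&', '<' and '>' only; quotes are left as they are."""
    return f'<param name="search">{escape(search)}</param>'


def param_cdata(search: str) -> str:
    """Wrap the SPL in a CDATA section; the one sequence CDATA cannot hold is ']]>'."""
    if "]]>" in search:
        raise ValueError("SPL contains ']]>'; split it across two CDATA sections")
    return f'<param name="search"><![CDATA[{search}]]></param>'


def recovered_search(xml_fragment: str):
    """Parse the fragment and return the search text an XML consumer would see,
    or None when the fragment is not well-formed XML at all."""
    try:
        return ET.fromstring(xml_fragment).text
    except ET.ParseError:
        return None


def survives(builder, search: str) -> bool:
    """True when the SPL comes back from the XML parser byte-for-byte."""
    return recovered_search(builder(search)) == search


if __name__ == "__main__":
    for label, spl in (("quotes only", SPL_QUOTES), ("with < and &", SPL_FULL)):
        for builder in (param_raw, param_escaped, param_cdata):
            state = "ok" if survives(builder, spl) else "BROKEN"
            print(f"{label:13} {builder.__name__:14} {state}")
```

Run stand-alone it prints a small matrix: the quotes-only search survives all three embeddings, while the search containing `<` and `&` is rejected by the parser when pasted raw and survives only when entity-escaped or wrapped in CDATA. Of the two working forms, CDATA is the one to reach for in a view file because it keeps the SPL readable and copy-pasteable back into the search bar.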

lanying
Explorer

Now the dashboard XML is appended.


dwaddle
SplunkTrust

Can you post the XML from your dashboard / view where it contains your search?
