
Sideview Utils: How to execute a lookup using multiple fields for correlated events?

IngloriousSplun
Communicator

I've implemented event acknowledgements using Sideview Utils and kv store collections. I have one table within my dashboard that is a table of correlated events, meaning I'm using transactions to compare and report on events that are the same across different platforms. The table output is the following:

Sensor1 ID | Sensor2 ID | Sensor1 Time | Sensor2 Time | Sensor1 Signature | Sensor2 Signature | Source IP | Destination IP |

Each row also has a checkbox embedded, which when checked executes a lookup to write an acknowledgement to a kv store collection to denote that event has been reviewed.

Since these events are "correlated", meaning the uniqueness is in the fact that it's the same event that different sensors have seen, my thought is that when I perform the lookup to do the acknowledgement I need to key on the event ID for both sensors. Unfortunately, I'm not able to get this to work.

This is the code for the panel that doesn't work for correlated events. I've tried removing the spaces, using quotes, etc., but I can't seem to get it to function properly.

<view autoCancelInterval="90" isSticky="False" onunloadCancelJobs="true" template="dashboard.html">
        <label>Testing Sideview</label>

        <module name="AccountBar" layoutPanel="appHeader" />
        <module name="AppBar" layoutPanel="appHeader" />
        <module name="SideviewUtils" layoutPanel="appHeader" />

        <module name="TextField" layoutPanel="panel_row1_col1" autoRun="True">
          <param name="name">wild</param>
          <param name="float">left</param>
          <param name="label">Search</param>
          <param name="default">*</param>

          <module name="Search">
            <param name="search">`Test_Correlation_Macro(wild="$wild$",span=1h)` | eval Acknowledge="" | lookup myLookup "Sensor1 ID", "Sensor2 ID" OUTPUT state</param>

            <param name="earliest">-1d</param>
            <param name="latest">now</param>
            <module name="Pager">
              <module name="Table">

                <module name="ValueSetter" group="row.fields.Acknowledge">
                  <param name="name">state</param>
                  <param name="value">$row.fields.state$</param>

                  <module name="Checkbox">
                    <param name="name">state</param>
                    <param name="onValue">ack</param>
                    <param name="offValue"></param>

                     <module name="Search">
                      <param name="search">| inputlookup myLookup | append [stats count | fields - count | eval Sensor1 ID="$row.fields.Sensor1 ID$" | eval Sensor2 ID="$row.fields.Sensor2 ID$" | eval state="$state$"] | stats last(state) as state by "Sensor1 ID", "Sensor2 ID" | outputlookup myLookup</param>
                      <module name="CustomBehavior">
                        <param name="requiresDispatch">True</param>
                      </module>
                    </module>
                  </module>
                </module>
              </module>
            </module>
          </module>
        </module>
      </view>

This is the code I'm using for a working panel for non-correlated events:

<view autoCancelInterval="90" isSticky="False" onunloadCancelJobs="true" template="dashboard.html">
        <label>Testing Sideview</label>

        <module name="AccountBar" layoutPanel="appHeader" />
        <module name="AppBar" layoutPanel="appHeader" />
        <module name="SideviewUtils" layoutPanel="appHeader" />

        <module name="TextField" layoutPanel="panel_row1_col1" autoRun="True">
          <param name="name">wild</param>
          <param name="float">left</param>
          <param name="label">Search</param>
          <param name="default">*</param>

          <module name="Search">
            <param name="search">`Test_Macro(wild="$wild$")` | eval Acknowledge="" | lookup myLookup myIdField OUTPUT state</param>

            <param name="earliest">-1d</param>
            <param name="latest">now</param>
            <module name="Pager">
              <module name="Table">

                <module name="ValueSetter" group="row.fields.Acknowledge">
                  <param name="name">state</param>
                  <param name="value">$row.fields.state$</param>

                  <module name="Checkbox">
                    <param name="name">state</param>
                    <param name="onValue">ack</param>
                    <param name="offValue"></param>

                     <module name="Search">
                      <param name="search">| inputlookup myLookup | append [stats count | fields - count | eval myIdField="$row.fields.myIdField$" | eval state="$state$"] | stats last(state) as state by myIdField | outputlookup myLookup</param>
                      <module name="CustomBehavior">
                        <param name="requiresDispatch">True</param>
                      </module>
                    </module>
                  </module>
                </module>
              </module>
            </module>
          </module>
        </module>
      </view>

I think I'm getting confused with something simple. The fields in my kv store collection are _key, Sensor1 ID, Sensor2 ID, myIdField, state. I'm using the same kv store collection for both lookups.

Thanks!

0 Karma
1 Solution

IngloriousSplun
Communicator

Figured this out, not sure where I went wrong yesterday. This is the code that worked perfectly for the correlated event acknowledgement:

   <view autoCancelInterval="90" isSticky="False" onunloadCancelJobs="true" template="dashboard.html">
           <label>Testing Sideview</label>

           <module name="AccountBar" layoutPanel="appHeader" />
           <module name="AppBar" layoutPanel="appHeader" />
           <module name="SideviewUtils" layoutPanel="appHeader" />

           <module name="TextField" layoutPanel="panel_row1_col1" autoRun="True">
             <param name="name">wild</param>
             <param name="float">left</param>
             <param name="label">Search</param>
             <param name="default">*</param>

             <module name="Search">
               <param name="search">`Test_Correlation_Macro(wild="$wild$",span=1h)` | eval Acknowledge="" | lookup myLookup Sensor1_ID, Sensor2_ID OUTPUT state</param>

               <param name="earliest">-1d</param>
               <param name="latest">now</param>
               <module name="Pager">
                 <module name="Table">

                   <module name="ValueSetter" group="row.fields.Acknowledge">
                     <param name="name">state</param>
                     <param name="value">$row.fields.state$</param>

                     <module name="Checkbox">
                       <param name="name">state</param>
                       <param name="onValue">ack</param>
                       <param name="offValue"></param>

                        <module name="Search">
                         <param name="search">| inputlookup myLookup | append [stats count | fields - count | eval Sensor1_ID="$row.fields.Sensor1_ID$" | eval Sensor2_ID="$row.fields.Sensor2_ID$" | eval state="$state$"] | stats last(state) as state by Sensor1_ID, Sensor2_ID | outputlookup myLookup</param>
                         <module name="CustomBehavior">
                           <param name="requiresDispatch">True</param>
                         </module>
                       </module>
                     </module>
                   </module>
                 </module>
               </module>
             </module>
           </module>
         </view>

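The following is an added example and is not part of the original post or of Sideview Utils: a small Python model of what the Checkbox module's search does to the KV store collection (`inputlookup`, `append` the new row, `stats last(state) by` the key fields, `outputlookup`), together with the per-row `lookup ... OUTPUT state` that decorates the table. The sample event rows and the field-name check are constructed for this demonstration. It shows why the acknowledgement has to be keyed on both sensor IDs: keying on one sensor's ID alone marks every correlated pair sharing that ID as reviewed, which is exactly the kind of silent over-acknowledgement an analyst would not notice in the dashboard. The un-tick case assumes, as a modelling simplification, that `last()` treats the empty `offValue` as a value; verify that behaviour in your own instance before relying on it to clear acknowledgements.

```python
# Added example, not from the original post: models the acknowledgement upsert
#   | inputlookup myLookup
#   | append [stats count | fields - count | eval Sensor1_ID=... | eval Sensor2_ID=... | eval state=...]
#   | stats last(state) as state by Sensor1_ID, Sensor2_ID
#   | outputlookup myLookup
# and the row decoration `lookup myLookup Sensor1_ID, Sensor2_ID OUTPUT state`.
# Sample rows and field names below are constructed for the demonstration.
import re
from typing import Dict, List, Sequence, Tuple

Row = Dict[str, str]

# Field names the thread settled on: no spaces, so they are safe in every SPL clause.
KEY_FIELDS: Tuple[str, ...] = ("Sensor1_ID", "Sensor2_ID")
FIELD_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def check_field_names(fields: Sequence[str]) -> List[str]:
    """Return the field names that contain spaces or other punctuation.

    Names such as 'Sensor1 ID' are what broke the original panel; this check
    is a quick way to catch them before they reach a stats by clause.
    """
    return [f for f in fields if not FIELD_NAME_RE.match(f)]


def upsert_ack(collection: List[Row], new_row: Row, key_fields: Sequence[str]) -> List[Row]:
    """Model of inputlookup | append [new_row] | stats last(state) by key_fields | outputlookup.

    The appended row is the last one seen for its key, so it overrides the
    stored state; rows for other keys are carried through unchanged.
    """
    merged: Dict[Tuple[str, ...], str] = {}
    for row in list(collection) + [new_row]:
        key = tuple(row[f] for f in key_fields)
        merged[key] = row["state"]  # last() wins
    return [dict(zip(key_fields, key), state=state) for key, state in merged.items()]


def lookup_state(collection: List[Row], event: Row, key_fields: Sequence[str]) -> str:
    """Model of `lookup myLookup <key_fields> OUTPUT state` for one table row."""
    for row in collection:
        if all(row[f] == event[f] for f in key_fields):
            return row["state"]
    return ""  # no match: the Acknowledge column stays empty


# Constructed correlated events: sensor 1 event A was matched with two different
# sensor 2 events (B and C), so (A, B) and (A, C) are distinct correlated pairs.
EVENTS: List[Row] = [
    {"Sensor1_ID": "A", "Sensor2_ID": "B"},
    {"Sensor1_ID": "A", "Sensor2_ID": "C"},
    {"Sensor1_ID": "D", "Sensor2_ID": "E"},
]


def demo() -> Dict[str, object]:
    """Run the three scenarios and return the resulting Acknowledge columns."""
    ack_ab: Row = {"Sensor1_ID": "A", "Sensor2_ID": "B", "state": "ack"}

    # 1. Analyst ticks the checkbox on row (A, B); keyed on both sensor IDs,
    #    only that pair is reported as acknowledged.
    collection = upsert_ack([], ack_ab, KEY_FIELDS)
    composite = [lookup_state(collection, e, KEY_FIELDS) for e in EVENTS]

    # 2. Same tick, but keyed on Sensor1_ID alone: (A, C) now shows as
    #    acknowledged although nobody reviewed it.
    partial = upsert_ack([], ack_ab, ("Sensor1_ID",))
    partial_states = [lookup_state(partial, e, ("Sensor1_ID",)) for e in EVENTS]

    # 3. Un-ticking writes offValue (empty string); in this model last() lets
    #    it overwrite the earlier "ack" rather than leaving a stale row behind.
    collection = upsert_ack(collection, {**ack_ab, "state": ""}, KEY_FIELDS)
    cleared = [lookup_state(collection, e, KEY_FIELDS) for e in EVENTS]

    return {
        "bad_names": check_field_names(["Sensor1 ID", "Sensor2 ID", "Sensor1_ID"]),
        "composite": composite,
        "partial": partial_states,
        "cleared": cleared,
        "rows": len(collection),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it as a script to see the three Acknowledge columns side by side; the `partial` result is the one to look for, since it is the column a dashboard keyed on a single sensor ID would display.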
sideview
SplunkTrust

I'm glad you beat me to an answer. Was it the space characters in the field names? Not all places in all Splunk commands can tolerate that, and I think the stats by clause might be one of them.

IngloriousSplun
Communicator

Yeah, it seems as though it was the spaces. Interesting thing is that I did try it without spaces before I posted the question, but I guess I just needed fresh eyes.

0 Karma