
Feed token to a new Dashboard


Hello,
I have an issue with getting a token into a new dashboard. I built a dashboard for VPN connections. Here is the search for the main dashboard.

index=cisco-ise eventtype="cisco-ise"  NAS_Port_Type=Virtual  Location="Location#All Locations#bs HCS Domain#*" MESSAGE_CLASS="Passed-Authentication" OR MESSAGE_CLASS="Radius-Accounting"     SelectedAccessService="VPN Access Protocols"   Acct_Status_Type=Stop 
| dedup CPMSessionID user
| eval LogoutTime = strftime(_time, "%d.%m.%Y  %H:%M:%S")
| eval LoginTime = strftime((_time-Acct_Session_Time), "%d.%m.%Y  %H:%M:%S")
| eval Acct_Input_Octets = round(((Acct_Input_Octets/1024)/1024),3)
| eval Acct_Output_Octets = round(((Acct_Output_Octets/1024)/1024),3)
| eval Acct_Session_Time = tostring(Acct_Session_Time, "duration")
| table  LoginTime LogoutTime user Calling_Station_ID Framed_IP_Address  Acct_Input_Octets Acct_Output_Octets  Acct_Session_Time Acct_Terminate_Cause
| rename  user as "Username" Framed_IP_Address as "VPN Client IP Address" Acct_Input_Octets as "MBytes Sent" Acct_Output_Octets as "MBytes Received" Acct_Session_Time as "Duration" Acct_Terminate_Cause as "Logout Reason" Calling_Station_ID as "VPN Client Public IP" LogoutTime as "Logout" LoginTime as "Login"

The result is a table; the idea is that when clicking on one line of the table, another dashboard shows up with the connections the VPN client established in the time range when he was connected to the VPN.
I managed to pass the source IP to the new dashboard, and it shows all the connections for the IP address. I'd like to limit it to the time when the client was actually connected.

Here is the drilldown section of the first dashboard

        <drilldown>
          <link target="_self">/app/search/vpn_connectivity_details?src_ip=$row.VPN Client IP Address$&amp;login=$row.Login$&amp;logout=$row.Logout$</link>
        </drilldown>

When clicking I get an "invalid earliest_time" message on the second dashboard.
Here is the source code for the target dashboard:

<dashboard>
  <label>VPN Connectivity Details</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=cisco-asa eventtype=cisco_connection src_ip=$src_ip$
| table _time src_ip dest_ip src_port dest_port transport bytes_in action</query>
          <earliest>$login$</earliest>
          <latest>$logout$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

I guess it has something to do with the strftime format of my Login and Logout table columns. Is there a way to convert it back to an appropriate time format on the fly?

Any ideas are appreciated.

thanks
Alex


The problem is with the format in which the time is being passed to the target dashboard. You should inform the target dashboard search to read it in a specific time format.

You can do this using the timeformat parameter.

If the value passed in your case is something like 2018-05-14T11:26:33.416+05:30, your format will be %Y-%m-%dT%H:%M:%S.%Q%Z.
Refer here for wildcards.

Try this:

<search>
           <query>index=cisco-asa eventtype=cisco_connection  timeformat=%Y-%m-%dT%H:%M:%S.%Q%Z src_ip=$src_ip$
 | table _time src_ip dest_ip src_port dest_port transport bytes_in action</query>
           <earliest>$login$</earliest>
           <latest>$logout$</latest>
           <sampleRatio>1</sampleRatio>
         </search>

If that doesn't work, try this:

<search>
            <query>index=cisco-asa eventtype=cisco_connection  timeformat=%Y-%m-%dT%H:%M:%S.%Q%Z earliest=$login$ latest=$logout$ src_ip=$src_ip$
  | table _time src_ip dest_ip src_port dest_port transport bytes_in action</query>
            <sampleRatio>1</sampleRatio>
          </search>

@dersa, in the source dashboard change the following eval

| eval LogoutTime = strftime(_time, "%d.%m.%Y %H:%M:%S")
| eval LoginTime = strftime((_time-Acct_Session_Time), "%d.%m.%Y %H:%M:%S")

to fieldformat and test the drilldown:

| fieldformat LogoutTime = strftime(_time, "%d.%m.%Y %H:%M:%S")
| fieldformat LoginTime = strftime((_time-Acct_Session_Time), "%d.%m.%Y %H:%M:%S")

You need to pass on the time fields as epoch time, not string time. fieldformat displays the time values as string time while retaining the underlying value as epoch time.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
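Putting the two answers together, here is how the source dashboard could look so that the drilldown hands epoch values to earliest/latest on the target dashboard. This is an added example, not code from either poster; the eval of LoginTime/LogoutTime as plain epoch fields before fieldformat, the fixed -24h@h time range, and the trimmed field list are assumptions, and it relies on $row.<field>$ carrying the underlying epoch value rather than the fieldformat string.

```xml
<dashboard>
  <label>VPN Connections</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=cisco-ise eventtype="cisco-ise" NAS_Port_Type=Virtual
    (MESSAGE_CLASS="Passed-Authentication" OR MESSAGE_CLASS="Radius-Accounting")
    SelectedAccessService="VPN Access Protocols" Acct_Status_Type=Stop
| dedup CPMSessionID user
| eval LogoutTime = _time
| eval LoginTime = _time - Acct_Session_Time
| fieldformat LogoutTime = strftime(LogoutTime, "%d.%m.%Y %H:%M:%S")
| fieldformat LoginTime = strftime(LoginTime, "%d.%m.%Y %H:%M:%S")
| table LoginTime LogoutTime user Framed_IP_Address Acct_Terminate_Cause
| rename user as "Username" Framed_IP_Address as "VPN Client IP Address"
    Acct_Terminate_Cause as "Logout Reason" LogoutTime as "Logout" LoginTime as "Login"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <link target="_self">/app/search/vpn_connectivity_details?src_ip=$row.VPN Client IP Address$&amp;login=$row.Login$&amp;logout=$row.Logout$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```

Because Login and Logout are now epoch seconds underneath, the target dashboard's <earliest>$login$</earliest> and <latest>$logout$</latest> need no timeformat; if the formatted strings must be passed instead, the target search needs timeformat set to the same pattern the source used in strftime.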