I have a $token$ with value 192.168.25.2. How do I perform a query for all addresses that have 192.168.25.* excluding 192.168.25.2?
@burchl
Can you please try this XML?
This dashboard will show you a sample data panel and the token value in another HTML panel. You can change the eval token logic as per your requirement. Try it and let me know.
<form>
  <label>IP Token</label>
  <fieldset submitButton="false">
    <input type="text" token="token">
      <label>IP</label>
      <change>
        <eval token="filter">replace($value$,"(?&lt;=\.)[^.]*$","")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>My Sample Data</title>
        <search>
          <query>| makeresults | eval IP="192.168.25.2,192.168.25.1,192.168.25.3,192.168.25.4" | eval IP=split(IP,",") | mvexpand IP</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        My Token Value: $token$ <br/>
        My Passed Value: $filter$ <br/>
      </html>
      <table>
        <title>My Result</title>
        <search>
          <query>| makeresults | eval IP="192.168.25.2,192.168.25.1,192.168.25.3,192.168.25.4" | eval IP=split(IP,",") | mvexpand IP | eval comment="Up to this your search" | search IP=$filter$* AND IP!=$token$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Note:
1) The eval statement changed in this answer. Make sure the eval token filter is <eval token="filter">replace($value$,"(?&lt;=\.)[^.]*$","")</eval>.
2) The HTML panel would be like:
<html>
My Token Value: $token$ <br/>
My Passed Value: $filter$ <br/>
</html>
Thanks
$token$ is set from form input. I can't share the code unfortunately. I will try your instructions.
Is the input dropdown or textbox or something else?
If you can mock/anonymize information and provide more details that would be great. However, we can also try with some questions to see what is best applicable.
You can do something like this:
index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo [|makeresults | eval host="$token$" | rex field=host mode=sed "s/\.[^\.]+$/.*/"]
@burchl how is $token$ set? Is it coming from a form input? Can you share the code?
Also, what is the SPL where you want to apply the required filter?
Try something like this:
| eval matchstring=if(match(ip_field,replace($token|s$,"(?<=\.)[^.]*$","")),ip_field,null()) | where isnotnull(matchstring)
Hi @burchl
Please try the query below:
index="_internal"
| eval ip ="192.168.56.5"
| where clientip !=ip
| rex field=ip mode=sed "s/(\d{1,3}$)/%/g"
| stats values(clientip) as test by ip
| mvexpand test
| where like(test,ip)
| table test
Here it eliminates 192.168.56.5 and searches 192.168.56.*
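An added example, not part of any answer above: a self-contained search that checks the value is a dotted quad before deriving the 192.168.25. prefix, then keeps that range and excludes the value itself. The sample addresses are constructed and include near misses such as 192.168.250.9 to show why the trailing dot is kept; `target` and `prefix` are hypothetical field names, and in a dashboard the literal assigned to `target` would be `$token|s$`.

```spl
| makeresults
| eval comment="Constructed sample data, including near misses outside 192.168.25.*"
| eval IP=split("192.168.25.1,192.168.25.2,192.168.25.3,192.168.250.9,192.168.2.5,10.192.168.25", ",")
| mvexpand IP
| eval comment="target is a hypothetical field standing in for the dashboard token value"
| eval target="192.168.25.2"
| eval comment="Keep rows only when target is a dotted quad; otherwise prefix could be empty and match everything"
| where match(target, "^\d{1,3}(\.\d{1,3}){3}$")
| eval comment="Drop the last octet but keep the trailing dot, giving 192.168.25."
| eval prefix=replace(target, "[^.]+$", "")
| where like(IP, prefix."%") AND IP!=target
| table IP
```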