Query substring of value stored in token

burchl
New Member

I have a $token$ with value 192.168.25.2. How do I perform a query for all addresses that have 192.168.25.* excluding 192.168.25.2?

0 Karma

kamlesh_vaghela
SplunkTrust

@burchl

Can you please try this XML?

This dashboard will show you a sample data panel and the token value in another HTML panel. You can change the eval token logic as per your requirement. Try it and let me know.

<form>
  <label>IP Token</label>
  <fieldset submitButton="false">
    <input type="text" token="token">
      <label>IP</label>
      <change>
        <eval token="filter">replace($value$,"(?&lt;=\.)[^.]*$","")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>My Sample Data</title>
        <search>
          <query>| makeresults | eval IP="192.168.25.2,192.168.25.1,192.168.25.3,192.168.25.4" | eval IP=split(IP,",") | mvexpand IP</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        My Token Value:  $token$ &lt;br/&gt;
        My Passed Value: $filter$ &lt;br/&gt;
      </html>
      <table>
        <title>My Result</title>
        <search>
          <query>| makeresults | eval IP="192.168.25.2,192.168.25.1,192.168.25.3,192.168.25.4" | eval IP=split(IP,",") | mvexpand IP | eval comment="Up to this your search" | search IP=$filter$* AND IP!=$token$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Note:

1) The eval statement was changed (escaped) in this answer. Make sure the eval token filter is <eval token="filter">replace($value$,"(?&lt;=\.)[^.]*$","")</eval>.

2) The HTML panel would be like:
My Token Value: $token$ &lt;br/&gt;
My Passed Value: $filter$ &lt;br/&gt;
</html>

Thanks

0 Karma

burchl
New Member

$token$ is set from form input. I can't share the code unfortunately. I will try your instructions.

0 Karma

niketn
Legend

Is the input dropdown or textbox or something else?
If you can mock/anonymize information and provide more details that would be great. However, we can also try with some questions to see what is best applicable.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

woodcock
Esteemed Legend

You can do something like this:

index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo [|makeresults | eval host="$token$" | rex field=host mode=sed "s/\.[^\.]+$/*/"]
0 Karma

niketn
Legend

@burchl How is $token$ set? Is it coming from a form input? Can you share the code?
Also what is the SPL where you want to apply required filter?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

cmerriman
Super Champion

Try something like this:

| eval matchstring=if(match(ip_field,replace($token|s$,"(?<=\.)[^.]*$","")) AND ip_field!=$token|s$,ip_field,null()) | where isnotnull(matchstring)
0 Karma
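To show what the two filtering styles in this thread actually match, here is an added Python example (not code from any reply) that reproduces the prefix regex from kamlesh_vaghela's eval, the wildcard `IP=$filter$* AND IP!=$token$` search, and the `match()`-based check from cmerriman's reply, over a constructed list of addresses. Using `fnmatchcase` as a stand-in for Splunk's search-time wildcard is an assumption.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample data (not from the thread): the token's /24 plus look-alikes
# that a string-based filter could accidentally include.
SAMPLE_IPS = ["192.168.25.2", "192.168.25.1", "192.168.25.3", "192.168.25.4",
              "192.168.250.1", "192x168y25z9", "10.0.0.1"]

# Same lookbehind used in the dashboard eval: drop everything after the last dot.
PREFIX_RE = re.compile(r"(?<=\.)[^.]*$")


def derive_prefix(token: str) -> str:
    """'192.168.25.2' -> '192.168.25.' (mirrors replace($value$, "(?<=\\.)[^.]*$", ""))."""
    return PREFIX_RE.sub("", token)


def glob_filter(ips, token):
    """Equivalent of `search IP=$filter$* AND IP!=$token$`.

    fnmatchcase stands in for the Splunk wildcard (assumption): '.' is literal,
    only '*' is special, so 192.168.250.1 does not match 192.168.25.*.
    """
    pattern = derive_prefix(token) + "*"
    return [ip for ip in ips if fnmatchcase(ip, pattern) and ip != token]


def naive_regex_filter(ips, token):
    """Equivalent of match(ip_field, "192.168.25.") with unescaped, unanchored dots.

    Every '.' matches any character and nothing pins the pattern to the start,
    so 192.168.250.1 and 192x168y25z9 slip through.
    """
    pat = re.compile(derive_prefix(token))
    return [ip for ip in ips if pat.search(ip) and ip != token]


def safe_regex_filter(ips, token):
    """Hardened regex form: escape the dots and anchor so only the real /24 matches."""
    pat = re.compile("^" + re.escape(derive_prefix(token)) + r"\d{1,3}$")
    return [ip for ip in ips if pat.search(ip) and ip != token]


if __name__ == "__main__":
    token = "192.168.25.2"
    print("prefix      :", derive_prefix(token))
    print("glob        :", glob_filter(SAMPLE_IPS, token))
    print("naive regex :", naive_regex_filter(SAMPLE_IPS, token))
    print("safe regex  :", safe_regex_filter(SAMPLE_IPS, token))
```

The wildcard search and the escaped, anchored regex agree; the bare `match()` over the unescaped prefix is the variant to avoid when the result feeds a detection or an exclusion.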

vnravikumar
Champion

Hi @burchl

Please try the query below:

index="_internal"
| eval ip="192.168.56.5"
| where clientip!=ip
| rex field=ip mode=sed "s/(\d{1,3}$)/%/g"
| stats values(clientip) as test by ip
| mvexpand test
| where like(test,ip)
| table test

Here it eliminates 192.168.56.5 and searches 192.168.56.*

0 Karma