Query substring of value stored in token

New Member

I have a $token$ with value 192.168.25.2. How do I perform a query for all addresses that have 192.168.25.* excluding 192.168.25.2?

0 Karma

Re: Query substring of value stored in token

Champion

Hi @burchl

Please try the query below:

index="_internal"
| eval ip="192.168.56.5"
| where clientip!=ip
| rex field=ip mode=sed "s/(\d{1,3}$)/%/g"
| stats values(clientip) as test by ip
| mvexpand test
| where like(test,ip)
| table test

Here it eliminates 192.168.56.5 and searches 192.168.56.*

0 Karma

Re: Query substring of value stored in token

Super Champion

try something like this:

| eval matchstring=if(match(ip_field,replace($token|s$,"(?<=\.)[^.]*$","")),ip_field,null())
| where isnotnull(matchstring)
0 Karma

Re: Query substring of value stored in token

Legend

@burchl how is $token$ set? Is it coming from any form input? Can you share the code?
Also, what is the SPL where you want to apply the required filter?

| eval message="Happy Splunking!!!"

0 Karma

Re: Query substring of value stored in token

Esteemed Legend

You can do something like this:

index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo NOT host="$token$"
    [| makeresults | eval host="$token$" | rex field=host mode=sed "s/\.[^\.]+$/.*/" | fields host]
0 Karma

Re: Query substring of value stored in token

New Member

$token$ is set from form input. I can't share the code unfortunately. I will try your instructions.

0 Karma

Re: Query substring of value stored in token

Legend

Is the input dropdown or textbox or something else?
If you can mock/anonymize information and provide more details that would be great. However, we can also try with some questions to see what is best applicable.


| eval message="Happy Splunking!!!"

0 Karma

Re: Query substring of value stored in token

SplunkTrust

@burchl

Can you please try this XML?

This dashboard will show you a sample data panel and the token value in another HTML panel. You can change the eval token logic as per your requirement. Try it and let me know.

<form>
  <label>IP Token</label>
  <fieldset submitButton="false">
    <input type="text" token="token">
      <label>IP</label>
      <change>
        <eval token="filter">replace($value$,"(?&lt;=\.)[^.]*$","")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>My Sample Data</title>
        <search>
          <query>| makeresults | eval IP="192.168.25.2,192.168.25.1,192.168.25.3,192.168.25.4" | eval IP=split(IP,",") | mvexpand IP</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        My Token Value:  $token$ &lt;br/&gt;
        My Passed Value: $filter$ &lt;br/&gt;
      </html>
      <table>
        <title>My Result</title>
        <search>
          <query>| makeresults | eval IP="192.168.25.2,192.168.25.1,192.168.25.3,192.168.25.4" | eval IP=split(IP,",") | mvexpand IP | eval comment="Up to this your search" | search IP=$filter$* AND IP!=$token$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Note:

1) The eval statements got changed in this answer. Make sure the eval token filter is the following: <eval token="filter">replace($value$,"(?&lt;=\.)[^.]*$","")</eval>.

2) The html panel would be like:
My Token Value: $token$ &lt;br/&gt;
My Passed Value: $filter$ &lt;br/&gt;
</html>

Thanks

0 Karma
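The thread's filter logic, as an added Python example that is not part of the original posts: it reproduces the dashboard's `replace($value$,"(?<=\.)[^.]*$","")` prefix transform and the `IP=$filter$* AND IP!=$token$` filter, and shows two pitfalls a reviewer would check for: the `match()` answer leaves the dots unescaped (so they match any character), and the sed form `s/\.[^\.]+$/*/` drops the last dot, so `192.168.25*` also picks up `192.168.250.x`. The sample addresses are constructed here.

```python
import re
from typing import List

# Constructed sample data: the dashboard's four addresses plus two extra
# values that expose the over-matching pitfalls discussed in the thread.
SAMPLE_IPS = [
    "192.168.25.2", "192.168.25.1", "192.168.25.3", "192.168.25.4",
    "192.168.250.7",   # shares the text prefix "192.168.25" but not the /24
    "192x168y25z9",    # not an IP; matches "192.168.25." when dots are unescaped
]


def prefix_token(token: str) -> str:
    """Same transform as the dashboard's <eval token="filter">:
    drop everything after the last dot, keeping the dot ("192.168.25.")."""
    return re.sub(r"(?<=\.)[^.]*$", "", token)


def filter_siblings(ips: List[str], token: str) -> List[str]:
    """Equivalent of `search IP=$filter$* AND IP!=$token$`, done as an anchored
    regex with the prefix's dots escaped, so only true /24 neighbours match."""
    pattern = re.compile(r"^" + re.escape(prefix_token(token)) + r"[^.]+$")
    return [ip for ip in ips if pattern.match(ip) and ip != token]


def unescaped_match(ips: List[str], token: str) -> List[str]:
    """What match(ip_field, "192.168.25.") does with unescaped dots:
    '.' matches any character, so non-IP strings and 192.168.250.x slip through."""
    pattern = re.compile(prefix_token(token))
    return [ip for ip in ips if pattern.search(ip) and ip != token]


def sed_star_prefix(token: str) -> str:
    """The subsearch answer's sed form s/\\.[^\\.]+$/*/: it removes the last
    dot as well, producing "192.168.25*" instead of "192.168.25.*"."""
    return re.sub(r"\.[^.]+$", "*", token)


def wildcard_match(ips: List[str], wildcard: str, token: str) -> List[str]:
    """Splunk-style trailing-* match, to show that "192.168.25*" also
    catches 192.168.250.7 while "192.168.25.*" would not."""
    prefix = wildcard.rstrip("*")
    return [ip for ip in ips if ip.startswith(prefix) and ip != token]


if __name__ == "__main__":
    tok = "192.168.25.2"
    print("filter token:", prefix_token(tok))
    print("anchored, escaped:", filter_siblings(SAMPLE_IPS, tok))
    print("unescaped match():", unescaped_match(SAMPLE_IPS, tok))
    print("sed * prefix:", wildcard_match(SAMPLE_IPS, sed_star_prefix(tok), tok))
```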