
Building an Advanced View with Dropdown Menus

mawwx3
Explorer

I am trying to create a custom view to enable a user to select a category that drives a search to produce results with the ammap feature. The events I am dealing with are proxy logs, and I want to be able to select observed or denied from the dropdown. I attempted to do this with the simplified view codes but couldn't make it work. Here is what I have for the XML view code:

<view onunloadCancelJobs="False" autoCancelInterval="100">
  <!--  autoCancelInterval is set here to 100  -->
  <label>Sample search</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search"> index="foo"  filter="$Filter Result$" | rename foo_ip as "ip"| search ip!=192.168* ip!=0.0.* ip!=10.* | stats count by ip | eval count_label="Event" | eval iterator="ip" | eval iterator_label="IP" | eval movie_color="#FF0000" | eval output_file="filtered_data.xml" | eval app="FOOBAR" | lookup geoip clientip as ip | mapit</param>
    <param name="earliest">-2m</param>
    <param name="latest">-0m</param>
    <module name="StaticSelect">
      <param name="settingToCreate">Filter Result</param>
      <param name="label">Filter</param>
      <param name="staticFieldsToDisplay">
        <list>
          <param name="label">Any</param>
          <param name="value">*</param>
        </list>
        <list>
          <param name="label">OBSERVED</param>
          <param name="value">OBSERVED</param>
        </list>
        <list>
          <param name="label">DENIED</param>
          <param name="value">DENIED</param>
        </list>
      </param>
      <module name="ConvertToIntention">
        <param name="settingToConvert">Filter Result</param>
        <param name="intention">
          <param name="name">addterm</param>
          <param name="arg">
            <param name="Filter Result">$Filter Result$</param>
          </param>
        </param>
      </module>
    </module>
    <module name="ServerSideInclude">
      <param name="src">filtered_map.html</param>
    </module>
  </module>
</view>

I have tried to make this work, but I am still learning how to apply the advanced xml code. Any help would be appreciated.

thall79
Communicator

I have not had any experience using the Ammap app, but I did play with the way your StaticSelect was feeding the HiddenSearch and was able to get some results using either an EventsViewer or SimpleResultsTable. Of course I didn't have the same index and other search terms, but I tried to edit the XML to work with your setup. Hope this can help.

Travis.

<view onunloadCancelJobs="False" autoCancelInterval="100">
  <!--  autoCancelInterval is set here to 100  -->
  <label>Sample search</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>

  <module name="StaticSelect" layoutPanel="mainSearchControls">
    <param name="settingToCreate">Filter Result</param>
    <param name="label">Filter</param>
    <param name="selected">All</param>
    <param name="searchWhenChanged">True</param>
    <param name="staticFieldsToDisplay">
      <list>
        <param name="label">Any</param>
        <param name="value">*</param>
      </list>
      <list>
        <param name="label">OBSERVED</param>
        <param name="value">OBSERVED</param>
      </list>
      <list>
        <param name="label">DENIED</param>
        <param name="value">DENIED</param>
      </list>
    </param>

    <module name="ConvertToIntention">
      <param name="settingToConvert">Filter Result</param>
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
          <param name="filter">
            <param name="value">$target$</param>
          </param>
        </param>
      </param>

      <module name="HiddenSearch">
        <param name="search"> index="foo" $filter$ | rename foo_ip as "ip"| search ip!=192.168* ip!=0.0.* ip!=10.* | stats count by ip | eval count_label="Event" | eval iterator="ip" | eval iterator_label="IP" | eval movie_color="#FF0000" | eval output_file="filtered_data.xml" | eval app="FOOBAR" | lookup geoip clientip as ip | mapit</param>
        <param name="earliest">-2m</param>
        <param name="latest">-0m</param>

        <module name="EventsViewer" layoutPanel="resultsAreaLeft">
        </module>
      </module>
    </module>
  </module>
  <module name="ServerSideInclude" layoutPanel="resultsAreaLeft">
    <param name="src">filtered_map.html</param>
  </module>
</view>
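The answer above fixes two things at once: it nests the modules so that context flows StaticSelect, ConvertToIntention, HiddenSearch, EventsViewer (parent to child), and it gives the HiddenSearch a consumer module to push results to. Both are exactly what the "configured with no child modules to push its changes to" error in this thread is about. The following is an added example, not Splunk's own validation code and not part of any answer in the thread: a small Python linter that parses an Advanced XML view and reports (1) StaticSelect / ConvertToIntention / HiddenSearch modules with no child module and (2) $token$ references in a HiddenSearch search string that no ancestor StaticSelect (settingToCreate) or ConvertToIntention (arg key) creates. The two sample views are constructed to mirror the question's original layout and the answer's fixed layout; the rule set is an approximation of what Splunk checks, not a copy of it.

```python
"""Linter for Splunk Advanced XML views (added example, not Splunk's own tooling).

Checks, as an approximation of the errors quoted in this thread (assumption:
these rules are not copied from Splunk's validator):
  1. every StaticSelect / ConvertToIntention / HiddenSearch has at least one
     downstream <module> to push its changes to;
  2. every $token$ used in a HiddenSearch search string is created by an
     ancestor StaticSelect (settingToCreate) or ConvertToIntention (arg key),
     because context only flows from parent module to child module.
"""
import re
import xml.etree.ElementTree as ET

PRODUCERS = {"StaticSelect", "ConvertToIntention", "HiddenSearch"}
TOKEN_RE = re.compile(r"\$([^$]+)\$")


def _param(elem, name):
    """Return the direct <param name=...> child of elem, or None."""
    for p in elem.findall("param"):
        if p.get("name") == name:
            return p
    return None


def _tokens_created(module):
    """Context keys a module makes available to its descendant modules."""
    name = module.get("name")
    if name == "StaticSelect":
        p = _param(module, "settingToCreate")
        return {p.text.strip()} if p is not None and p.text else set()
    if name == "ConvertToIntention":
        intention = _param(module, "intention")
        arg = _param(intention, "arg") if intention is not None else None
        return {p.get("name") for p in arg.findall("param")} if arg is not None else set()
    return set()


def lint_view(xml_text):
    """Return a sorted list of problem strings for one Advanced XML view."""
    root = ET.fromstring(xml_text)
    problems = []

    def walk(module, path, available):
        name = module.get("name", "?")
        path = f"{path}/{name}"
        children = module.findall("module")
        if name in PRODUCERS and not children:
            problems.append(f"{path}: no child module to push changes to")
        if name == "HiddenSearch":
            search = _param(module, "search")
            used = TOKEN_RE.findall(search.text or "") if search is not None else []
            for tok in used:
                if tok not in available:
                    problems.append(f"{path}: ${tok}$ is not set by any upstream module")
        available = available | _tokens_created(module)
        for child in children:
            walk(child, path, available)

    for top in root.findall("module"):
        walk(top, "view", frozenset())
    return sorted(problems)


# Constructed sample: the question's layout, with the StaticSelect *inside* the
# HiddenSearch, so the search references a token nothing upstream has created,
# and the select has nowhere to push its value.
BROKEN_VIEW = """<view>
  <label>Constructed sample</label>
  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">index="foo" filter="$Filter Result$" | stats count by ip</param>
    <module name="StaticSelect">
      <param name="settingToCreate">Filter Result</param>
      <param name="staticFieldsToDisplay">
        <list><param name="label">Any</param><param name="value">*</param></list>
      </param>
    </module>
  </module>
</view>"""

# Constructed sample: the answer's layout. $target$ inside the stringreplace
# intention is the value of settingToConvert, as in the answer above.
FIXED_VIEW = """<view>
  <label>Constructed sample</label>
  <module name="StaticSelect" layoutPanel="mainSearchControls">
    <param name="settingToCreate">Filter Result</param>
    <param name="staticFieldsToDisplay">
      <list><param name="label">Any</param><param name="value">*</param></list>
    </param>
    <module name="ConvertToIntention">
      <param name="settingToConvert">Filter Result</param>
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
          <param name="filter"><param name="value">$target$</param></param>
        </param>
      </param>
      <module name="HiddenSearch">
        <param name="search">index="foo" $filter$ | stats count by ip</param>
        <module name="EventsViewer" layoutPanel="resultsAreaLeft"/>
      </module>
    </module>
  </module>
</view>"""

if __name__ == "__main__":
    for label, view in (("broken", BROKEN_VIEW), ("fixed", FIXED_VIEW)):
        print(label, lint_view(view) or "OK")
```

Run it against a saved view file by replacing the constructed strings with `open(path).read()`; a clean run returns an empty list. The token check only covers HiddenSearch search strings, so a $target$ inside an intention is deliberately not reported.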

thall79
Communicator

I double-checked my theory and was able to generate info and push results to an EventsViewer. Not sure how it will work with the ServerSideInclude. Question: did you try the XML I provided, or did you change some of it? Do you still have the EventsViewer or SimpleResultsTable module following the HiddenSearch? Post the XML if you did happen to change anything. Travis.


mawwx3
Explorer

I still get this error when I open the page: This view has a Splunk.Module.HiddenSearch module but it is configured with no child modules to push its changes to. This represents a configuration error.


kartik13
Communicator

How did you resolve this issue?


mawwx3
Explorer

Yes, I get the following when I go to the view:

This view has a Splunk.Module.ConvertToIntention module but it is configured with no child modules to push its changes to. This represents a configuration error.


thall79
Communicator

Are you receiving any errors? Travis.
