Dashboard Input Accepting Either Hex or Decimal Number

RMartinezDTV
Path Finder

Hi all, I'm going a little crazy with macros trying to get this to work, and I was hoping for some pointers. 🙂

I have a dashboard with a working form input for a customer ID, and I'd like to generalize the dashboard to take the customer ID in either hex or decimal. Right now, I can get one or the other working but not both.

My approach was to create 2 form inputs: one dropdown for HEX/DEC and one text field for the customer ID. The end format for the search is as follows where $convID$ represents either the HEX or DEC value:

sourcetype=x [search sourcetype=x custID=CASE($convID$) | fields transID] | transaction transID

The idea here is to get a list of transactions with the custID and then re-search using the transaction command in order to get the Request and Response parts of the transaction. As you have probably guessed, the custID only shows up in the Request portion, so a base search for custID=xxx would not work. Also, the custID is always in HEX in the raw log file.

Long story short, I can't seem to use the token value of 1 input field for the token value of a different input. I was thinking I'd set the HEX/DEC input to use $custID$ for the HEX value and my_to_hex($custID$) (as a macro with backticks) for the value of DEC. That way, the text input field exists only to power the HEX/DEC input and the token from that input actually goes into the search (as $convID$ in the final search above).

My "to hex" macro is: replace(tostring("".tostring($subid$, "hex").""),"x","") which I couldn't seem to simplify even though it looks ugly.

0 Karma

somesoni2
Revered Legend

Try something like this (run anywhere sample)

<form>
  <label>Test</label>
  <description/>
  <fieldset submitButton="false">
    <input type="dropdown" token="inputtype" searchWhenChanged="true">
      <label>Input Type</label>
      <choice value="hex">HEX</choice>
      <choice value="decimal">DECIMAL</choice>
      <default>hex</default>
    </input>
    <input type="text" token="input">
      <label>Input</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Output</title>
        <searchString>| gentimes start=-1 | eval Input="$input$" | eval Output=if("$inputtype$"="hex","$input$", replace(tostring("".tostring($input$, "hex").""),"x","")) | table Input Output</searchString>
        <earliestTime>0</earliestTime>
        <latestTime/>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

RMartinezDTV
Path Finder

This example works standalone but I've had a heck of a time integrating it. The general problem is that I need the "Output" (converted) value to be present in the original search string (sourcetype=xx custID=Output), and placing the eval prior to the initial search command doesn't work. Trying to resolve it in-line (e.g. custID=if($inputtype$....) doesn't work either syntactically.

0 Karma
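
One way to get the converted value into the base search, as an added example that is not part of the original thread: a nested subsearch computes custID from the two tokens of the form in the answer above (`input`, `inputtype`) and hands it back with `return`. Assumptions: `makeresults` and the `|s` token filter are available in your Splunk version, the logged hex IDs carry no `0x` prefix (the macro in the question strips only the `x`), and `INVALID_CUSTID_INPUT` is a made-up sentinel. The fragment replaces the `<table>` element in that form.

```xml
<table>
  <title>Transactions for customer</title>
  <!-- Added example. Tokens "input" and "inputtype" come from the form in the answer above. -->
  <!-- $tok|s$ wraps the token value in quotes and escapes it, so typed text stays a string literal in eval. -->
  <!-- A literal dollar sign in Simple XML is written $$, hence the doubled regex anchors. -->
  <!-- Assumption: logged IDs have no 0x prefix. INVALID_CUSTID_INPUT is a made-up sentinel,
       used so that malformed input matches no events instead of widening the search. -->
  <searchString>sourcetype=x
    [ search sourcetype=x
        [ | makeresults
          | eval raw=$input|s$, kind=$inputtype|s$
          | eval custID=case(
              kind=="hex" AND match(raw, "^[0-9A-Fa-f]+$$"), raw,
              kind=="decimal" AND match(raw, "^[0-9]+$$"), replace(tostring(tonumber(raw), "hex"), "^0x", ""),
              true(), "INVALID_CUSTID_INPUT")
          | return custID ]
      | fields transID ]
    | transaction transID</searchString>
  <earliestTime>0</earliestTime>
  <latestTime/>
</table>
```

The innermost subsearch expands to `custID="<value>"`, which is matched case-insensitively, unlike the `CASE()` form in the question.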