Hi,
I have created a dashboard where I can save queries by entering it in the input field. It works fine when I enter a simple query:
sourcetype = WinEventLog EventCode = 4624 | stats count (EventCode) by host
When I run the following query I get the error below:
sourcetype="pan:traffic" user!="xxxx" earliest=-14d
| bucket _time span=5m
| stats sum(bytes_out) by user, _time
| anomalydetection "sum(bytes_out)" "user" action=annotate
| eval isOutlier = if(probable_cause != "", "1", "0")
| where isOutlier=1
| table "sum(bytes_out)" "user", "_time", probable_cause, isOutlier
| stats count by user
| sort -count
| head 20
How can I escape the query so that I can save it in the lookup file? Or are there better ways to save a query in a dashboard?
dashboard:
<form>
<label>Threat Hunting Query</label>
<search>
<query>| makeresults
| eval Panel=$tokPanel|s$
</query>
<done>
<condition match='$result.Panel$=="1"'>
<set token="tokPanelSelected">1</set>
<set token="pan1"></set>
<unset token="pan2"></unset>
</condition>
<condition match='$result.Panel$=="2"'>
<set token="pan2"></set>
<unset token="pan1"></unset>
<set token="tokPanelSelected">2</set>
</condition>
<condition>
<unset token="tokPanelSelected"></unset>
</condition>
</done>
</search>
<fieldset submitButton="true">
<input type="text" searchWhenChanged="false" token="discription_query">
<label>Omschrijving query:</label>
<default></default>
</input>
<input type="text" token="query">
<label>Query:</label>
<default></default>
</input>
<input type="text" token="user">
<label>Naam:</label>
<default></default>
</input>
<input type="dropdown" token="tokPanel" searchWhenChanged="false">
<label></label>
<choice value="1">Toevoegen</choice>
<choice value="2">Verwijderen</choice>
<default>Kies toevoegen of verwijderen</default>
</input>
</fieldset>
<row>
<panel depends="$pan1$">
<title>Query is toegevoegd/add query</title>
<table>
<search>
<query>
<![CDATA[ | inputlookup threat_hunting.csv
| append [ | stats count
    | eval query_discription="$discription_query$"
    | eval query_q="$query$"
    | lookup dnslookup clientip As src OUTPUT clienthost AS src_host
    | lookup dnslookup clientip As dest OUTPUT clienthost AS dest_host
    | stats count(src) by src src_host
    | eval tnow=strftime(now(), "%a %m/%d/%Y %H:%M")
    | eval user="$user$"
    | eval id=100 ]
| stats count by query_discription query_q id tnow user
| fields query_discription query_q id tnow user
| outputlookup threat_hunting.csv ]]>
</query>
</search>
</table>
</panel>
<panel depends="$pan2$">
<title>Query is verwijderd/delete query</title>
<table>
<search>
<query>
| inputlookup threat_hunting.csv | stats count by query_discription query_q id tnow user | fields - count | where query_discription !="$discription_query$" | outputlookup threat_hunting.csv
</query>
</search>
</table>
</panel>
</row>
</form>
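The failure described above (a token value containing quotes dropped into eval) and the `|s` fix suggested in the replies, as an added Python model that is not Splunk code: the `s_filter` rule is assumed from the documented `$token|s$` behaviour (backslash-escape embedded quotes and backslashes, then wrap in double quotes), and the templates, token names and sample query are constructed for the example.

```python
import re

# Constructed sample: the start of the multi-line query from the question,
# exactly as it arrives in the $query$ token from the text input.
QUERY_TOKEN_VALUE = (
    'sourcetype="pan:traffic" user!="xxxx" earliest=-14d '
    '| bucket _time span=5m '
    '| stats sum(bytes_out) by user, _time'
)

# The two ways the dashboard could build the eval: raw token vs. |s filter.
RAW_TEMPLATE = '| eval query_q="$query$"'
SAFE_TEMPLATE = '| eval query_q=$query|s$'


def s_filter(value: str) -> str:
    """Model of Splunk's $token|s$ filter (assumed from the docs): escape
    backslashes and double quotes, then wrap the whole value in quotes."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def substitute(template: str, tokens: dict) -> str:
    """Expand $name$ and $name|s$ in a search string before it is run."""
    def replace(match):
        value = tokens[match.group(1)]
        return s_filter(value) if match.group(2) else value
    return re.sub(r"\$(\w+)(\|s)?\$", replace, template)


def eval_rhs_is_one_string(spl: str) -> bool:
    """True when everything after 'eval query_q=' parses as one SPL string
    literal. False means an embedded quote closed the literal early and the
    rest of the typed query reached the parser as SPL, which is both the
    error behind the question and the injection risk of unescaped tokens."""
    rhs = spl.split("eval query_q=", 1)[1]
    match = re.match(r'"(?:[^"\\]|\\.)*"', rhs)
    return match is not None and match.end() == len(rhs)


if __name__ == "__main__":
    tokens = {"query": QUERY_TOKEN_VALUE}
    for template in (RAW_TEMPLATE, SAFE_TEMPLATE):
        search = substitute(template, tokens)
        status = "ok" if eval_rhs_is_one_string(search) else "BROKEN"
        print(f"{status:6} {search}")
```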
I tried that and I still get the same error. I have also tried the other way (see https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Token_filters) but no luck there either.
Have you tried eval query_q="$query|s$" to escape the quotes in the token?
What does your xml look like now?
What does the CDATA do for you?
I do not know why, probably a refresh of the page but it works now!! Thanks 🙂
<query>| makeresults
| eval Panel="$tokPanel|s$"
</query>
The $tokPanel$ token has a space in its default value.