
Dashboard to save spl queries



I have created a dashboard where I can save queries by entering them in the input field. It works fine when I enter a simple query: 



sourcetype = WinEventLog EventCode = 4624 | stats count(EventCode) by host



When I run the following query I get the error below: 



sourcetype="pan:traffic" user!="xxxx" earliest=-14d
| bucket _time span=5m
| stats sum(bytes_out) by user, _time
| anomalydetection "sum(bytes_out)" "user" action=annotate
| eval isOutlier = if(probable_cause != "", "1", "0")
| where isOutlier=1
| table "sum(bytes_out)" "user", "_time", probable_cause, isOutlier
| stats count by user
| sort -count
| head 20





How can I escape the query in such a way that I can save it in the lookup file? Or are there better ways to save a query in a dashboard?


<form>
  <!-- Wrapper and closing tags (form, search/done, input, row, table) are assumed; the pasted XML lost them -->
  <label>Threat Hunting Query</label>
  <search>
    <query>| makeresults
| eval Panel=$tokPanel|s$</query>
    <done>
      <condition match="$result.Panel$==&quot;1&quot;">
        <set token="tokPanelSelected">1</set>
        <set token="pan1"></set>
        <unset token="pan2"></unset>
      </condition>
      <condition match="$result.Panel$==&quot;2&quot;">
        <set token="pan2"></set>
        <unset token="pan1"></unset>
        <set token="tokPanelSelected">2</set>
      </condition>
      <condition>
        <unset token="tokPanelSelected"></unset>
      </condition>
    </done>
  </search>
  <fieldset submitButton="true">
    <input type="text" searchWhenChanged="false" token="discription_query">
      <label>Omschrijving query:</label>
    </input>
    <input type="text" token="query"></input>
    <input type="text" token="user"></input>
    <input type="dropdown" token="tokPanel" searchWhenChanged="false">
      <choice value="1">Toevoegen</choice>
      <choice value="2">Verwijderen</choice>
      <default>Kies toevoegen of verwijderen</default>
    </input>
  </fieldset>
  <row>
    <panel depends="$pan1$">
      <title>Query is toegevoegd/add query</title>
      <table>
        <search>
          <query><![CDATA[ | inputlookup threat_hunting.csv | append [ | stats count | eval query_discription="$discription_query$" | eval query_q="$query$" | lookup dnslookup clientip As src OUTPUT clienthost AS src_host  |  lookup dnslookup clientip As dest OUTPUT clienthost AS dest_host  | stats count(src) by src src_host | eval tnow=strftime(now(), "%a %m/%d/%Y %H:%M") | eval user="$user$" | eval id=100 ] | stats count by query_discription query_q id tnow user| fields query_discription query_q id tnow user | outputlookup threat_hunting.csv ]]></query>
        </search>
      </table>
    </panel>
    <panel depends="$pan2$">
      <title>Query is verwijderd/delete query</title>
      <table>
        <search>
          <query>| inputlookup threat_hunting.csv | stats count by query_discription query_q id tnow user | fields - count | where query_discription !="$discription_query$" | outputlookup threat_hunting.csv</query>
        </search>
      </table>
    </panel>
  </row>
</form>


0 Karma

I tried that and I still get the same error. I have also tried the other way (see https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Token_filters) but no luck there either.

0 Karma


Have you tried 

eval query_q="$query|s$"

to escape the quotes in the token? 

0 Karma
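Applying the `|s` filter from the reply above to the asker's two panel searches (an added example, not XML posted in the thread): the filter supplies the surrounding quotes and escapes any `"` or `\` inside the value, so the eval takes `$query|s$` with no literal quotes around it. It assumes the token names and lookup file from the question; the dnslookup steps are left out because the appended row carries no clientip field for them to act on.

```xml
<panel depends="$pan1$">
  <title>Query is toegevoegd/add query</title>
  <table>
    <search>
      <!-- |s turns each token into one quoted, escaped string literal;
           do not wrap $query|s$ in a second pair of quotes -->
      <query><![CDATA[
| inputlookup threat_hunting.csv
| append [
    | makeresults
    | eval query_discription=$discription_query|s$,
           query_q=$query|s$,
           user=$user|s$,
           tnow=strftime(now(), "%a %m/%d/%Y %H:%M"),
           id=100
    | fields query_discription query_q id tnow user ]
| outputlookup threat_hunting.csv
      ]]></query>
    </search>
  </table>
</panel>
<panel depends="$pan2$">
  <title>Query is verwijderd/delete query</title>
  <table>
    <search>
      <!-- same filter on the comparison, so a description containing quotes still matches -->
      <query><![CDATA[
| inputlookup threat_hunting.csv
| where query_discription != $discription_query|s$
| outputlookup threat_hunting.csv
      ]]></query>
    </search>
  </table>
</panel>
```

Because `|s` makes the whole token value a single escaped string literal, quote characters typed into the input are stored as text rather than being interpreted as part of the SPL that runs the panel.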


I have also tried the other way (see https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Token_filters) but no luck there either.

0 Karma


What does your xml look like now?

What does the CDATA do for you?

0 Karma


I do not know why, probably a refresh of the page but it works now!! Thanks 🙂

0 Karma

    <query>| makeresults
| eval Panel="$tokPanel|s$"</query>

$tokPanel$'s token has spaces in its default value.

0 Karma