Dashboard to save spl queries

BP26
Explorer

Hi,

I have created a dashboard where I can save queries by entering them in the input field. It works fine when I enter a simple query:

sourcetype = WinEventLog EventCode = 4624 | stats count (EventCode) by host

When I run the following query I get the error below:

sourcetype="pan:traffic" user!="xxxx" earliest=-14d
| bucket _time span=5m
| stats sum(bytes_out) by user, _time
| anomalydetection "sum(bytes_out)" "user" action=annotate
| eval isOutlier = if(probable_cause != "", "1", "0")
| where isOutlier=1
| table "sum(bytes_out)" "user", "_time", probable_cause, isOutlier
| stats count by user
| sort -count
| head 20

[Screenshot of the error message: Capture.PNG]

How can I escape the query in a way that I can save it in the lookup file? Or are there better ways to save a query in a dashboard?

Dashboard:

<form>
  <label>Threat Hunting Query</label>
   <search>
    <query>| makeresults
| eval Panel=$tokPanel|s$
    </query>
    <done>
      <condition match="$result.Panel$==&quot;1&quot;">
        <set token="tokPanelSelected">1</set>
        <set token="pan1"></set>
        <unset token="pan2"></unset>
      </condition>
      <condition match="$result.Panel$==&quot;2&quot;">
        <set token="pan2"></set>
        <unset token="pan1"></unset>
        <set token="tokPanelSelected">2</set>
      </condition>
      <condition>
        <unset token="tokPanelSelected"></unset>
      </condition>
    </done>
  </search>
  <fieldset submitButton="true">
    <input type="text" searchWhenChanged="false" token="discription_query">
      <label>Omschrijving query:</label>
      <default></default>
    </input>
    <input type="text" token="query"> 
      <label>Query:</label>
      <default></default>
    </input>
    <input type="text" token="user">
      <label>Naam:</label>
      <default></default>
    </input>
    <input type="dropdown" token="tokPanel" searchWhenChanged="false">
      <label></label>
      <choice value="1">Toevoegen</choice>
      <choice value="2">Verwijderen</choice>
      <default>Kies toevoegen of verwijderen</default>
    </input>
  </fieldset>
  <row>
    <panel depends="$pan1$">
      <title>Query is toegevoegd/add query</title>
      <table>
        <search>
          <query>
            <![CDATA[
            | inputlookup threat_hunting.csv
            | append [
                | stats count
                | eval query_discription="$discription_query$"
                | eval query_q="$query$"
                | lookup dnslookup clientip As src OUTPUT clienthost AS src_host
                | lookup dnslookup clientip As dest OUTPUT clienthost AS dest_host
                | stats count(src) by src src_host
                | eval tnow=strftime(now(), "%a %m/%d/%Y %H:%M")
                | eval user="$user$"
                | eval id=100 ]
            | stats count by query_discription query_q id tnow user
            | fields query_discription query_q id tnow user
            | outputlookup threat_hunting.csv
            ]]>
          </query>
        </search>
      </table>
    </panel>
    <panel depends="$pan2$">
      <title>Query is verwijderd/delete query</title>
      <table>
        <search>
          <query>
            | inputlookup threat_hunting.csv
            | stats count by query_discription query_q id tnow user
            | fields - count
            | where query_discription !="$discription_query$"
            | outputlookup threat_hunting.csv
          </query>
        </search>
      </table>
    </panel>
  </row>
</form>


BP26
Explorer

I tried that and I still get the same error. I have also tried the other way (see https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Token_filters) but no luck there either.


ITWhisperer
SplunkTrust

Have you tried 

eval query_q="$query|s$"

to escape the quotes in the token? 

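
Added example (Python, not code from the post or from Splunk): it models what the dashboard's eval query_q="$query$" line hands to eval for the two queries in the question, with and without the |s filter, which the Splunk token-filter docs describe as wrapping the value in double quotes and escaping quotes and backslashes. The mini-parser, the shortened copy of the pan:traffic query and the s_filter model are constructed here and assume eval's \" and \\ string escapes.

```python
from __future__ import annotations

# Constructed copies of the two queries from the post (the second one shortened).
SIMPLE_QUERY = "sourcetype = WinEventLog EventCode = 4624 | stats count(EventCode) by host"
COMPLEX_QUERY = (
    'sourcetype="pan:traffic" user!="xxxx" earliest=-14d '
    '| anomalydetection "sum(bytes_out)" "user" action=annotate '
    '| eval isOutlier = if(probable_cause != "", "1", "0")'
)


def s_filter(value: str) -> str:
    """Model of $token|s$: escape backslashes and quotes, then wrap in quotes."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def parse_string_literal(expr: str) -> tuple[str, str]:
    """Consume one double-quoted eval literal; return (decoded, remainder)."""
    if not expr.startswith('"'):
        raise ValueError("expected a string literal")
    out, i = [], 1
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):  # \" or \\ escape sequence
            out.append(expr[i + 1])
            i += 2
        elif ch == '"':
            return "".join(out), expr[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def render_clause(query: str, use_s_filter: bool) -> str:
    """The eval clause the dashboard produces: "$query$" vs $query|s$."""
    rhs = s_filter(query) if use_s_filter else f'"{query}"'
    return f"eval query_q={rhs}"


def embeds_cleanly(query: str, use_s_filter: bool) -> bool:
    """True only if the whole right-hand side is one literal that round-trips."""
    rhs = render_clause(query, use_s_filter)[len("eval query_q="):]
    try:
        decoded, rest = parse_string_literal(rhs)
    except ValueError:
        return False
    return rest == "" and decoded == query


if __name__ == "__main__":
    for name, q in (("simple", SIMPLE_QUERY), ("complex", COMPLEX_QUERY)):
        for flt in (False, True):
            print(f"{name:7} s_filter={flt!s:5} ok={embeds_cleanly(q, flt)}")
```

The raw form only survives because the simple query contains no quotes; the |s form treats the token as data rather than as SPL, which is also what keeps a saved query from altering the outer search.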

BP26
Explorer

I have also tried the other way (see https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Token_filters) but no luck there either.


ITWhisperer
SplunkTrust
SplunkTrust

What does your xml look like now?

What does the CDATA do for you?


BP26
Explorer

I do not know why, probably a refresh of the page but it works now!! Thanks 🙂


to4kawa
Ultra Champion

    <query>| makeresults
| eval Panel="$tokPanel|s$"
    </query>

The $tokPanel$ token has a space in its default value.