Hi,
I have created a dashboard where I can save queries by entering it in the input field. It works fine when I enter a simple query:
sourcetype = WinEventLog EventCode = 4624 | stats count (EventCode) by host
When I run the following query I get the error below:
sourcetype="pan:traffic" user!="xxxx" earliest=-14d
| bucket _time span=5m
| stats sum(bytes_out) by user, _time
| anomalydetection "sum(bytes_out)" "user" action=annotate
| eval isOutlier = if(probable_cause != "", "1", "0")
| where isOutlier=1
| table "sum(bytes_out)" "user", "_time", probable_cause, isOutlier
| stats count by user
| sort -count
| head 20
How can I escape the query in a way that lets me save it in the lookup file? Or are there better ways to save a query in a dashboard?
dashboard:
<form>
  <label>Threat Hunting Query</label>
  <search>
    <query>| makeresults | eval Panel=$tokPanel|s$</query>
    <done>
      <!-- condition match expressions use &quot; so the attribute value stays well-formed XML -->
      <condition match="$result.Panel$==&quot;1&quot;">
        <set token="tokPanelSelected">1</set>
        <set token="pan1"></set>
        <unset token="pan2"></unset>
      </condition>
      <condition match="$result.Panel$==&quot;2&quot;">
        <set token="pan2"></set>
        <unset token="pan1"></unset>
        <set token="tokPanelSelected">2</set>
      </condition>
      <condition>
        <unset token="tokPanelSelected"></unset>
      </condition>
    </done>
  </search>
  <fieldset submitButton="true">
    <input type="text" searchWhenChanged="false" token="discription_query">
      <label>Omschrijving query:</label>
      <default></default>
    </input>
    <input type="text" token="query">
      <label>Query:</label>
      <default></default>
    </input>
    <input type="text" token="user">
      <label>Naam:</label>
      <default></default>
    </input>
    <input type="dropdown" token="tokPanel" searchWhenChanged="false">
      <label></label>
      <choice value="1">Toevoegen</choice>
      <choice value="2">Verwijderen</choice>
      <default>Kies toevoegen of verwijderen</default>
    </input>
  </fieldset>
  <row>
    <panel depends="$pan1$">
      <title>Query is toegevoegd/add query</title>
      <table>
        <search>
          <query><![CDATA[
| inputlookup threat_hunting.csv
| append [
    | stats count
    | eval query_discription="$discription_query$"
    | eval query_q="$query$"
    | lookup dnslookup clientip As src OUTPUT clienthost AS src_host
    | lookup dnslookup clientip As dest OUTPUT clienthost AS dest_host
    | stats count(src) by src src_host
    | eval tnow=strftime(now(), "%a %m/%d/%Y %H:%M")
    | eval user="$user$"
    | eval id=100 ]
| stats count by query_discription query_q id tnow user
| fields query_discription query_q id tnow user
| outputlookup threat_hunting.csv
          ]]></query>
        </search>
      </table>
    </panel>
    <panel depends="$pan2$">
      <title>Query is verwijderd/delete query</title>
      <table>
        <search>
          <query>
| inputlookup threat_hunting.csv
| stats count by query_discription query_q id tnow user
| fields - count
| where query_discription !="$discription_query$"
| outputlookup threat_hunting.csv
          </query>
        </search>
      </table>
    </panel>
  </row>
</form>
I do not know why, probably a refresh of the page but it works now!! Thanks 🙂
I tried that and I still get the same error. I have also tried the other way (see https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Token_filters) but no luck there either.
Have you tried
eval query_q="$query|s$"
to escape the quotes in the token?
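An added example (not part of the thread, and not Splunk's own code) that models what the `|s` token filter does according to the Splunk token-filter docs linked in this thread: it backslash-escapes every double quote inside the token value and wraps the whole value in double quotes. The sample value is the first four lines of the query from the question. `render_eval` and `is_single_string_literal` are hypothetical helpers written for this illustration; `is_single_string_literal` checks whether the text after `eval query_q=` is one well-formed quoted SPL string, which is exactly what breaks when a query containing `"pan:traffic"` is pasted in raw.

```python
# Added illustration, not code from the thread. Models Splunk's $token|s$ filter
# as documented (escape inner double quotes, wrap in double quotes) so the
# effect on a query that itself contains quotes can be inspected outside Splunk.

# Constructed sample: the start of the query from the question, joined on one line.
SAVED_QUERY = (
    'sourcetype="pan:traffic" user!="xxxx" earliest=-14d '
    '| bucket _time span=5m '
    '| stats sum(bytes_out) by user, _time '
    '| anomalydetection "sum(bytes_out)" "user" action=annotate'
)

PREFIX = "| eval query_q="


def token_s(value: str) -> str:
    """Mimic $token|s$: backslash-escape inner double quotes, then wrap in quotes.

    Assumption: only double quotes are escaped, as the docs describe.
    """
    return '"' + value.replace('"', '\\"') + '"'


def render_eval(template: str, value: str) -> str:
    """Substitute $query|s$ and $query$ in a <query> fragment (hypothetical helper).

    The |s form is replaced first so the plain $query$ replacement cannot
    clobber it.
    """
    return template.replace("$query|s$", token_s(value)).replace("$query$", value)


def is_single_string_literal(s: str) -> bool:
    """True if s is exactly one double-quoted SPL string literal.

    It must open and close with a double quote, and every quote in between
    must be preceded by a backslash; an unescaped inner quote ends the
    literal early and leaves trailing garbage, which is the malformed case.
    """
    if len(s) < 2 or s[0] != '"' or s[-1] != '"':
        return False
    i = 1
    while i < len(s) - 1:
        if s[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if s[i] == '"':
            return False  # unescaped quote before the end
        i += 1
    return i == len(s) - 1  # False if the final quote was itself escaped


def literal_is_valid(template: str, value: str = SAVED_QUERY) -> bool:
    """Render the eval line and report whether its right-hand side is one literal."""
    rendered = render_eval(template, value)
    if not rendered.startswith(PREFIX):
        raise ValueError("template must start with " + PREFIX)
    return is_single_string_literal(rendered[len(PREFIX):])


if __name__ == "__main__":
    for template in (
        '| eval query_q="$query$"',    # raw token inside quotes
        '| eval query_q=$query|s$',    # |s supplies the quotes itself
        '| eval query_q="$query|s$"',  # |s output wrapped in a second pair of quotes
    ):
        print(f"{template:32} -> valid={literal_is_valid(template)}")
        print("    " + render_eval(template, SAVED_QUERY)[:80] + "...")
```

Running it shows that pasting the token raw inside quotes breaks the literal at the first `"` in `"pan:traffic"`, that `$query|s$` on its own yields one well-formed literal, and that wrapping the `|s` output in another pair of quotes produces a leading `""` and is malformed again.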
What does your xml look like now?
What does the CDATA do for you?
<query>| makeresults
| eval Panel="$tokPanel|s$"
</query>
$tokPanel$'s token has a space in its default value.