Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Drill down to a link with regex generated field

armanih
Explorer
‎09-09-2020 05:31 AM

Hi All, 
I have made a dashboard which accept input(url).
I have applied regex to the url to extract only http/https
Then i need to visit various sites to view the domain authenticity. I am not abe to use the generated token as a token.

So the query i have is

| table url
| rex field=url "^(?<new_url>http.*$)"
| eval virustotal="https://www.virustotal.com/gui/search/$new_url$"
| table virustotal

But it is not working. Can someone please help me to understand, how to get the generated 'new_url" as a string to eval command

 

Labels (2)
Labels
0 Karma
Reply

armanih
Explorer
‎09-09-2020 06:01 AM

Thanks @richgalloway and @thambisetty .

The solution works when I use the query with index, source type and match with live events.  
But when i take the input as a token , table is empty in the dashboard panel.

Not sure if i am something wrong. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-09-2020 06:22 AM
Please share the relevant dashboard code.
---
If this reply helps you, Karma would be appreciated.
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-09-2020 06:10 AM

you need to enclose input field name in $$.

for example, to use input url you should specify $url$.

example search 

<search>
index=_internal source=*splunkd.log | stats count by $field_tok$
</search>
————————————
If this helps, give a like below.
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-09-2020 05:43 AM

Extracted fields are not tokens.  Use concatenation to add a field to a string.

| fields url
| rex field=url "^(?<new_url>http.*$)"
| eval virustotal="https://www.virustotal.com/gui/search/" . new_url
| table virustotal
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-09-2020 05:41 AM 
| table url
| rex field=url "^(?<new_url>http.*$)"
| eval virustotal="https://www.virustotal.com/gui/search/"+new_url
| table virustotal
————————————
If this helps, give a like below.
0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...