Solved: Help with depends- How to only include dest_ip in...

ilhwan · ‎11-07-2022

I am trying to only include dest_ip in my search if action is not "blocked. These are the input panels:

<input type="dropdown" token="my_action" searchWhenChanged="true">
      <label>Action</label>
      <choice value="*">any</choice>
      <choice value="allowed">allowed</choice>
      <choice value="blocked">blocked</choice>
      <prefix>action=</prefix>
      <change>
        <condition label="blocked">
          <unset token="is_not_blocked"></unset>
        </condition>
        <condition label="allowed">
          <set token="is_not_blocked">true</set>
        </condition>
        <condition label="*">
          <set token="is_not_blocked">true</set>
        </condition>
      </change>
      <default>*</default>
    </input>
 <input type="text" token="my_dest_ip" searchWhenChanged="true" depends="$is_not_blocked$">
      <label>Destination IP address (CIDR okay)</label>
      <default>*</default>
      <prefix>dest_ip=</prefix>
      <initialValue>*</initialValue>
    </input>

This is the search:

    <panel>
      <title>Network Connections by Source</title>
      <table>
        <title>Count of network connections by source - click on a line for list of sessions from that source</title>
        <search>
          <query>index=proxy $my_host$ $my_src_ip$ $my_dest_ip$ $my_url$ $my_action$
| lookup dnslookup clientip as src_ip OUTPUT clienthost as Host
| stats count by src_ip Host action
| table src_ip, Host action count
| sort -count
| rename src_ip as "Source_IP" action as Action count as "Count"</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="drill_client_ip">$row.Source_IP$</set>
          <set token="drill_url">*</set>
          <set token="drill_dest_ip">*</set>
          <set token="drill_action">$row.Action$</set>
        </drilldown>
      </table>
    </panel>

The input panel for my_dest_ip disappears when I select "blocked" in the action panel, but the search still includes dest_ip=*. What am I not understanding?

ilhwan · ‎11-07-2022

I just figured it out. I had to set the token to a blank string since I use it in the search later.

 <input type="dropdown" token="my_action" searchWhenChanged="true">
      <label>Action</label>
      <choice value="*">any</choice>
      <choice value="allowed">allowed</choice>
      <choice value="blocked">blocked</choice>
      <prefix>action=</prefix>
      <change>
        <condition label="blocked">
          <unset token="is_not_blocked"></unset>
          <set token="my_dest_ip">""</set>
        </condition>
        <condition label="allowed">
          <set token="is_not_blocked">true</set>
        </condition>
        <condition label="*">
          <set token="is_not_blocked">true</set>
        </condition>
      </change>
      <default>*</default>
    </input>

View solution in original post

richgalloway · ‎11-07-2022

Even though the input panel is not shown, the the token still is set to its initial value.

To work around that, unset $my_dest_ip$ whenever $my_action$ is "blocked".

---
If this reply helps you, Karma would be appreciated.

ilhwan · ‎11-07-2022

I tried that without success. This is what the input panel looks like:

<input type="dropdown" token="my_action" searchWhenChanged="true">
      <label>Action</label>
      <choice value="*">any</choice>
      <choice value="allowed">allowed</choice>
      <choice value="blocked">blocked</choice>
      <prefix>action=</prefix>
      <change>
        <condition label="blocked">
          <unset token="is_not_blocked"></unset>
          <unset token="my_dest_ip"></unset>
        </condition>
        <condition label="allowed">
          <set token="is_not_blocked">true</set>
        </condition>
        <condition label="*">
          <set token="is_not_blocked">true</set>
        </condition>
      </change>
      <default>*</default>
    </input>

ilhwan · ‎11-07-2022

I just figured it out. I had to set the token to a blank string since I use it in the search later.

 <input type="dropdown" token="my_action" searchWhenChanged="true">
      <label>Action</label>
      <choice value="*">any</choice>
      <choice value="allowed">allowed</choice>
      <choice value="blocked">blocked</choice>
      <prefix>action=</prefix>
      <change>
        <condition label="blocked">
          <unset token="is_not_blocked"></unset>
          <set token="my_dest_ip">""</set>
        </condition>
        <condition label="allowed">
          <set token="is_not_blocked">true</set>
        </condition>
        <condition label="*">
          <set token="is_not_blocked">true</set>
        </condition>
      </change>
      <default>*</default>
    </input>

Help with depends- How to only include dest_ip in my search if action is not "blocked"?

dashboard

panel

token

User Groups | Upcoming Events!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)