Dashboards & Visualizations

Help with depends - How to only include dest_ip in my search if action is not "blocked"?

ilhwan
Path Finder

I am trying to only include dest_ip in my search if action is not "blocked". These are the input panels:

    <input type="dropdown" token="my_action" searchWhenChanged="true">
      <label>Action</label>
      <choice value="*">any</choice>
      <choice value="allowed">allowed</choice>
      <choice value="blocked">blocked</choice>
      <prefix>action=</prefix>
      <change>
        <condition label="blocked">
          <unset token="is_not_blocked"></unset>
        </condition>
        <condition label="allowed">
          <set token="is_not_blocked">true</set>
        </condition>
        <condition label="*">
          <set token="is_not_blocked">true</set>
        </condition>
      </change>
      <default>*</default>
    </input>
    <input type="text" token="my_dest_ip" searchWhenChanged="true" depends="$is_not_blocked$">
      <label>Destination IP address (CIDR okay)</label>
      <default>*</default>
      <prefix>dest_ip=</prefix>
      <initialValue>*</initialValue>
    </input>

This is the search:

    <panel>
      <title>Network Connections by Source</title>
      <table>
        <title>Count of network connections by source - click on a line for list of sessions from that source</title>
        <search>
          <query>index=proxy $my_host$ $my_src_ip$ $my_dest_ip$ $my_url$ $my_action$
| lookup dnslookup clientip as src_ip OUTPUT clienthost as Host
| stats count by src_ip Host action
| table src_ip, Host action count
| sort -count
| rename src_ip as "Source_IP" action as Action count as "Count"</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="drill_client_ip">$row.Source_IP$</set>
          <set token="drill_url">*</set>
          <set token="drill_dest_ip">*</set>
          <set token="drill_action">$row.Action$</set>
        </drilldown>
      </table>
    </panel>

The input panel for my_dest_ip disappears when I select "blocked" in the action panel, but the search still includes dest_ip=*.  What am I not understanding?


richgalloway
SplunkTrust

Even though the input panel is not shown, the token still is set to its initial value.

To work around that, unset $my_dest_ip$ whenever $my_action$ is "blocked".

---
If this reply helps you, Karma would be appreciated.
0 Karma

ilhwan
Path Finder

I tried that without success.  This is what the input panel looks like:

    <input type="dropdown" token="my_action" searchWhenChanged="true">
      <label>Action</label>
      <choice value="*">any</choice>
      <choice value="allowed">allowed</choice>
      <choice value="blocked">blocked</choice>
      <prefix>action=</prefix>
      <change>
        <condition label="blocked">
          <unset token="is_not_blocked"></unset>
          <unset token="my_dest_ip"></unset>
        </condition>
        <condition label="allowed">
          <set token="is_not_blocked">true</set>
        </condition>
        <condition label="*">
          <set token="is_not_blocked">true</set>
        </condition>
      </change>
      <default>*</default>
    </input>
0 Karma

ilhwan
Path Finder

I just figured it out.  I had to set the token to a blank string since I use it in the search later.

    <input type="dropdown" token="my_action" searchWhenChanged="true">
      <label>Action</label>
      <choice value="*">any</choice>
      <choice value="allowed">allowed</choice>
      <choice value="blocked">blocked</choice>
      <prefix>action=</prefix>
      <change>
        <condition label="blocked">
          <unset token="is_not_blocked"></unset>
          <set token="my_dest_ip">""</set>
        </condition>
        <condition label="allowed">
          <set token="is_not_blocked">true</set>
        </condition>
        <condition label="*">
          <set token="is_not_blocked">true</set>
        </condition>
      </change>
      <default>*</default>
    </input>
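
Added example, not part of any post in this thread: a small Python check that scans Simple XML for the pitfall discussed above, an input that `depends` can hide while its default value still feeds a search. The sample dashboard is a constructed, trimmed version of the question's XML, the function name `hidden_but_active` is hypothetical, and only a `<set>` inside `<change>` is counted as a fix because the thread reports that `<unset>` did not work.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the question's inputs and query, trimmed and wrapped in <form>.
DASHBOARD = """
<form>
  <fieldset>
    <input type="dropdown" token="my_action">
      <prefix>action=</prefix>
      <change>
        <condition label="blocked">
          <unset token="is_not_blocked"></unset>
        </condition>
      </change>
      <default>*</default>
    </input>
    <input type="text" token="my_dest_ip" depends="$is_not_blocked$">
      <default>*</default>
      <prefix>dest_ip=</prefix>
    </input>
  </fieldset>
  <row><panel><table><search>
    <query>index=proxy $my_dest_ip$ $my_action$ | stats count by src_ip action</query>
  </search></table></panel></row>
</form>
"""
# Same dashboard with the accepted fix applied in the "blocked" condition.
UNSET = '<unset token="is_not_blocked"></unset>'
FIXED = DASHBOARD.replace(UNSET, UNSET + '<set token="my_dest_ip">""</set>')

TOKEN = re.compile(r"\$([A-Za-z_][\w.]*)\$")

def hidden_but_active(xml_text):
    """Tokens of inputs that can be hidden by depends, carry a default, are
    used in a <query>, and are never rewritten by a <set> in a <change>."""
    root = ET.fromstring(xml_text)
    used = {t for q in root.iter("query") for t in TOKEN.findall(q.text or "")}
    rewritten = {s.get("token") for c in root.iter("change") for s in c.iter("set")}
    findings = []
    for inp in root.iter("input"):
        tok = inp.get("token")
        has_value = any(inp.find(tag) is not None for tag in ("default", "initialValue"))
        if inp.get("depends") and has_value and tok in used and tok not in rewritten:
            findings.append(tok)
    return findings

if __name__ == "__main__":
    print("original:", hidden_but_active(DASHBOARD))
    print("fixed:   ", hidden_but_active(FIXED))
```
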

 
