Solved: Help with depends- How to only include dest_ip in...

ilhwan · ‎11-07-2022

I am trying to only include dest_ip in my search if action is not "blocked. These are the input panels:

<input type="dropdown" token="my_action" searchWhenChanged="true">
      <label>Action</label>
      <choice value="*">any</choice>
      <choice value="allowed">allowed</choice>
      <choice value="blocked">blocked</choice>
      <prefix>action=</prefix>
      <change>
        <condition label="blocked">
          <unset token="is_not_blocked"></unset>
        </condition>
        <condition label="allowed">
          <set token="is_not_blocked">true</set>
        </condition>
        <condition label="*">
          <set token="is_not_blocked">true</set>
        </condition>
      </change>
      <default>*</default>
    </input>
 <input type="text" token="my_dest_ip" searchWhenChanged="true" depends="$is_not_blocked$">
      <label>Destination IP address (CIDR okay)</label>
      <default>*</default>
      <prefix>dest_ip=</prefix>
      <initialValue>*</initialValue>
    </input>

This is the search:

    <panel>
      <title>Network Connections by Source</title>
      <table>
        <title>Count of network connections by source - click on a line for list of sessions from that source</title>
        <search>
          <query>index=proxy $my_host$ $my_src_ip$ $my_dest_ip$ $my_url$ $my_action$
| lookup dnslookup clientip as src_ip OUTPUT clienthost as Host
| stats count by src_ip Host action
| table src_ip, Host action count
| sort -count
| rename src_ip as "Source_IP" action as Action count as "Count"</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="drill_client_ip">$row.Source_IP$</set>
          <set token="drill_url">*</set>
          <set token="drill_dest_ip">*</set>
          <set token="drill_action">$row.Action$</set>
        </drilldown>
      </table>
    </panel>

The input panel for my_dest_ip disappears when I select "blocked" in the action panel, but the search still includes dest_ip=*. What am I not understanding?

ilhwan · ‎11-07-2022

I just figured it out. I had to set the token to a blank string since I use it in the search later.

 <input type="dropdown" token="my_action" searchWhenChanged="true">
      <label>Action</label>
      <choice value="*">any</choice>
      <choice value="allowed">allowed</choice>
      <choice value="blocked">blocked</choice>
      <prefix>action=</prefix>
      <change>
        <condition label="blocked">
          <unset token="is_not_blocked"></unset>
          <set token="my_dest_ip">""</set>
        </condition>
        <condition label="allowed">
          <set token="is_not_blocked">true</set>
        </condition>
        <condition label="*">
          <set token="is_not_blocked">true</set>
        </condition>
      </change>
      <default>*</default>
    </input>

View solution in original post

richgalloway · ‎11-07-2022

Even though the input panel is not shown, the the token still is set to its initial value.

To work around that, unset $my_dest_ip$ whenever $my_action$ is "blocked".

---
If this reply helps you, Karma would be appreciated.

ilhwan · ‎11-07-2022

I tried that without success. This is what the input panel looks like:

<input type="dropdown" token="my_action" searchWhenChanged="true">
      <label>Action</label>
      <choice value="*">any</choice>
      <choice value="allowed">allowed</choice>
      <choice value="blocked">blocked</choice>
      <prefix>action=</prefix>
      <change>
        <condition label="blocked">
          <unset token="is_not_blocked"></unset>
          <unset token="my_dest_ip"></unset>
        </condition>
        <condition label="allowed">
          <set token="is_not_blocked">true</set>
        </condition>
        <condition label="*">
          <set token="is_not_blocked">true</set>
        </condition>
      </change>
      <default>*</default>
    </input>

ilhwan · ‎11-07-2022

I just figured it out. I had to set the token to a blank string since I use it in the search later.

 <input type="dropdown" token="my_action" searchWhenChanged="true">
      <label>Action</label>
      <choice value="*">any</choice>
      <choice value="allowed">allowed</choice>
      <choice value="blocked">blocked</choice>
      <prefix>action=</prefix>
      <change>
        <condition label="blocked">
          <unset token="is_not_blocked"></unset>
          <set token="my_dest_ip">""</set>
        </condition>
        <condition label="allowed">
          <set token="is_not_blocked">true</set>
        </condition>
        <condition label="*">
          <set token="is_not_blocked">true</set>
        </condition>
      </change>
      <default>*</default>
    </input>

Help with depends- How to only include dest_ip in my search if action is not "blocked"?

dashboard

panel

token

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?