How can I build a dashboard that passes a text input and dropdown input for the data type into a search?

ltrand
Contributor

I'm trying to build a dashboard where an analyst can have a single text input and have a dropdown for the data type and pass the combined information to the search. Unfortunately, it's not working.

Token Logic:
User inputs 127.0.0.1 into $token1$. Then selects "IP" label in the dropdown, which contains the logic (src=$token1$ OR dest=$token1$) and is labeled $token2$. Search, for now, is simply index=firewalls $token2$.

Problem Description:
What we expect to land in the panel is "index=firewalls (src=127.0.0.1 OR dest=127.0.0.1)". What we are seeing, when "open in search" is utilized, is "index=firewalls (src=$token1$ OR dest=$token1$)".

When we get the logic for the inputs right we plan on converting this to a datamodel search, but for now we just need to figure out how to pass information inputted into one input to another.

Reason why we're building this:
This is a version 1 just to get analysts going and to modularize a lot of their workflow, which is currently a bunch of hand-jamming searches every time they want to do something, so we get searches that are just an IP over all time. We're building this into ES to start to move analysts over to that, but this is the short-term need, as they view IP lookup as "difficult".

Edit: SimpleXML of dashboard attached

    <form>
      <label>Test Searching</label>
      <fieldset submitButton="true" autoRun="false">
        <input type="text" token="token1" searchWhenChanged="true">
          <label>IOC for Search</label>
        </input>
        <input type="dropdown" token="token2">
          <label>Field to Search</label>
          <choice value="&quot;$token1$&quot;">IP</choice>
        </input>
      </fieldset>
      <row>
        <panel>
          <event>
            <title>Search Events</title>
            <search>
              <query>index="firewalls" $token2$</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="list.drilldown">none</option>
          </event>
        </panel>
      </row>
    </form>
0 Karma
1 Solution
ltrand
Contributor

I figured out a solution:

    <input type="dropdown" token="IOC_fields" searchWhenChanged="true">
      <label>Field to Search</label>
      <fieldForLabel>token_type</fieldForLabel>
      <fieldForValue>search_param</fieldForValue>
      <search>
        <query>| makeresults | eval token="$IOC$" | eval token_type=if(match(token, "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"), "IP", "URL") | eval search_param=if(token_type=="IP", "src=".token, "url=".token) | table token, token_type, search_param</query>
      </search>
    </input>

It will take the token IOC, qualify it as an IP or URL, and then use concatenation to form the correct search language with the token.

sbbadri
Motivator

Try this:

    <form>
      <label>ddDashboard</label>
      <fieldset submitButton="false" autoRun="true">
        <input type="text" token="token1" searchWhenChanged="true">
          <label>Input IP</label>
        </input>
        <input type="dropdown" token="token2" searchWhenChanged="true">
          <label>Select IP</label>
          <search>
            <query>index=_internal (src="$token1$" OR dest="$token1$") | fields dest | table dest src</query>
          </search>
          <fieldForLabel>src_dest</fieldForLabel>
          <fieldForValue>src_dest</fieldForValue>
          <prefix>(</prefix>
          <valuePrefix>src="</valuePrefix>
          <valueSuffix>"</valueSuffix>
          <delimiter> OR </delimiter>
          <suffix> OR dest=$token1$) </suffix>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <search>
              <query>index=_internal $token2$</query>
              <earliest>0</earliest>
              <latest></latest>
            </search>
          </table>
        </panel>
      </row>
    </form>

0 Karma

rjthibod
Champion

I think I know the issue, but you probably need to share your SimpleXML so that we can see all that you need to do.

It sounds like the issue is that you are including the token $token1$ directly in the choice or option string of the dropdown (token $token2$). This is a no-no. It will never work the way you want. You will likely have to write some <condition> elements or more complex search patterns, but the solution depends on what else you are trying to do. So, please share more of your SimpleXML.

0 Karma