I am trying to drilldown an IP address value from a table into the IP Lookup box of https://www.iplocation.net to obtain the IP address' details. I can click on the value and open the right website on a new tab but it doesn't carry over the selected IP value from the table. I am using a Splunk predefined token but it still doesn't work. Any suggestions on what I am missing?
<table>
<title>IP lookup test</title>
<search>
<query>sourcetype="cisco:asa" Cisco_ASA_vendor_action="authentication Rejected"| dedup user | table IP _time user</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
<drilldown target="https://www.iplocation.net/">
<link>
https://www.iplocation.net/?q=$click.value2$
</link>
</drilldown>
</table>
I tried to post this as a reply to your comment above, but I forgot I can't include screencaps as attachments in a comment, so I'm making it a new answer.
No need to apologize. 🙂 I'm happy to help. Here's the code for a test dashboard I made to demonstrate our end goal:
<dashboard>
<label>test_ip</label>
<row>
<panel>
<table>
<search>
<query>|makeresults | eval IP="8.8.8.8" | append [|makeresults | eval IP="12.12.12.12"]</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<link target="_blank">https://www.iplocation.net/?query=$click.value$</link>
</drilldown>
</table>
</panel>
</row>
</dashboard>
This dashboard contains a little dummy query that just makes a small table with two IP addresses in it, but it demonstrates the drilldown functionality.
Here are some screenshots for how I added the functionality to the table using the Splunk Web UI. First, I selected Edit Dashboard > UI (UI is the default option when you edit a dashboard). Then I found the Edit Drilldown menu here:
Inside that menu, here's what I entered:
Does that match what you see in your Dashboard editor?
I just tried visiting https://www.iplocation.net/?q=8.8.8.8 to test the drilldown destination. From what I can tell, you need to be using this: https://www.iplocation.net/?query=[ip address] in order for the page to use the supplied token.
Good morning
Thank you for your response
After using your suggestion now I get this on the website. Still does lookup my current IP address though.
Error: Invalid input address: [ip address]/?q=68.189.154.2
<link>
https://www.iplocation.net/?query=[ip address]/?q=$click.value$
</link>
</drilldown>
</table>
Sorry, that [input address] was meant as a placeholder. Here's some literal code:
<drilldown>
<link>
https://www.iplocation.net/?query=$click.value$
</link>
</drilldown>
No worries. This gets me back to just opening the website but it doesn't carry any clicked value from the table.
The table columns' order is: IP, _time, and user.
Am I using the wrong token or do I need to create one?
I do apologize for the questions. I am new to Splunk.
It gives correct output. Have you tried this:
<table>
<title>IP lookup test</title>
<search>
<query>sourcetype="cisco:asa" Cisco_ASA_vendor_action="authentication Rejected"| dedup user | table IP _time user</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
<drilldown target="https://www.iplocation.net/">
<link>
https://www.iplocation.net/?query=$click.value$
</link>
</drilldown>
</table>