How can I drilldown an IP address from a table into a website search field?

AbelCruz
Path Finder

I am trying to drilldown an IP address value from a table into the IP Lookup box of https://www.iplocation.net to obtain the IP address' details. I can click on the value and open the right website on a new tab but it doesn't carry over the selected IP value from the table. I am using a Splunk predefined token but it still doesn't work. Any suggestions on what I am missing?

  <table>
    <title>IP lookup test</title>
    <search>
      <query>sourcetype="cisco:asa" Cisco_ASA_vendor_action="authentication Rejected"| dedup user | table IP _time user</query>
      <earliest>-7d@h</earliest>
      <latest>now</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">true</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
    <drilldown target="https://www.iplocation.net/">
      <link>
        https://www.iplocation.net/?q=$click.value2$
      </link>
    </drilldown>
  </table>
0 Karma

elliotproebstel
Champion

I tried to post this as a reply to your comment above, but I forgot I can't include screencaps as attachments in a comment, so I'm making it a new answer.

No need to apologize. 🙂 I'm happy to help. Here's the code for a test dashboard I made to demonstrate our end goal:

<dashboard>
  <label>test_ip</label>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults | eval IP="8.8.8.8" | append [|makeresults | eval IP="12.12.12.12"]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <link target="_blank">https://www.iplocation.net/?query=$click.value$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

This dashboard contains a little dummy query that just makes a small table with two IP addresses in it, but it demonstrates the drilldown functionality.

Here are some screenshots for how I added the functionality to the table using the Splunk Web UI. First, I selected Edit Dashboard > UI (UI is the default option when you edit a dashboard). Then I found the Edit Drilldown menu here:
Inside that menu, here's what I entered:

Does that match what you see in your Dashboard editor?


0 Karma

elliotproebstel
Champion

I just tried visiting https://www.iplocation.net/?q=8.8.8.8 to test the drilldown destination. From what I can tell, you need to be using this: https://www.iplocation.net/?query=[ip address] in order for the page to use the supplied token.

0 Karma

AbelCruz
Path Finder

Good morning
Thank you for your response

After using your suggestion, now I get this on the website. It still does look up my current IP address though.

Error: Invalid input address: [ip address]/?q=68.189.154.2

      <link>
        https://www.iplocation.net/?query=[ip address]/?q=$click.value$
      </link>
    </drilldown>
  </table>
0 Karma

elliotproebstel
Champion

Sorry, that [input address] was meant as a placeholder. Here's some literal code:

    <drilldown>
       <link>
         https://www.iplocation.net/?query=$click.value$
       </link>
     </drilldown>
0 Karma

AbelCruz
Path Finder

No worries. This gets me back to just opening the website but it doesn't carry any clicked value from the table.
The table columns' order is: IP, _time, and user.

Am I using the wrong token or do I need to create one?

I do apologize for the questions. I am new to Splunk.

0 Karma

493669
Super Champion

It gives correct output. Have you tried this:

 <table>
     <title>IP lookup test</title>
     <search>
       <query>sourcetype="cisco:asa" Cisco_ASA_vendor_action="authentication Rejected"| dedup user | table IP _time user</query>
       <earliest>-7d@h</earliest>
       <latest>now</latest>
     </search>
     <option name="wrap">true</option>
     <option name="rowNumbers">true</option>
     <option name="dataOverlayMode">none</option>
     <option name="drilldown">cell</option>
     <option name="count">10</option>
     <drilldown target="https://www.iplocation.net/">
       <link>
         https://www.iplocation.net/?query=$click.value$
       </link>
     </drilldown>
   </table>
0 Karma