Solved: How to edit a text input from a dashboard?

zinaut · ‎07-05-2017

Hello fellow Splunkers! First post here on the forums.

I've been looking around and trying to do this particular task for over a week but I feel I've hit a wall. I want to be able to edit a text input from a dashboard where user will enter a MAC address with colons, but in search use that same MAC address but without colons. Reason being that the user will get the MAC addresses from sourcetype=linux_syslog where the field with the MAC address will have have the value with colons: macAddr="a1:b2:c3:d4:e5:f6"

That MAC address will then be used in sourcetype=radius where the field with the MAC address does NOT have colons: radMacAddr="a1b2c3d4e5f6".

I currently use the token of $mac_address$ for the inputted text and use rex to take out the colons: | eval rex_macaddr="$mac_address$" | rex mode=sed field=rex_macaddr "s/://g". This creates the field rex_macaddr with the inputted MAC address to appear without colons (progress for me!).

This is where I hit a wall. I feel I'm going about this the wrong way entirely. When doing it the way in the paragraph above, there will be 2 fields will with same values in sourcetype=radius.
1. radMacAddr="a1b2c3d4e5f6" - the original field I need to search through.
2. rex_macaddr="a1b2c3d4e5f6" - the newly created field from the user text input.

As you can see, this doesn't really help me unless I can create a new token based on the single result of rex_macaddr. If possible I wouldn't mind trying it out, but I feel I need to reach out and ask more experienced Splunkers on the best way to go about solving my problem.

Thank you all greatly!

maciep · ‎07-05-2017

Probably a ton of different ways to do this. But one option could be to create a new token when the mac address is entered in the text box, and use that token for your radius search. So, something like this inside your textbox input definition.

<change>
    <eval token="t_mac_no_colon">replace($value$,":","")</eval>
</change>

And then use the new $t_mac_no_colon$ token when searching your radius logs. Something like this:

index=your_radius_index sourcetype=your_radius_sourcetype radMacAddr="$t_mac_no_colon$"

View solution in original post

sbbadri · ‎07-05-2017

test_mac_address

<input type="text" token="field1">
  <label>field1</label>
</input>


<panel>
  <event>
    <search>
      <query>index=* host=* sourcetype="*" mac=$field1$</query>
      <earliest>1498276800</earliest>
      <latest>1498363200</latest>
    </search>
  </event>
</panel>

maciep · ‎07-05-2017

Probably a ton of different ways to do this. But one option could be to create a new token when the mac address is entered in the text box, and use that token for your radius search. So, something like this inside your textbox input definition.

<change>
    <eval token="t_mac_no_colon">replace($value$,":","")</eval>
</change>

And then use the new $t_mac_no_colon$ token when searching your radius logs. Something like this:

index=your_radius_index sourcetype=your_radius_sourcetype radMacAddr="$t_mac_no_colon$"

zinaut · ‎07-06-2017

Thank you very much maciep! It worked out perfectly. I honestly didn't know about <change> in simpleXML. I'll add it to my arsenal of knowledge now. My thanks.

How to edit a text input from a dashboard?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to edit a text input from a dashboard?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem