Dashboards & Visualizations

How to edit a text input from a dashboard?

zinaut
Engager

Hello fellow Splunkers! First post here on the forums.

I've been looking around and trying to do this particular task for over a week but I feel I've hit a wall. I want to be able to edit a text input from a dashboard where user will enter a MAC address with colons, but in search use that same MAC address but without colons. Reason being that the user will get the MAC addresses from sourcetype=linux_syslog where the field with the MAC address will have have the value with colons: macAddr="a1:b2:c3:d4:e5:f6"

That MAC address will then be used in sourcetype=radius where the field with the MAC address does NOT have colons: radMacAddr="a1b2c3d4e5f6".

I currently use the token of $mac_address$ for the inputted text and use rex to take out the colons: | eval rex_macaddr="$mac_address$" | rex mode=sed field=rex_macaddr "s/://g". This creates the field rex_macaddr with the inputted MAC address to appear without colons (progress for me!).

This is where I hit a wall. I feel I'm going about this the wrong way entirely. When doing it the way in the paragraph above, there will be 2 fields will with same values in sourcetype=radius.
1. radMacAddr="a1b2c3d4e5f6" - the original field I need to search through.
2. rex_macaddr="a1b2c3d4e5f6" - the newly created field from the user text input.

As you can see, this doesn't really help me unless I can create a new token based on the single result of rex_macaddr. If possible I wouldn't mind trying it out, but I feel I need to reach out and ask more experienced Splunkers on the best way to go about solving my problem.

Thank you all greatly!

0 Karma
1 Solution

maciep
Champion

Probably a ton of different ways to do this. But one option could be to create a new token when the mac address is entered in the text box, and use that token for your radius search. So, something like this inside your textbox input definition.

<change>
    <eval token="t_mac_no_colon">replace($value$,":","")</eval>
</change>

And then use the new $t_mac_no_colon$ token when searching your radius logs. Something like this:

index=your_radius_index sourcetype=your_radius_sourcetype radMacAddr="$t_mac_no_colon$"

View solution in original post

sbbadri
Motivator

test_mac_address

<input type="text" token="field1">
  <label>field1</label>
</input>


<panel>
  <event>
    <search>
      <query>index=* host=* sourcetype="*" mac=$field1$</query>
      <earliest>1498276800</earliest>
      <latest>1498363200</latest>
    </search>
  </event>
</panel>
0 Karma

maciep
Champion

Probably a ton of different ways to do this. But one option could be to create a new token when the mac address is entered in the text box, and use that token for your radius search. So, something like this inside your textbox input definition.

<change>
    <eval token="t_mac_no_colon">replace($value$,":","")</eval>
</change>

And then use the new $t_mac_no_colon$ token when searching your radius logs. Something like this:

index=your_radius_index sourcetype=your_radius_sourcetype radMacAddr="$t_mac_no_colon$"

zinaut
Engager

Thank you very much maciep! It worked out perfectly. I honestly didn't know about <change> in simpleXML. I'll add it to my arsenal of knowledge now. My thanks.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...