Solved: Re: How to edit my XML for drop-down inputs to pro...

fmpa_isaac · ‎06-30-2016

I have an issue with my drop-down inputs in my dashboard. If I select a dest port 80 from my list, I expect to only see dest port 80 in my results. However, it's also filtering on the source port 80. How can I stop this behavior, because it's occurring in other dashboards that I have?

 </input>
    <input type="multiselect" token="Dest_Port" searchWhenChanged="true">
      <label>Select a Dest Port:</label>
      <search>
        <query>sourcetype="udp:514" host="172.20.1.62" | stats values(Dest_Port) as Dest_Port | mvexpand Dest_Port | sort Dest_Port</query>
      </search>
      <fieldForLabel>Dest_Port</fieldForLabel>
      <fieldForValue>Dest_Port</fieldForValue>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <input type="dropdown" token="URL" searchWhenChanged="true">
      <label>Select URL</label>
      <search>
        <query>sourcetype="udp:514" host="172.20.1.62" | stats values(URL) as URL | mvexpand URL | sort URL</query>
      </search>
      <fieldForLabel>URL</fieldForLabel>
      <fieldForValue>URL</fieldForValue>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>sourcetype="udp:514" host="172.20.1.62" $User$ $Action$ $Src_IP$ $Dest_IP$ $Dest_Port$ $URL$ | table _time, User, Src_IP, Src_Port, Dest_IP, Dest_Port, Rule_Action, URL</query>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">100</option>
      </table>
    </panel>
  </row>
</form>

gcusello · ‎06-30-2016

in your search I don't see anything before $Dest_Port$ and In your dropdown input there isn't the prefix; in this way you don't use the field and the search is limited to the string from the dropdown.
You should use a prefix in the dropdown input as the following

<prefix>Dest_Port="</prefix>
<suffix>"</suffix>

or in the search you shoud insert:
Dest_Port="$Dest_Port$" instead of $Dest_Port$.

Bye.
Giuseppe

View solution in original post

sundareshr · ‎06-30-2016

Try adding fieldnames to each. Like this (adjust for correct field names)

sourcetype="udp:514" host="172.20.1.62" User="$User$" Action="$Action$" Src_IP="$Src_IP$" Dest_IP="$Dest_IP$"  Dest_Post="$Dest_Port$" URL=" $URL$" | table _time, User, Src_IP, Src_Port, Dest_IP, Dest_Port, Rule_Action, URL

fmpa_isaac · ‎06-30-2016

Thank you!

gcusello · ‎06-30-2016

in your search I don't see anything before $Dest_Port$ and In your dropdown input there isn't the prefix; in this way you don't use the field and the search is limited to the string from the dropdown.
You should use a prefix in the dropdown input as the following

<prefix>Dest_Port="</prefix>
<suffix>"</suffix>

or in the search you shoud insert:
Dest_Port="$Dest_Port$" instead of $Dest_Port$.

Bye.
Giuseppe

fmpa_isaac · ‎06-30-2016

Thank you!

fmpa_isaac · ‎06-30-2016

Also, what I am seeing is that it looks for the value of what I am searching for all throughout the raw data.

How to edit my XML for drop-down inputs to properly filter on expected field values?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...