Dashboards & Visualizations

How to generate search from dashboard input with variable number of values?

sptz16
New Member

This seems to be a very simple requirement, but I'm unable to find a solution: I built a dashboard where the user enters an ip address which will then be used in a search like:

dest=$ip$

Now what I need is a way to search for 1 or more ip addresses. So, if the user enters "10.1.1.1 10.2.2.8 10.3.3.3" then the following search must be generated:

(dest=10.1.1.1 OR dest=10.2.2.8  OR dest=10.3.3.3)

Is there a way to do this?


HiroshiSatoh
Champion

You can edit the value of the text field with a subquery.

index=XXX [search noop|stats count | eval dest="$ip$"|eval dest=split(dest," ") |table dest]|・・・・
↓Correct.
index=XXX [| noop|stats count | eval dest="$ip$"|eval dest=split(dest," ") |mvexpand dest|fields dest] |・・・・
(It still worked)
index=XXX [| noop|stats count | eval dest="$ip$"|eval dest=split(dest," ") |fields dest] |・・・・


DalJeanis
Legend

For an explanation of how HiroshiSatoh's answer works, see the "format" command.

https://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Changetheformatofsubsearchresults


sptz16
New Member

Ah, but now it's getting more complicated. I need to search for the address list in src AND dest fields, so I tried:

[search noop | stats count | eval src="$cidr$" | eval src=split(src, " "), dest=split(src, " ")
 | table src, dest ]

But it only returns events where src matches. And this:

[search noop | stats count | eval src="$cidr$", dest="$cidr$"
 | eval src=split(src, " "), dest=split(dest, " ")
 | table src, dest ]

yields no results at all 😞


HiroshiSatoh
Champion

Please perform the subsearches separately.

index=XXX [| noop|stats count | eval src="$cidr$"|eval src=split(src," ") |mvexpand src|fields src] [| noop|stats count | eval dest="$cidr$"|eval dest=split(dest," ") |mvexpand dest|fields dest] |・・・・

( (src=XXX) OR (src=XXX) OR (src=XXX) OR (src=XXX) ) AND ( (dest=XXX) OR (dest=XXX) OR (dest=XXX) OR (dest=XXX) )
※Please be careful because it is an AND condition.

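To make the two answers above concrete, here is an added Python emulation (not part of the thread, and not Splunk's own code) of what the subsearch-plus-format pattern turns the dashboard token into: one field from a space-separated token becomes an OR clause over its values, and two separate subsearches (src and dest) are ANDed together, as HiroshiSatoh's expanded search shows. Because a dashboard token is pasted textually into the search string, the example also validates each value as an IP address or CIDR block before building the clause, so a free-text input cannot carry stray search syntax. The function names, the sample token value and the use of explicit `AND` between the two clauses are assumptions of this example; the real format command quotes values, which is reproduced here.

```python
import ipaddress


def parse_token(token_value):
    """Split the dashboard token on whitespace, like eval split(dest, " "),
    dropping empty pieces produced by doubled spaces."""
    return [v for v in token_value.split() if v]


def validate_addresses(values):
    """Accept only IP addresses or CIDR blocks (constructed check, not Splunk's).
    Anything else is rejected so the token cannot inject search syntax."""
    accepted = []
    for v in values:
        try:
            ipaddress.ip_network(v, strict=False)
        except ValueError as exc:
            raise ValueError("not an IP address or CIDR block: %r" % v) from exc
        accepted.append(v)
    return accepted


def or_clause(field, values):
    """Emulate the default format output for a subsearch that returns one
    field with one row per value: ( (f="a") OR (f="b") OR ... )."""
    return "( " + " OR ".join('(%s="%s")' % (field, v) for v in values) + " )"


def build_search(index, token_value, fields):
    """Build the expanded search for one token applied to one or more fields.
    Each field gets its own OR clause (one subsearch each); clauses are ANDed."""
    values = validate_addresses(parse_token(token_value))
    if not values:
        raise ValueError("the token contained no addresses")
    clauses = [or_clause(f, values) for f in fields]
    return "index=%s " % index + " AND ".join(clauses)


if __name__ == "__main__":
    # Constructed sample token value, as a user might type it into the text box.
    sample = "10.1.1.1 10.2.2.8  10.3.3.3"
    print(build_search("XXX", sample, ["dest"]))
    print(build_search("XXX", sample, ["src", "dest"]))
```

Running it prints the single-field form that the question asked for and the src-AND-dest form from the second answer; note that an event must match one of the addresses in src and one in dest, which is the AND condition the answer warns about.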

sptz16
New Member

Holy cow, works like a charm! Thanks a lot, HiroshiSatoh!


somesoni2
Revered Legend

I think you need an mvexpand command as well (after split).


HiroshiSatoh
Champion

I also thought so.
But just by splitting it worked fine.
