- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to generate search from dashboard input with v...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This seems to be a very simple requirement, but I'm unable to find a solution: I built a dashboard where the user enters an ip address which will then be used in a search like:
dest=$ip$
Now what I need is a way to search for 1 or more ip addresses. So, if the user enters "10.1.1.1 10.2.2.8 10.3.3.3" then the following search must be generated:
(dest=10.1.1.1 OR dest=10.2.2.8 OR dest=10.3.3.3)
Is there a way to do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can edit the value of the text field with a subquery.
index=XXX [search noop|stats count | eval dest="$ip$"|eval dest=split(dest," ") |table dest]|・・・・
↓Correct.
index=XXX [| noop|stats count | eval dest="$ip$"|eval dest=split(dest," ") |mvexpand dest|fields dest] |・・・・
(It still worked)
index=XXX [| noop|stats count | eval dest="$ip$"|eval dest=split(dest," ") |fields dest] |・・・・
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For an explanation of how HiroshiSatoh's answer works, see the "format" command.
https://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Changetheformatofsubsearchresults
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can edit the value of the text field with a subquery.
index=XXX [search noop|stats count | eval dest="$ip$"|eval dest=split(dest," ") |table dest]|・・・・
↓Correct.
index=XXX [| noop|stats count | eval dest="$ip$"|eval dest=split(dest," ") |mvexpand dest|fields dest] |・・・・
(It still worked)
index=XXX [| noop|stats count | eval dest="$ip$"|eval dest=split(dest," ") |fields dest] |・・・・
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah, but now it's getting more complicated. I need to search for the address list in src AND dest fields, so I tried:
[search noop | stats count | eval src="$cidr" | eval src=split(src, " "), dest=split(src, " ") |
table src, dest ]
But it only returns events where src matches. And this:
[search noop | stats count | eval src="$cidr",dest="$cidr"
| eval src=split(src, " "), dest=split(dest, " ")
| table src, dest ]
yields no results at all 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please perform sub search separately.
index=XXX [| noop|stats count | eval src="$cidr$"|eval src=split(src," ") |mvexpand src|fields src] [| noop|stats count | eval dest="$cidr$"|eval dest=split(dest," ") |mvexpand dest|fields dest] |・・・・
↓
( (src=XXX) OR (src=XXX) OR (src=XXX) OR (src=XXX) ) AND ( (dest=XXX) OR (dest=XXX) OR (dest=XXX) OR (dest=XXX) )
※Please be careful because it is AND condition.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Holy cow, works like a charm! Thanks a lot, HiroshiSatoh!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you need an mvexpand command as well (after split).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I also thought so.
But just by splitting it worked fine.
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
