Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How to generate search from dashboard input wi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This seems to be a very simple requirement, but I'm unable to find a solution: I built a dashboard where the user enters an ip address which will then be used in a search like:
dest=$ip$
Now what I need is a way to search for 1 or more ip addresses. So, if the user enters "10.1.1.1 10.2.2.8 10.3.3.3" then the following search must be generated:
(dest=10.1.1.1 OR dest=10.2.2.8 OR dest=10.3.3.3)
Is there a way to do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can edit the value of the text field with a subquery.
index=XXX [search noop|stats count | eval dest="$ip$"|eval dest=split(dest," ") |table dest]|・・・・
↓Correct.
index=XXX [| noop|stats count | eval dest="$ip$"|eval dest=split(dest," ") |mvexpand dest|fields dest] |・・・・
(It still worked)
index=XXX [| noop|stats count | eval dest="$ip$"|eval dest=split(dest," ") |fields dest] |・・・・
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For an explanation of how HiroshiSatoh's answer works, see the "format" command.
https://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Changetheformatofsubsearchresults
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can edit the value of the text field with a subquery.
index=XXX [search noop|stats count | eval dest="$ip$"|eval dest=split(dest," ") |table dest]|・・・・
↓Correct.
index=XXX [| noop|stats count | eval dest="$ip$"|eval dest=split(dest," ") |mvexpand dest|fields dest] |・・・・
(It still worked)
index=XXX [| noop|stats count | eval dest="$ip$"|eval dest=split(dest," ") |fields dest] |・・・・
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah, but now it's getting more complicated. I need to search for the address list in src AND dest fields, so I tried:
[search noop | stats count | eval src="$cidr" | eval src=split(src, " "), dest=split(src, " ") |
table src, dest ]
But it only returns events where src matches. And this:
[search noop | stats count | eval src="$cidr",dest="$cidr"
| eval src=split(src, " "), dest=split(dest, " ")
| table src, dest ]
yields no results at all 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please perform sub search separately.
index=XXX [| noop|stats count | eval src="$cidr$"|eval src=split(src," ") |mvexpand src|fields src] [| noop|stats count | eval dest="$cidr$"|eval dest=split(dest," ") |mvexpand dest|fields dest] |・・・・
↓
( (src=XXX) OR (src=XXX) OR (src=XXX) OR (src=XXX) ) AND ( (dest=XXX) OR (dest=XXX) OR (dest=XXX) OR (dest=XXX) )
※Please be careful because it is AND condition.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Holy cow, works like a charm! Thanks a lot, HiroshiSatoh!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you need an mvexpand command as well (after split).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I also thought so.
But just by splitting it worked fine.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
