Hoping that I may be able to get some assistance with this dashboard. Full disclosure, I am not a Splunk aficionado by any stretch, but I am trying to put together a dashboard that..
1. takes an account as input and queries the ports that it hits the AD domain controller on.
2. drills down with a query for F5 logs using the time frame passed from drill down selection as well as the ADDC IP and ports.
In a nutshell, we want to follow the service account authentication to the loadbalancer and identify the actual client since logs against AD only show the F5 IP.
Have tried a number of different methods for this but can't get the drill down to process as intended with the necessary parameters passing. Also open to rethinking the approach if necessary. Originally tried using a transaction to capture events and associate them but there was a lot of noise to filter out.
XML shown below:
<form theme="dark">
<label>Account Drilldown</label>
<fieldset submitButton="false" autoRun="false">
<input type="time" token="dt" searchWhenChanged="true">
<label>Timeframe</label>
<default>
<earliest>@d</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="directoryValue" searchWhenChanged="true">
<label>Directory</label>
<choice value="index=index host=*ad* "Source_Port" OR "Port" Account_Name="*">Active Directory</choice>
</input>
<input type="text" token="accountSearch" searchWhenChanged="true">
<label>Account Name</label>
<default>Type Account Here</default>
</input>
<input type="multiselect" token="srcport" depends="$dt.earliest$,$dt.latest$" searchWhenChanged="true">
<label>Domain Controller Ports</label>
<choice value="*">All</choice>
<search id="activityList">
<query>$directoryValue$$accountSearch$*" | fields Source_Network_Address, Port, Source_Port | eval srcip = Source_Network_Address, Port = Source_Port, srcport = Port | table _time, srcip, srcport</query>
<earliest>@d</earliest>
<latest>now</latest>
</search>
<fieldForLabel>srcport</fieldForLabel>
<fieldForValue>srcport</fieldForValue>
<prefix>(</prefix>
<suffix>)</suffix>
<delimiter> OR </delimiter>
</input>
</fieldset>
<row>
<panel>
<table>
<search base="activityList">
<![CDATA[index=index host=*ad* "Source_Port" OR "Port" Account_Name="*" | eval _querystring=replace(replace(ltrim(rtrim("$srcport$",")"),"("),"srcport=","form.srcport=")," OR ","&")]]>
</search>
<option name="count">5</option>
<option name="drilldown">row</option>
<option name="refresh.display">preview</option>
<drilldown>
<link>
<![CDATA[/app/team/account_activity_drilldown?form.dt.earliest=$earliest$&form.dt.latest=$latest$&form.srcip=$row.srcip$&form.srcport=$row.srcport$]]>
</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel id="drilldown" depends="$row.srcip$">
<table>
<search>
<query>| search index=index type=traffic dstport=* action=* policyid=* srcip="$srcip$" OR srcport="$srcport$"</query>
<earliest>$dt.earliest$</earliest>
<latest>$dt.latest$</latest>
</search>
<option name="drilldown">row</option>
<option name="refresh.display">preview</option>
<option name="rowNumbers">true</option>
</table>
</panel>
</row>
</form>