Dashboards & Visualizations

How to get the drill down to process as intended in the search?

duwill
New Member

Hoping that I may be able to get some assistance with this dashboard. Full disclosure, I am not a Splunk aficionado by any stretch, but I am trying to put together a dashboard that..

1. takes an account as input and queries the ports that it hits the AD domain controller on.

2. drills down with a query for F5 logs using the time frame passed from drill down selection as well as the ADDC IP and ports.

In a nutshell, we want to follow the service account authentication to the loadbalancer and identify the actual client since logs against AD only show the F5 IP.

Have tried a number of different methods for this but can't get the drill down to process as intended with the necessary parameters passing. Also open to rethinking the approach if necessary. Originally tried using a transaction to capture events and associate them but there was a lot of noise to filter out.

XML shown below:

 

<form theme="dark">
<label>Account Drilldown</label>
<fieldset submitButton="false" autoRun="false">
<input type="time" token="dt" searchWhenChanged="true">
<label>Timeframe</label>
<default>
<earliest>@d</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="directoryValue" searchWhenChanged="true">
<label>Directory</label>
<choice value="index=index host=*ad* &quot;Source_Port&quot; OR &quot;Port&quot; Account_Name=&quot;*">Active Directory</choice>
</input>
<input type="text" token="accountSearch" searchWhenChanged="true">
<label>Account Name</label>
<default>Type Account Here</default>
</input>
<input type="multiselect" token="srcport" depends="$dt.earliest$,$dt.latest$" searchWhenChanged="true">
<label>Domain Controller Ports</label>
<choice value="*">All</choice>
<search id="activityList">
<query>$directoryValue$$accountSearch$*" | fields Source_Network_Address, Port, Source_Port | eval srcip = Source_Network_Address, Port = Source_Port, srcport = Port | table _time, srcip, srcport</query>
<earliest>@d</earliest>
<latest>now</latest>
</search>
<fieldForLabel>srcport</fieldForLabel>
<fieldForValue>srcport</fieldForValue>
<prefix>(</prefix>
<suffix>)</suffix>
<delimiter> OR </delimiter>
</input>
</fieldset>
<row>
<panel>
<table>
<search base="activityList">
<![CDATA[index=index host=*ad* &quot;Source_Port&quot; OR &quot;Port&quot; Account_Name=&quot;*" | eval _querystring=replace(replace(ltrim(rtrim("$srcport$",")"),"("),"srcport=","form.srcport=")," OR ","&")]]>
</search>
<option name="count">5</option>
<option name="drilldown">row</option>
<option name="refresh.display">preview</option>
<drilldown>
<link>
<![CDATA[/app/team/account_activity_drilldown?form.dt.earliest=$earliest$&form.dt.latest=$latest$&form.srcip=$row.srcip$&form.srcport=$row.srcport$]]>
</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel id="drilldown" depends="$row.srcip$">
<table>
<search>
<query>| search index=index type=traffic dstport=* action=* policyid=* srcip="$srcip$" OR srcport="$srcport$"</query>
<earliest>$dt.earliest$</earliest>
<latest>$dt.latest$</latest>
</search>
<option name="drilldown">row</option>
<option name="refresh.display">preview</option>
<option name="rowNumbers">true</option>
</table>
</panel>
</row>
</form>

 

Labels (4)
0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...