
How to pass token to input?

DaveBunn
Path Finder

I need the output token of a text box to be the true option of a radio button.

I have two text inputs, Username going to $upn$ and Asset going to $asset$ (both are * as default).

The base search is index=azuread devicename=$asset$ userPrincipalName=$upn$

So this works perfectly, allowing filtering by user and/or asset.

But I want to pull in our VPN logs (with an append so that both show in the same table in time order).

The trouble is that our VPN logs only record by asset and are very noisy, so they need to be filtered by asset before the append. But when asset is "*" then everything is displayed, obscuring the Azure login detail.

I've tried adding a radio button (with the token being $vpn_asset$).  I've set the False option as default returning "This_is_not_a_valid_asset_name" which will not match anything in the VPN logs.

I want to set the true option to be $asset$ so that it uses the token from the ASSET text box.

When selecting false, the search "index=VPN deviceName=$vpn$" substitutes $vpn$ with "This_is_not_a_valid_asset_name", which is correct, but when selecting true, the token $vpn$ simply gets substituted with $asset$, whereas I would expect it to be substituted with the contents of the ASSET text input.

Any ideas?

The code is something like this (poetic licence is used for simplicity):

input Title="Insert User Principal Name" type=text token=upn default=*
input Title="Insert Asset Name" type=text token=asset default=*
input Title="Include VPN Logs" type=radio token=vpn false="not_an_asset" true="$asset$" default=false

index=azure userPrincipalName="$upn$" userDeviceName="$asset$"
|append [search index=VPN deviceName="$vpn$"]

Whilst "Include VPN Logs" is set to false, the deviceName="not_an_asset" will result in zero VPN logs returned. I need this to pass through the asset detail in the asset input box when set to true, therefore the azure logon details will be interspersed with the VPN logs making assessment easier.

1 Solution

DaveBunn
Path Finder

So I seem to have solved my problem, using the following subquery within the radio button, but this seems clunky. Is there another way?

<input type="radio" token="vpn" searchWhenChanged="true">
  <label>Include VPN Logs</label>
  <choice value="kwisatz_haderach">Exclude</choice>
  <default>kwisatz_haderach</default>
  <initialValue>kwisatz_haderach</initialValue>
  <fieldForLabel>ASSET</fieldForLabel>
  <fieldForValue>ASSET</fieldForValue>
  <search>
    <query>| makeresults 
    | eval ASSET="$asset$" 
    | table ASSET</query>
  </search>
</input>


ITWhisperer
SplunkTrust

Use the change handler for the radio button to set a token using the $asset$ token as appropriate.


ITWhisperer
SplunkTrust

You could try something like this

<input type="radio" token="vpn" searchWhenChanged="true">
  <label>Include VPN Logs</label>
  <choice value="kwisatz_haderach">Exclude</choice>
  <choice value="ASSET">ASSET</choice>
  <default>kwisatz_haderach</default>
  <initialValue>kwisatz_haderach</initialValue>
  <change>
    <condition value="ASSET">
      <set token="vpntoken">$asset$</set>
    </condition>
    <condition value="kwisatz_haderach">
      <set token="vpntoken">*</set>
    </condition>
  </change>
</input>
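
The change-handler approach from this thread wired into a complete form, as an added example that is not code posted by either participant. It reuses the index, field and token names from the posts above; the dashboard label, the time range, the `<init>` block, the final sort, and the choice to set the non-matching placeholder (rather than `*`) on Exclude are assumptions based on the behaviour the question asks for.

```xml
<form version="1.1">
  <label>Azure sign-ins with optional VPN logs</label>
  <init>
    <set token="vpntoken">kwisatz_haderach</set>
  </init>
  <fieldset submitButton="false">
    <input type="text" token="upn" searchWhenChanged="true">
      <label>Insert User Principal Name</label>
      <default>*</default>
    </input>
    <input type="text" token="asset" searchWhenChanged="true">
      <label>Insert Asset Name</label>
      <default>*</default>
    </input>
    <input type="radio" token="vpn" searchWhenChanged="true">
      <label>Include VPN Logs</label>
      <choice value="kwisatz_haderach">Exclude</choice>
      <choice value="ASSET">Include</choice>
      <default>kwisatz_haderach</default>
      <change>
        <!-- $asset$ is resolved when the handler runs, so vpntoken gets the text box contents -->
        <condition value="ASSET">
          <set token="vpntoken">$asset$</set>
        </condition>
        <!-- Any other selection: placeholder that matches no deviceName, so the append adds nothing -->
        <condition>
          <set token="vpntoken">kwisatz_haderach</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=azure userPrincipalName="$upn$" userDeviceName="$asset$"
| append [search index=VPN deviceName="$vpntoken$"]
| sort 0 _time</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The handler runs when the radio selection changes, so `vpntoken` holds the asset value as it was at that moment; after editing the asset box, re-select Include to refresh it.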