Dashboards & Visualizations

How to pass token to input?

DaveBunn
Path Finder

I need the output token of a text box to be the true option of a radio button.

I have two text inputs Username going to $upn$ and Asset going to $asset$ (Both are * as default)

The base search is index=azuread devicename=$asset$ userPrincipalName=$upn$

So this works perfectly, allowing filtering by user and/or asset.

But I want to pull in our VPN logs (with an append so that both show in the same table in time order).

The trouble is that our VPN logs only record by asset and are very noisy, so they need to be filtered by asset before the append. But when asset is "*" then everything is displayed, obscuring the Azure login detail.

I've tried adding a radio button (with the token being $vpn_asset$).  I've set the False option as default returning "This_is_not_a_valid_asset_name" which will not match anything in the VPN logs.

I want to set the true option to be $asset$ so that it uses the token from the ASSET text box.

When selecting false, the search "index=VPN deviceName=$vpn$" substitutes $vpn$ with "This_is_not_a_valid_asset_name", which is correct, but when selecting true, the token $vpn$ simply gets substituted with the literal "$asset$", whereas I would expect it to be substituted with the contents of the ASSET text input.

Any ideas?

The code is something like this (poetic licence is used for simplicity)

input Title="Insert User Principal Name" type=text token=upn default=*
input Title="Insert Asset Name" type=text token=asset default=*
input Title="Include VPN Logs" type=radio token=vpn false="not_an_asset" true="$asset$" default=false

index=azure userPrincipalName="$upn$" userDeviceName="$asset$"
|append [search index=VPN deviceName="$vpn$"]


Whilst "Include VPN Logs" is set to false, the deviceName="not_an_asset" will result in zero VPN logs returned. I need this to pass through the asset detail in the asset input box when set to true, therefore the azure logon details will be interspersed with the VPN logs making assessment easier.

1 Solution

DaveBunn
Path Finder

So I seem to have solved my problem, using the following subquery within the radio button, but this seems clunky. Is there another way?

<input type="radio" token="vpn" searchWhenChanged="true">
  <label>Include VPN Logs</label>
  <choice value="kwisatz_haderach">Exclude</choice>
  <default>kwisatz_haderach</default>
  <initialValue>kwisatz_haderach</initialValue>
  <fieldForLabel>ASSET</fieldForLabel>
  <fieldForValue>ASSET</fieldForValue>
  <search>
    <query>| makeresults
| eval ASSET="$asset$"
| table ASSET</query>
  </search>
</input>


ITWhisperer
SplunkTrust

Use the change handler for the radio button to set a token using the $asset$ token as appropriate.



ITWhisperer
SplunkTrust

You could try something like this:

<input type="radio" token="vpn" searchWhenChanged="true">
  <label>Include VPN Logs</label>
  <choice value="kwisatz_haderach">Exclude</choice>
  <choice value="ASSET">ASSET</choice>
  <default>kwisatz_haderach</default>
  <initialValue>kwisatz_haderach</initialValue>
  <change>
    <condition value="ASSET">
      <set token="vpntoken">$asset$</set>
    </condition>
    <condition value="kwisatz_haderach">
      <set token="vpntoken">*</set>
    </condition>
  </change>
</input>
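To show how the change-handler approach above fits into the whole dashboard, here is an added, complete Simple XML form that is not from either poster. It assumes the index and field names sketched in the question (index=azuread, index=VPN, userPrincipalName, userDeviceName, deviceName), uses the question's sentinel value for the Exclude case so that the append returns nothing rather than every VPN event, and applies the $token|s$ filter so that a typed quote or pipe in an input cannot alter the structure of the search.

```xml
<form>
  <label>Azure AD sign-ins with optional VPN logs</label>
  <!-- give $vpntoken$ a value before the first search runs -->
  <init>
    <set token="vpntoken">This_is_not_a_valid_asset_name</set>
  </init>
  <fieldset submitButton="false">
    <input type="text" token="upn" searchWhenChanged="true">
      <label>Insert User Principal Name</label>
      <default>*</default>
    </input>
    <input type="text" token="asset" searchWhenChanged="true">
      <label>Insert Asset Name</label>
      <default>*</default>
    </input>
    <input type="radio" token="vpn" searchWhenChanged="true">
      <label>Include VPN Logs</label>
      <choice value="EXCLUDE">Exclude</choice>
      <choice value="ASSET">Include for this asset</choice>
      <default>EXCLUDE</default>
      <change>
        <!-- $asset$ is resolved when the radio changes, so $vpntoken$
             holds the asset value as it was at that moment -->
        <condition value="ASSET">
          <set token="vpntoken">$asset$</set>
        </condition>
        <!-- sentinel from the question: matches no real device -->
        <condition value="EXCLUDE">
          <set token="vpntoken">This_is_not_a_valid_asset_name</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- |s quotes and escapes each value; a quoted * is still a wildcard -->
          <query>index=azuread userPrincipalName=$upn|s$ userDeviceName=$asset|s$
| append [search index=VPN deviceName=$vpntoken|s$]
| sort - _time</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the handler only fires when the radio itself changes, editing the asset box while "Include" is already selected leaves $vpntoken$ at the old value until the radio is re-selected.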