
How to token in an eval sha256 function under a Simple XML drilldown condition

cjenkins666
New Member

I am trying to pass a url token from my dashboard search results, to VirusTotal, based on the parameters they require.
I need to pass the SHA256 value of the URL string, as well as the url string itself to Virustotal.

Here is the format needed by Virustotal and an example:
https://www.virustotal.com/gui/url/[sha256 of url]/detection?q=[url string]

Example: https://www.virustotal.com/gui/url/1a1008c3ddbeb9a1b57f0b358527a65597a00cf5fcd5b43297e1148f423dff57/...

In my drilldown condition I have this syntax for passing the row field value and transforming it to a SHA256 value using an eval statement.
The problem is that the sha256() function does not appear to work; the value passed is the whole eval line.

      <condition field="Url">
        <eval token="sha_url_tok">sha256($row.Url$)</eval>
        <link target="_blank">https://www.virustotal.com/gui/home/url/$sha_url_tok$/detection?q=$row.Url$</link>
      </condition>

I have tried all these formats with no success:

sha256("\"row.Url"\")
sha256($row.Url$)
sha256("$row.Url$")
sha256('row.Url')
sha256('$row.Url$')
sha256(row.Url)

This is the output I get, where the sha256 function is passed as a whole statement along with the eval syntax, while the $row.Url$ token after "detection?q=" is passed correctly. Only the output of the sha256 function is not being processed correctly.

Output:
https://www.virustotal.com/gui/home/url/eval%20sha256(http%3A%2F%2Fbodelen.com%2Fapu.php%3Fzoneid%5C...

Any ideas on how to get the sha256 function to work properly?

1 Solution

maityayan1996
Path Finder

<form>
  <label>virus</label>
  <!-- "bb" is set when the dashboard loads, so the first panel (depends="$bb$") is the one shown initially -->
  <init>
    <set token="bb">true</set>
  </init>
  <row>
    <panel depends="$bb$" rejects="$aa$">
      <table>
        <search>
          <query>| makeresults | eval Url="https://answers.splunk.com/answers/751606/how-to-token-in-an-eval-sha256-function-under-a-si.html" | table Url | eval sha=sha256(Url)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition field="Url">
            <!-- clicking a row swaps the visible panel and opens the link built from the per-row sha field -->
            <set token="aa"></set>
            <unset token="bb"></unset>
            <link target="_blank">https://www.virustotal.com/gui/url/$row.sha$</link>
          </condition>
        </drilldown>
      </table>
    </panel>
    <panel depends="$aa$" rejects="$bb$">
      <table>
        <search>
          <query>| makeresults | eval Url="https://answers.splunk.com/answers/751606/how-to-token-in-an-eval-sha256-function-under-a-si.html" | table Url </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <!-- clicking here swaps back to the first panel -->
          <set token="bb"></set>
          <unset token="aa"></unset>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

You can use two panels; only one will be visible at a time. The only thing is that you have to click two times to get the answer. You can use this logic.
Also, you have to use the init tag to set the "bb" token at the start of the dashboard.


cjenkins666
New Member

This is what I wound up doing, as the sha256 calculation did not take that long per URL.

| eval "sha_url_tok"=sha256(url)

Then I passed $sha_url_tok$ out to the VirusTotal API.


cjenkins666
New Member

I resolved this with a workaround: in my base search I added the eval statement to create a token that did the sha256 for each value that had a URL. Then I referenced that in my link to VirusTotal.

| eval "sha_url_tok"=sha256(url)

This is not ideal, in that it does the sha256 on every URL in my search results. What I want is to do it only when the URL is clicked in the search results panel.


dmarling
Builder

You can hide the parameter from what is displayed by using <fields></fields> in your dashboard:

    <panel>
      <table>
        <search>
          <!-- the hash is computed once per result row; "Url" matches the field name used in the table and drilldown -->
          <query>base search
          | eval "sha_url_tok"=sha256(Url)
          | table Url sha_url_tok </query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <!-- only Url is rendered; sha_url_tok stays in the row data and is still reachable as $row.sha_url_tok$ -->
        <fields>["Url"]</fields>
        <drilldown>
          <condition field="Url">
            <link target="_blank">https://www.virustotal.com/gui/home/url/$row.sha_url_tok$/detection?q=$row.Url$</link>
          </condition>
        </drilldown>
      </table>
    </panel>
If this comment/answer was helpful, please up vote it. Thank you.
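To check what the hidden sha_url_tok column and the drilldown link should contain before wiring them into Simple XML, the following added Python example (not code from this thread or from Splunk) reproduces `| eval sha_url_tok=sha256(Url)` and the link format given in the question, then validates a rendered link by checking that the path segment after /gui/url/ is a 64-character hex digest, which is exactly what the unresolved "eval sha256(...)" output in the question fails. The sample URLs are constructed for the example; the VirusTotal path layout is taken from the thread.

```python
import hashlib
from urllib.parse import quote

# Constructed sample rows standing in for the "Url" column of the dashboard table.
SAMPLE_URLS = [
    "http://example.com/path?zoneid=1",
    "https://example.org/",
]

VT_BASE = "https://www.virustotal.com/gui/url"


def sha256_hex(text: str) -> str:
    """Lower-case hex SHA-256 of the UTF-8 string, the same result Splunk's sha256() eval function gives."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def virustotal_link(url: str) -> str:
    """Build the link the drilldown should produce: <VT_BASE>/<sha256 of url>/detection?q=<encoded url>.

    quote(..., safe="") also encodes ':' '/' '?' '=', which matches how the $row.Url$ token
    appeared in the question's output (http%3A%2F%2F...).
    """
    return f"{VT_BASE}/{sha256_hex(url)}/detection?q={quote(url, safe='')}"


def table_rows(urls):
    """Mirror `| eval sha_url_tok=sha256(Url) | table Url sha_url_tok`: one dict per result row."""
    return [{"Url": u, "sha_url_tok": sha256_hex(u)} for u in urls]


def is_resolved_link(link: str) -> bool:
    """Return True only if the segment after /gui/url/ is a 64-char hex digest.

    A link in which the eval expression was passed through verbatim (the symptom in the
    question) has non-hex text in that position and is rejected.
    """
    prefix = VT_BASE + "/"
    if not link.startswith(prefix):
        return False
    segment = link[len(prefix):].split("/", 1)[0]
    return len(segment) == 64 and all(c in "0123456789abcdef" for c in segment)


if __name__ == "__main__":
    for row in table_rows(SAMPLE_URLS):
        link = virustotal_link(row["Url"])
        state = "resolved" if is_resolved_link(link) else "UNRESOLVED"
        print(f"{row['Url']} -> {link} [{state}]")
    # Constructed reproduction of the broken output from the question, with the eval text passed literally:
    broken = VT_BASE + "/eval%20sha256(http%3A%2F%2Fexample.com)/detection?q=x"
    print(f"{broken} [{'resolved' if is_resolved_link(broken) else 'UNRESOLVED'}]")
```

Run it directly to print one link per sample row; compare the sha_url_tok values with what the Splunk table shows for the same strings. Note that the hash is over the exact string in the Url field, so any trailing whitespace or differing scheme case in the event data yields a different identifier.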