Dashboards & Visualizations

How to token in an eval sha256 function under a Simple XML drilldown condition

cjenkins666
New Member

I am trying to pass a url token from my dashboard search results, to VirusTotal, based on the parameters they require.
I need to pass the SHA256 value of the URL string, as well as the url string itself to Virustotal.

Here is the format needed by Virustotal and an example:
https://www.virustotal.com/gui/url/[sha256 of url]/detection?q=[url string]

Example: https://www.virustotal.com/gui/url/1a1008c3ddbeb9a1b57f0b358527a65597a00cf5fcd5b43297e1148f423dff57/...

In my drilldown condition I have this syntax for passing the row field value and transforming it to a sha256 value using eval statement.
Problem is the sha256() function does not appear to work, the value passed is the whole eval line?

      <condition field="Url">
        <eval token="sha_url_tok">sha256($row.Url$)</eval>
        <link target="_blank">https://www.virustotal.com/gui/home/url/$sha_url_tok$/detection?q=$row.Url$</link>
      </condition>

I have tried all these formats with no success:

sha256("\"row.Url"\")
sha256($row.Url$)
sha256("$row.Url$")
sha256('row.Url')
sha256('$row.Url$')
sha256(row.Url)

This is the output I get, where the sha256 function is passed as a whole statement along with the eval syntax, and the $row.Url$ token after the "detection?q=" is passed correctly. Only the output from the sha256 function is not being processed correctly.

Output:
https://www.virustotal.com/gui/home/url/eval%20sha256(http%3A%2F%2Fbodelen.com%2Fapu.php%3Fzoneid%5C...

Any ideas on how to get the sha256 function to work properly?

0 Karma
1 Solution

maityayan1996
Path Finder

<panel depends="$bb$" rejects="$aa$">
  <table>
    <search>
      <query>| makeresults | eval Url="https://answers.splunk.com/answers/751606/how-to-token-in-an-eval-sha256-function-under-a-si.html" | table Url | eval sha=sha256(Url)</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">100</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">row</option>
    <option name="percentagesRow">false</option>
    <option name="refresh.display">progressbar</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
    <drilldown>
      <condition field="Url">
        <set token="aa"></set>
        <unset token="bb"></unset>
        <link target="_blank">https://www.virustotal.com/gui/url/$row.sha$</link>
      </condition>
    </drilldown>
  </table>
</panel>
<panel depends="$aa$" rejects="$bb$">
  <table>
    <search>
      <query>| makeresults | eval Url="https://answers.splunk.com/answers/751606/how-to-token-in-an-eval-sha256-function-under-a-si.html" | table Url </query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">100</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">row</option>
    <option name="percentagesRow">false</option>
    <option name="refresh.display">progressbar</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
    <drilldown>
      <set token="bb"></set>
      <unset token="aa"></unset>
    </drilldown>
  </table>
</panel>

You can use two panels; one of them will be hidden at a time. The only thing is that you have to click twice to get the answer. You can use this logic.
Also, you have to use the init tag to set the "bb" token at the start of the dashboard.

View solution in original post

0 Karma
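The dashboard only needs to emit the URL the question describes, and the hard part is confirming that the value that lands in the link is really a SHA-256 digest and not un-evaluated text, as in the output the question shows. The following Python is an added example, not code from the thread or from Splunk: it builds the link the way the question specifies (sha256 of the exact URL string, query value percent-encoded), and it validates a drilldown-produced link before anything opens or logs it. The sample URL is constructed for the example; the `/gui/home/url/` path variant is accepted only because that is what the question's dashboard produced.

```python
import hashlib
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed sample input for the example (not a URL from the thread).
SAMPLE_URL = "http://example.com/apu.php?zoneid=12&sub=a+b"

VT_GUI = "https://www.virustotal.com/gui/url"
HEX64 = re.compile(r"[0-9a-f]{64}")


def url_id(url: str) -> str:
    """SHA-256 hex digest of the exact URL string (lowercase hex).

    This is what the VirusTotal GUI path in the question expects and what
    Splunk's `eval sha=sha256(Url)` produces. The hash covers the string
    byte for byte, so a trailing space or a different scheme case changes it.
    """
    return hashlib.sha256(url.encode("utf-8")).hexdigest()


def vt_link(url: str) -> str:
    """Build https://www.virustotal.com/gui/url/<sha256>/detection?q=<url>.

    The q= value is percent-encoded with no safe characters, so ':' and '/'
    inside the scanned URL cannot be confused with the link's own path.
    """
    return f"{VT_GUI}/{url_id(url)}/detection?q={quote(url, safe='')}"


def check_link(link: str) -> tuple[bool, str]:
    """Validate a drilldown-produced link. Returns (ok, reason).

    The path segment after /gui/url/ (or the /gui/home/url/ variant used in
    the question) must be a 64-hex SHA-256 that matches the SHA-256 of the q=
    parameter. This catches the failure mode from the question, where the
    literal text 'eval sha256(...)' was placed in the path because the token
    never evaluated.
    """
    parts = urlsplit(link)
    m = re.fullmatch(r"/gui/(?:home/)?url/([^/]+)/detection", parts.path)
    if m is None:
        return False, "unexpected path layout"
    digest = unquote(m.group(1))
    if HEX64.fullmatch(digest) is None:
        return False, f"path segment is not a SHA-256 digest: {digest[:32]!r}"
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    if "q" not in query:
        return False, "missing q= parameter"
    if url_id(query["q"]) != digest:
        return False, "digest does not match the q= URL"
    return True, "ok"


if __name__ == "__main__":
    good = vt_link(SAMPLE_URL)
    print(good)
    print(check_link(good))
    # Shape of what the question's dashboard actually emitted (constructed).
    q = quote(SAMPLE_URL, safe="")
    bad = f"https://www.virustotal.com/gui/home/url/eval%20sha256({q})/detection?q={q}"
    print(check_link(bad))
```

Run it as a script to see one accepted and one rejected link. The check is deliberately strict about the digest matching the q= value: a link whose path digest is valid hex but belongs to a different URL (a stale token from a previous row, for instance) is rejected too.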

cjenkins666
New Member

This is what I wound up doing, as the calc for sha256 did not take that long per url.

| eval "sha_url_tok"=sha256(url)

Then passed the $sha_url_tok$ out to the Virustotal API.

0 Karma


cjenkins666
New Member

I resolved this with a workaround, in my base search I added the eval statement to create a token that did the sha256 for each value that had a url. Then referenced that in my link to Virustotal.

| eval "sha_url_tok"=sha256(url)

This is not ideal, in that it does the sha256 on every url in my search results. What I want is to do it only when the url is clicked in the search results panel.

0 Karma

dmarling
Builder

You can hide the parameter from what is displayed by using <fields></fields> in your dashboard:

    <panel>
      <table>
        <search>
          <query>base search
          | eval "sha_url_tok"=sha256(Url)
          | table Url sha_url_tok</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <!-- only Url is displayed; sha_url_tok stays in the row and is still available to the drilldown -->
        <fields>["Url"]</fields>
        <drilldown>
          <condition field="Url">
            <!-- values from the clicked row are referenced as $row.<field>$ -->
            <link target="_blank">https://www.virustotal.com/gui/home/url/$row.sha_url_tok$/detection?q=$row.Url$</link>
          </condition>
        </drilldown>
      </table>
    </panel>
If this comment/answer was helpful, please up vote it. Thank you.
0 Karma