Dashboards & Visualizations

Is it possible to use several links with click.value2 and _raw?

Path Finder

Using Splunk 6.3.1. I noticed that click.value2 only works with one link whenever the same field is used (_raw in this case). I tried the following:

        <drilldown target="blank">
          <condition value="[[:alnum:]]{32}|[[:alnum:]]{40}|[[:alnum:]]{56}">
            <link>https://www.virustotal.com/en/search/?query=$click.value2$</link>
          </condition>
          <condition value="\d+?\.\d+?\.\d+?\.\d+?">
            <link>https://ipinfo.io/$click.value2$</link>
          </condition>
        </drilldown>

Is there any way to get around this? I could use the same link for hashes and IPs, but I would like to use different URLs if possible. Ideally, I would like there to be different URLs for searching hashes, IPs, and URLs. This is for a threat hunting dashboard that won't utilize predefined tables. I'm trying to add features to help automate hunting.

0 Karma
1 Solution

Champion

A drilldown element's condition only accepts the field as attribute, so with Simple XML, the drilldown behavior can only depend on which field is clicked. There are at least three ways you can do this however: You could either have two (or more) columns, each with their own drilldown, and do the logic in SPL, something like

| rex "(?<virustotal>[0-9a-fA-F]{56}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})|(?<ip>\d+?\.\d+?\.\d+?\.\d+?)"

This would create two columns, reflecting the fact that there are different contents in each of the fields, and users won't be surprised if they're sent to different sites when they click different fields (you could of course not care about this). For a more elaborate Simple XML solution, you could use <eval> to do the logic on the dashboard and use the eval'd token for drilldown, something like this:

<dashboard>
  <label>Drilldown to different sites depending on field content</label>
  <row>
    <panel>
      <table>
        <title>Token content: $token$</title>
        <search>
          <query>| makeresults | eval foo="123.123.123.123;123456" | makemv delim=";" foo | mvexpand foo</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <eval token="token">if(match($click.value2$, "\\d+\\."), "ipinfo.io/".$click.value2$, "www.virustotal.com/en/search?query=".$click.value2$)</eval>
          <link target="_blank">https://$token|n$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

Docs on the token filter |n here.
Finally, you can also do the logic and linking in js. If you've already got that on your dashboard, it's as simple as giving your table an id, getting the table with that id and adding a drilldown event listener. Hope one of these helps you out.


Path Finder

I was able to get around this by creating an input that set a token based on conditional values.

      <input type="dropdown" token="url" searchWhenChanged="false">
        <label>Select URL Direction</label>
        <choice value="hash">VirusTotal</choice>
        <choice value="ip">IPInfo</choice>
        <default>hash</default>
        <change>
          <condition value="hash">
            <set token="url">virustotal.com/en/search/?query=</set>
          </condition>
          <condition value="ip">
            <set token="url">ipinfo.io/</set>
          </condition>
        </change>
      </input>

The input aided in changing the drilldown link, but had to prefix it with https:// or else Splunk would throw an error.

        <drilldown target="blank">
          <condition>
            <set token="test">$url|u$$click.value2$</set>
            <link>https://$test|u$</link>
          </condition>
        </drilldown>

This solution works, but the links get URL encoded. Tried adding <![CDATA[ ]]> and using the token filter $token_name|u$, but neither worked. The anonymized sample data looks like this:

  • 5/23/18 7:39:58.966 AM 1306043181.135030 JcL2rzS48o0Wmb08a 10.000.31.45 16.001.57.000 QNAswt1Y3tPbDg4X0 HTTP 0 MD5,YIR0 text/html - 0.000000 T F 303 303 0 0 F - 26101e1x451k0p1o19nrd0l2500321uc z66444o02e12h53235r25j1u6xmzz028230cb062 - - - -
  • 5/23/18 7:39:58.965 AM 1306043181.454101 QNAswt1Y3tPbDg4X0 16.001.57.000 08750 10.000.31.45 70 1 GET 52.001.121.00 / - 1.1 TxmYQJ/7.41.0 aundrea/7.11.0 HscAWU/3.4.10 dong/1.2.8 lavera/1.31 marilee/2.3 0 303 404 Not Found - - (empty) - - - - - - JcL2rzS48o0Wmb08a - text/html
  • 5/23/18 7:39:58.615 AM 1306043181.404021 Eo20Hm2gm0xW6uFKZe 16.001.57.000 16450 10.000.31.45 70 1 HEAD 52.001.121.00 / - 1.1 TxmYQJ/7.41.0 aundrea/7.11.0 HscAWU/3.4.10 dong/1.2.8 lavera/1.31 marilee/2.3 0 0 404 Not Found - - (empty) - - - - - - - - -

VirusTotal's click.value2 would consume the hash 26101e1x451k0p1o19nrd0l2500321uc and direct to https://virustotal.com%252fen%252fsearch%252f%253fquery%253d26101e1x451k0p1o19nrd0l2500321uc/ rather than virustotal.com/en/search/?query=26101e1x451k0p1o19nrd0l2500321uc

IPInfo's click.value2 would ingest the external IP address 52.001.121.00 and direct to https://ipinfo.io%252f52.001.121.00/ rather than ipinfo.io/52.001.121.00

If I can fix the URL encoding issue, then I would also add a click.value2 for URLs. It would direct to another link I had in mind.

0 Karma
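The classification and encoding logic discussed in this thread, as an added Python example that is not part of the original posts or of Splunk: it mirrors the accepted answer's rex/eval approach (a hex digest of 32, 40 or 56 characters versus a dotted-quad IP, extended with a URL case) and reproduces the double encoding seen above when the token goes through |u once in <set> and again in <link>. The url-lookup target and all sample cell values except the anonymised IP from the post are constructed placeholders. Python's quote() emits uppercase hex (%2F) where the post's output shows lowercase (%2f); the bytes on the wire are the same.

```python
import re
from typing import Optional
from urllib.parse import quote

# Patterns equivalent to the accepted answer's rex: hex digests of 56, 40 or
# 32 characters (SHA-224, SHA-1, MD5 lengths) and a dotted-quad IP address.
# Anchors make sure a 40-char digest is not matched as a 32-char one.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{56}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})$")
IP_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
URL_RE = re.compile(r"^https?://", re.IGNORECASE)

# Link templates per value kind. The first two are the sites used in the thread;
# the url-lookup entry is a hypothetical placeholder for the "other link" the
# poster had in mind. None means "no pivot for this kind of cell".
TARGETS = {
    "hash": "https://www.virustotal.com/en/search/?query={value}",
    "ip": "https://ipinfo.io/{value}",
    "url": "https://example.invalid/url-lookup?q={value}",
    "unknown": None,
}


def classify(cell: str) -> str:
    """Decide which pivot a clicked cell value belongs to (the role the
    if(match(...)) eval plays in the accepted answer, extended to URLs)."""
    if HASH_RE.match(cell):
        return "hash"
    if IP_RE.match(cell):
        return "ip"
    if URL_RE.match(cell):
        return "url"
    return "unknown"


def build_link(cell: str) -> Optional[str]:
    """Assemble the drilldown URL, percent-encoding the clicked value exactly
    once. Only the value is encoded; the template's own '/' and '?' stay."""
    template = TARGETS[classify(cell)]
    if template is None:
        return None
    # safe="" also encodes '/', '?', '&' and '#', so a clicked URL or an odd
    # cell value cannot add its own path segments or query parameters.
    return template.format(value=quote(cell, safe=""))


def double_encode(prefix: str, value: str) -> str:
    """Reproduce the failure in the post above: the path prefix is encoded
    once when the token is set ($url|u$) and the whole token is encoded
    again in the link ($test|u$), so '/' becomes %2F and then %252F."""
    token = quote(prefix, safe="") + value      # <set token="test">$url|u$$click.value2$</set>
    return "https://" + quote(token, safe="")   # <link>https://$test|u$</link>


if __name__ == "__main__":
    # Constructed cell values: a made-up 32-hex-char digest, the anonymised
    # IP from the thread's sample data, a made-up URL and a protocol name.
    for cell in ["0123456789abcdef0123456789abcdef", "52.001.121.00",
                 "http://example.invalid/index.html?id=1", "HTTP"]:
        print(f"{cell!r:45} -> {classify(cell):8} {build_link(cell)}")
    print(double_encode("virustotal.com/en/search/?query=",
                        "0123456789abcdef0123456789abcdef"))
```

Running the block prints one resolved pivot per sample cell and then the doubly encoded VirusTotal URL, which shows the same %252f / %253f sequence as the post's output: the fix is to encode the clicked value once, in the link, and never to pass an already encoded token through |u again.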

Champion

I think the less specific question here is, "How can I link to different targets depending on a cell value?"

0 Karma

Path Finder

You can easily assign different targets to a single event if there are tokenized fields to work off of. This niche case seems harder because it requires assigning different click.value2 targets to raw events with undefined fields. It didn't matter if there were other conditions to follow. The target would always direct to the first link associated with the click.value2 based on previous trials. Maybe you can answer a semi-related question. Why does a query that was assigned through a text input process searches differently than actually running it within the search app? While searching through the search app, there are default fields that could be used as targets, but they are missing when trying to query off a text input.

0 Karma

Champion

I'm not 100% sure I understand the question. Differences between where a search is run can depend on app-specific knowledge objects, for example field extractions or lookups: if they are defined in the Searching & Reporting App with app-wide permissions, the resulting fields are not available to a search run in a different app.
However, using a text input to set the query of a search manager on a dashboard should not affect the search, for example compared to "hard-coding" it in Simple XML on the same dashboard. I could imagine effects from (un-)encoded tokens or something like that, but if that's not the case the searches will return the same results.
Another difference (not results-wise but it may appear so to you) is which fields are shown for a non-transforming search: entering a search string in the search view of any app runs it in smart mode, that means you'll see all the fields splunk can get its hands on. This does not at all change what you can do with the search (e.g. what fields you can then stats on), it only changes what fields splunk shows you in the search view. Running a search on a dashboard runs the search in fast mode, since there's no place to show the extracted fields. But as soon as you try to use one of the fields that are available (table, stats, ...), splunk will extract that field in fast mode.
If you have more questions now than before, feel free to ask a new question and maybe summon me there (@jeffland) 🙂

0 Karma

Path Finder

Thanks for the help @jeffland

0 Karma


Path Finder

I accepted your answer because there was no way to get my solution to work without the URLs being encoded. I hard-coded a table for the click functions and created a user definable post search panel below that. That way, users can still view the raw events, have click functions, and still have the option for running stats, creating a table, etc. Why is there a period between "ipinfo.io/" and $click.value2$? Also, why does the second click.value2 have no dollar signs, but quotes?

0 Karma

Champion

My bad for mixing dollars and single quotes - I've edited that. They are functionally identical.
The period between ipinfo.io/" and the token is for concatenation: we're in the "true"-path of an if statement. We want a string, combined from the hardcoded url and whatever is in the token. Compare | eval op = ";" | eval concatenated_field = "string 1".op."string 2" which would make concatenated_field equal string 1;string 2.

0 Karma

Path Finder

Thanks for the explanation!

0 Karma

Path Finder

Thanks for the solution, but users would mostly view the events without adding tables or regex. I could hard code a solution, but the focus is more towards quick views. It's supposed to be a threat hunting panel to identify malicious events and pivot to other surrounding events that are related. I'm just adding features to help automate the process. Also, I'm using Splunk 6.3.1, so $token|n$ would not work. Finally, I currently don't have permissions to add JavaScript.

0 Karma

SplunkTrust

@Nextbeat If you are working with Raw Events you can show them as Event Table in your Dashboard and setup Event Workflow Action to launch different URLs as needed. Refer to the following documentation: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/SetupaGETworkflowaction

If this is not what you need and you want two or three URLs to open on every click, you might have to code the same using JavaScript.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Path Finder

I have a post processing text input so that users can create tables, but they will probably want a quick view of the raw events. I already created a dashboard with tables of our most used indices. I may share them with this dashboard, but I'm trying to keep this one more focused. Unfortunately, I don't have access to add JavaScript. If only we could use JS within the XML.

0 Karma

SplunkTrust

Can you add some mock data for what virustotal and ipinfo URLs expect? If possible can you add sample raw events on which you have created regular expression based value match? Can an event have value for both virustotal and ipinfo at the same time or is it that some events are for virustotal and others are for ipinfo?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Path Finder

The solution I posted below has sample raw data, but it didn't use regex. An event can have values for both VirusTotal and IPInfo.

0 Karma