Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Tokens not propagating values
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tokens not propagating values
I have multiple Input text boxes with comma separated input text values.
below is my requirement.
Box1 have domain names e.g. (www.abc.com, www.xyz.com)
Box2 have multiple MD5 hashes ( 'sdfsdfsdfsdf6546545645646','6564654654564654654564sd')
Now I want that If i put comma seperated input to Box1 test box, it should open a search panel and show me the results.
and If copy MD5 comma seperated hashes to Box2 text box, then the panel1 should show me the results from Box2.
and IF THERE IS NO INPUT AT ALL IN BOTH INPUTS BOXES THEN THE SEARCH PANEL ALSO SHOULD DISAPPEAR AND NO SEARCH SHOULD RUN IN BACKGROUND
<form>
<label>Threat_Intelligance</label>
<description>Include a multiselect input.</description>
<!-- Independent search to set the required filter from comma separated value in text box -->
<!-- For example: www.abc.com,www.xyz.com,www.aaa.com converts to src_ip IN ("www.abc.com","www.xyz.com","www.aaa.com") -->
<search>
<query>| makeresults
| fields - _time
| eval iocFilter=$ioc1|s$
| eval md5Filter=$md5|s$
| eval iocFilter="url IN (\"".replace(iocFilter,",","\",\"")."\")"
| eval md5Filter="process_md5 IN (\"".replace(md5Filter,",","\",\"")."\")"
</query>
<done>
<set token="tokIOCFilter">$result.iocFilter$</set>
<set token="tokmd5Filter">$result.md5Filter$</set>
</done>
</search>
<fieldset autoRun="true" submitButton="true">
<input type="text" token="ioc1" searchWhenChanged="true">
<label>URL</label>
<change>
<condition>
<set token="tokIOCFilter">$result.iocFilter$</set>
</condition>
</change>
</input>
<input type="text" token="md5">
<label>md5</label>
<change>
<condition>
<set token="tokmd5Filter">$result.md5Filter$</set>
</condition>
</change>
</input>
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<event>
<search>
<query>index=proxy OR index=edr ($tokIOCFilter$ OR $tokmd5Filter$)</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="refresh.display">progressbar</option>
</event>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are doing waaaaaaaaaaaaaay too much work. First of all, I think your modification from OR to IN is silly, and that was the beginning of all of your problems. But presuming that you have some need for this, I have made that work (again, without that, your dashboard would have been brain-dead simple and worked the on the first try):
<form>
<label>Threat_Intelligance</label>
<description>Include a multiselect input.</description>
<fieldset autoRun="true" submitButton="true">
<input type="text" token="ioc1">
<label>URL</label>
<change>
<condition match="len($value$)==0">
<unset token="ioc1"></unset>
</condition>
<condition>
<eval token="ioc1">"url IN (\"" . replace($value$, ",", "\", \"") . "\")"</eval>
</condition>
</change>
</input>
<input type="text" token="md5">
<label>md5</label>
<change>
<condition match="len($value$)==0">
<unset token="md5"></unset>
</condition>
<condition>
<eval token="md5">"process_md5 IN (\"" . replace($value$, ",", "\", \"") . "\")"</eval>
</condition>
</change>
</input>
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row depends="$ioc1$ $md5$">
<panel>
<title>ioc1="$ioc1$", md5="$md5$"</title>
<event>
<search>
<query>index=proxy OR index=edr ($ioc1$ OR $md5$)</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="refresh.display">progressbar</option>
</event>
</panel>
</row>
</form>
Personally, I would ditch the Submit button and set everything else to searchWhenChanged=true.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi wood,
that's an interesting approach,
I found that when I give input in bot text boxes then results appear, whereas I need one input at one time.
i believe below parameters are causing this.
<row depends="$ioc1$ $md5$">
HOW CAN WE FIX THIS.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@riqbal47010 Can you try the following steps one by one
1. Add searchWhenChanged="true" to md5 text box.
2. Remove Submit Button i.e. submitButton="false"
If the token behavior is still not as expected please let us know which scenario does not work (expected behavior vs actual behavior).
Also refer to one of my older answers to understand Default and Submitted token models in Splunk: https://answers.splunk.com/answers/742451/searchwhenchangedfalse-not-honored-1.html
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works at last.
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
