Getting Data In

How to correctly implement tokens in a base search format?

Manta_ray
Loves-to-Learn

Hey All, 

I'm trying to implement tokens in my base-search dashboard. But it seems like when I'm changing the token value it has no effect on the actual table I'm using. I'll be glad if someone may have an idea of what needs to be changed in order for it to work.

This is the Dashboard script: 
<form version="1.1" theme="light">
<label>Cloud One V2</label>
<search id="CloudOne_base">
<query>index=client* sourcetype=trendmicro:cloudone
| fields _time bv_src_ip, bv_src_dvc_hostname, bv_user, name, bv_vendor_reason ,bv_severity, target, bv_vendor_result</query>
<earliest>$_time.earliest$</earliest>
<latest>$_time.latest$</latest>
<refresh>2m</refresh>
<refreshType>delay</refreshType>
<done>
<set token="bv_src_ip">$ip$</set>
<set token="bv_src_dvc_hostname">$host$</set>
<set token="bv_user">$user$</set>
<set token="bv_severity">$severity$</set>
</done>
</search>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="_time">
<label>Time</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="multiselect" token="ip" searchWhenChanged="true">
<label>Source IP</label>
<choice value="*">*</choice>
<valuePrefix>bv_src_ip="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>bv_src_ip</fieldForLabel>
<fieldForValue>bv_src_ip</fieldForValue>
<search base="CloudOne_base">
<query>| fields bv_src_ip
| dedup bv_src_ip
| sort bv_src_ip</query>
</search>
<default>*</default>
<prefix>(</prefix>
<suffix>)</suffix>
<initialValue>*</initialValue>
</input>
<input type="multiselect" token="host" searchWhenChanged="true">
<label>Source Hostname</label>
<choice value="*">*</choice>
<default>*</default>
<valuePrefix>bv_src_dvc_hostname="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>bv_src_dvc_hostname</fieldForLabel>
<fieldForValue>bv_src_dvc_hostname</fieldForValue>
<search base="CloudOne_base">
<query>| stats count by bv_src_dvc_hostname
| dedup bv_src_dvc_hostname
| sort bv_src_dvc_hostname</query>
</search>
<initialValue>*</initialValue>
<prefix>(</prefix>
<suffix>)</suffix>
</input>
<input type="multiselect" token="user" searchWhenChanged="true">
<label>User</label>
<choice value="*">*</choice>
<default>*</default>
<valuePrefix>bv_user="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>bv_user</fieldForLabel>
<fieldForValue>bv_user</fieldForValue>
<search base="CloudOne_base">
<query>| stats count by bv_user
| dedup bv_user
| sort bv_user</query>
</search>
<initialValue>*</initialValue>
</input>
<input type="checkbox" token="severity" searchWhenChanged="true">
<label>Severity</label>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>bv_severity="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>bv_severity</fieldForLabel>
<fieldForValue>bv_severity</fieldForValue>
<search base="CloudOne_base">
<query>| stats count by bv_severity
| dedup bv_severity
| sort bv_severity</query>
</search>
<default>critical,high,informational,medium</default>
<initialValue>critical,high,informational,medium</initialValue>
</input>
</fieldset>
<row>
<panel>
<title>All Traffic Data</title>
<table>
<search base="CloudOne_base">
<query>| where bv_src_ip!="-"
| table _time, bv_src_ip, bv_src_dvc_hostname, bv_user, name, bv_vendor_reason ,bv_severity, target, bv_vendor_result
| rename bv_src_ip as "Source IP", bv_src_dvc_hostname as "Source Host", name as "Alert_Name", bv_vendor_reason as "Description", bv_severity as "Severity", bv_user as "User", bv_vendor_result as "Full Description", target as "Target Host"</query>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>


ITWhisperer
SplunkTrust

Your base search doesn't appear to be dependent on any tokens (apart from time), nor does your panel search, so there is no reason to rerun the search when the inputs change.


Manta_ray
Loves-to-Learn

Can you help and guide me on what to do differently in order to make it work?


ITWhisperer
SplunkTrust

First, you will have to explain what it is that you are trying to do.


Manta_ray
Loves-to-Learn

I'm trying to build a table that shows events from "sourcetype=trendmicro:cloudone".
Therefore I've created a base search that pulls the fields I want to show in the table.
Then I created a search that searches from that base search data. So far so good.

Later I wanted to add tokens that can filter by IP and Hostname. The tokens seem to filter the data, but selecting a value in the token box has no effect on the table itself.
For example, when I choose the token to filter "ip=xxx", it still shows all the other values such as "ip=yyy"...
My intention was to create a dashboard that can show all the data from the sourcetype and can also be filtered with tokens to show specific data; for example, hostname="something" shows all the traffic for that specific hostname.


ITWhisperer
SplunkTrust

The done handler for your base search was trying to set tokens using the field names with values from tokens which hadn't been defined (and to be honest were redundant for what you are trying to do).

You need to include a search in the table panel query that uses the tokens set by your inputs (one of which was a checkbox for some reason).

Try something like this:

<form version="1.1" theme="light">
<label>Cloud One V2</label>
<search id="CloudOne_base">
<query>index=client* sourcetype=trendmicro:cloudone
| fields _time bv_src_ip, bv_src_dvc_hostname, bv_user, name, bv_vendor_reason ,bv_severity, target, bv_vendor_result</query>
<earliest>$_time.earliest$</earliest>
<latest>$_time.latest$</latest>
<refresh>2m</refresh>
<refreshType>delay</refreshType>
</search>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="_time">
<label>Time</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="multiselect" token="ip" searchWhenChanged="true">
<label>Source IP</label>
<choice value="*">*</choice>
<valuePrefix>bv_src_ip="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>bv_src_ip</fieldForLabel>
<fieldForValue>bv_src_ip</fieldForValue>
<search base="CloudOne_base">
<query>| fields bv_src_ip
| dedup bv_src_ip
| sort bv_src_ip</query>
</search>
<default>*</default>
<prefix>(</prefix>
<suffix>)</suffix>
<initialValue>*</initialValue>
</input>
<input type="multiselect" token="host" searchWhenChanged="true">
<label>Source Hostname</label>
<choice value="*">*</choice>
<default>*</default>
<valuePrefix>bv_src_dvc_hostname="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>bv_src_dvc_hostname</fieldForLabel>
<fieldForValue>bv_src_dvc_hostname</fieldForValue>
<search base="CloudOne_base">
<query>| stats count by bv_src_dvc_hostname
| dedup bv_src_dvc_hostname
| sort bv_src_dvc_hostname</query>
</search>
<initialValue>*</initialValue>
<prefix>(</prefix>
<suffix>)</suffix>
</input>
<input type="multiselect" token="user" searchWhenChanged="true">
<label>User</label>
<choice value="*">*</choice>
<default>*</default>
<valuePrefix>bv_user="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>bv_user</fieldForLabel>
<fieldForValue>bv_user</fieldForValue>
<search base="CloudOne_base">
<query>| stats count by bv_user
| dedup bv_user
| sort bv_user</query>
</search>
<initialValue>*</initialValue>
</input>
<input type="multiselect" token="severity" searchWhenChanged="true">
<label>Severity</label>
<choice value="*">*</choice>
<default>*</default>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>bv_severity="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>bv_severity</fieldForLabel>
<fieldForValue>bv_severity</fieldForValue>
<search base="CloudOne_base">
<query>| stats count by bv_severity
| dedup bv_severity
| sort bv_severity</query>
</search>
</input>
</fieldset>
<row>
<panel>
<title>All Traffic Data</title>
<table>
<search base="CloudOne_base">
<query>| where bv_src_ip!="-"
| search $host$ $ip$ $user$ $severity$
| table _time, bv_src_ip, bv_src_dvc_hostname, bv_user, name, bv_vendor_reason ,bv_severity, target, bv_vendor_result
| rename bv_src_ip as "Source IP", bv_src_dvc_hostname as "Source Host", name as "Alert_Name", bv_vendor_reason as "Description", bv_severity as "Severity", bv_user as "User", bv_vendor_result as "Full Description", target as "Target Host"</query>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
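The two dashboards above differ only in where the input tokens are consumed: in the first, the only consumer of $ip$, $host$, $user$ and $severity$ is the base search's done handler, so no panel search ever re-runs when an input changes; in the second, the table's search carries `| search $host$ $ip$ $user$ $severity$`. The following script is an added example, not code from the thread or from Splunk: it parses a constructed, cut-down copy of both forms, flags input tokens that no search-time element (query, earliest, latest) references and tokens that are referenced but never defined, and shows the SPL fragment a multiselect expands to (prefix, valuePrefix/valueSuffix per value, delimiter, suffix) before it is substituted into `| search`. The wiring rules it applies are an assumption about how Simple XML resolves tokens, not Splunk's own validator, and the XML strings are constructed for the example.

```python
"""Check the token wiring of a Splunk Simple XML dashboard and show what a
multiselect input expands to before it is substituted into `| search $tok$`.
Added example; the dashboards below are constructed, cut-down copies."""
import re
import xml.etree.ElementTree as ET

# $name$ references, including dotted ones such as $_time.earliest$
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)\$")

# Constructed copy of the question's dashboard: the inputs set $ip$ and $host$,
# but the only consumer of those tokens is the base search's <done> handler.
BROKEN_XML = """<form version="1.1">
  <search id="base">
    <query>index=client* sourcetype=trendmicro:cloudone</query>
    <earliest>$_time.earliest$</earliest>
    <latest>$_time.latest$</latest>
    <done><set token="bv_src_ip">$ip$</set></done>
  </search>
  <fieldset>
    <input type="time" token="_time"/>
    <input type="multiselect" token="ip">
      <valuePrefix>bv_src_ip="</valuePrefix><valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter><prefix>(</prefix><suffix>)</suffix>
    </input>
    <input type="multiselect" token="host">
      <valuePrefix>bv_src_dvc_hostname="</valuePrefix><valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter><prefix>(</prefix><suffix>)</suffix>
    </input>
  </fieldset>
  <row><panel><table><search base="base">
    <query>| where bv_src_ip!="-" | table _time bv_src_ip bv_src_dvc_hostname</query>
  </search></table></panel></row>
</form>"""

# Same form with the answer's fix: drop the <done> handler and make the panel
# search consume the input tokens.
FIXED_XML = BROKEN_XML.replace(
    '<done><set token="bv_src_ip">$ip$</set></done>', ""
).replace('| where bv_src_ip!="-"', '| where bv_src_ip!="-" | search $host$ $ip$')


def defined_tokens(root):
    """Tokens an <input> or a <set> handler defines; a time input also
    defines <tok>.earliest and <tok>.latest (assumed Simple XML behaviour)."""
    defined = set()
    for inp in root.iter("input"):
        tok = inp.get("token")
        if not tok:
            continue
        defined.add(tok)
        if inp.get("type") == "time":
            defined.update({f"{tok}.earliest", f"{tok}.latest"})
    for s in root.iter("set"):
        if s.get("token"):
            defined.add(s.get("token"))
    return defined


def search_references(root):
    """Tokens referenced from search-time elements; these are the references
    that make a search re-run when the token changes."""
    refs = set()
    for tag in ("query", "earliest", "latest"):
        for el in root.iter(tag):
            refs.update(TOKEN_RE.findall(el.text or ""))
    return refs


def lint_dashboard(xml_text):
    """Return undefined token references and inputs no search consumes."""
    root = ET.fromstring(xml_text)
    defined = defined_tokens(root)
    refs = search_references(root)
    all_refs = set(refs)  # also count references inside <set> bodies
    for s in root.iter("set"):
        all_refs.update(TOKEN_RE.findall(s.text or ""))
    input_tokens = {i.get("token") for i in root.iter("input") if i.get("token")}
    return {
        "undefined": sorted(all_refs - defined),
        "unused_inputs": sorted(
            t for t in input_tokens
            if t not in refs and f"{t}.earliest" not in refs
        ),
    }


def expand_multiselect(xml_text, token, selected):
    """Build the value substituted for $token$: prefix, each selected value
    wrapped in valuePrefix/valueSuffix, joined by delimiter, then suffix."""
    root = ET.fromstring(xml_text)
    inp = next(i for i in root.iter("input") if i.get("token") == token)
    text = lambda tag: inp.findtext(tag, default="")
    parts = [f"{text('valuePrefix')}{v}{text('valueSuffix')}" for v in selected]
    return f"{text('prefix')}{text('delimiter').join(parts)}{text('suffix')}"


if __name__ == "__main__":
    for name, xml_text in (("broken", BROKEN_XML), ("fixed", FIXED_XML)):
        print(name, lint_dashboard(xml_text))
    print(expand_multiselect(FIXED_XML, "ip", ["10.0.0.1", "10.0.0.2"]))
```

Run on the broken form, the linter reports `ip` and `host` as unused inputs, which is the symptom in the question; on the fixed form it reports nothing. Two points worth keeping in mind when wiring inputs this way: the per-value valuePrefix/valueSuffix quoting is what keeps a selected hostname containing spaces or search operators from being parsed as extra search terms once it lands in `| search`, and the `*` default expands to `(bv_src_ip="*")`, which only matches events where that field exists.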

Manta_ray
Loves-to-Learn

Thank you so much. You helped a lot.
