How to automate a request so that it adapts automatically to different log files?

pierra56
Explorer

For example, this request:

sourcetype="the_log_file" | stats sum(sent) as send sum(rcvd) as receive by src | sort - send,receive | head 5

I want to use another file without rewriting anything.

somesoni2
Revered Legend

Updated
Try this

your search to retrieve the list of sourcetypes | map maxsearches=100 search="your search string, using $sourcetype$ as the replacement for the values"

e.g.

index=* | stats count by sourcetype | table sourcetype | map maxsearches=100 search="index=* sourcetype=\"$sourcetype$\"  | stats sum(sent) as send sum(rcvd) as receive by src | sort - send,receive | head 5"

Old
You can create a dashboard with a dropdown or textbox to input the sourcetype, and then show the result in one panel. Something like this:

<form>
  <label>Dynamic Source</label>
  <fieldset autoRun="true">
    <input type="dropdown" token="sourcetype" searchWhenChanged="false">
      <label>Sourcetype</label>
      <choice value="*">All</choice>
      <default>*</default>
      <populatingSearch fieldForValue="sourcetype" fieldForLabel="sourcetype">
        <![CDATA[index=* earliest=-1h@h | stats count by sourcetype | table sourcetype ]]>
      </populatingSearch>
    </input>
  </fieldset>
  <row>
    <table>
      <title>Top 5 source</title>
      <searchString>index=* sourcetype="$sourcetype$"  | stats sum(sent) as send sum(rcvd) as receive by src | sort - send,receive | head 5</searchString>
      <earliestTime>-1h</earliestTime>
      <latestTime>now</latestTime>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="count">10</option>
    </table>
  </row>
</form>
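Combining the two pieces of this answer (the metadata search for the sourcetype list and the map template) into one search, as an added example that is not from the original answer; it assumes the sent, rcvd and src fields from the question exist in every sourcetype it touches, and it tags each row with the sourcetype it came from so the merged output stays readable:

```spl
| metadata type=sourcetypes index=*
| table sourcetype
| map maxsearches=100 search="search index=* sourcetype=\"$sourcetype$\" earliest=-1h@h | stats sum(sent) as send sum(rcvd) as receive by src | sort - send, receive | head 5 | eval sourcetype=\"$sourcetype$\""
| table sourcetype src send receive
```

map runs the inner search once per input row and stops at maxsearches (default 10), so set it above the number of sourcetypes returned; the trailing eval is what lets you tell which sourcetype each top-5 block belongs to once map merges the results.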

pierra56
Explorer

Thank you!! It works!!

somesoni2
Revered Legend

Try this as the populatingSearch:

|metadata type=sourcetypes index=* | stats count by sourcetype

pierra56
Explorer

HELP!!
I have no choices in my dropdown list. My sourcetypes are not there.

pierra56
Explorer

Again, thank you for your help.
But my dropdown list is empty. There is just "All" and not my log files.

Does it come from the token?

somesoni2
Revered Legend

I may have misunderstood the requirement here. Correct me if I am wrong: what you need is a single query which will generate results (using the query mentioned in the question itself) for each sourcetype without typing the whole query multiple times for each sourcetype. If yes, then try the updated answer.

pierra56
Explorer

hum...

All

<![CDATA[index= earliest=-1h@h | stats count by sourcetype | table sourcetype ]]>

I don't understand how the sourcetypes are incremented here, because I do not see anything changing.

somesoni2
Revered Legend

This is just a sample layout of a dashboard. Please update the queries as per your environment (put in a query which will get you the list of sources [or replace it with a textbox if you want to provide the data manually], and put in the actual query with the sourcetype parameterized).

pierra56
Explorer

Thanks for your response.

But your script doesn't work. The result is "This dashboard has no panels." Is it because it does not find the "sourcetype"?
