Security

how to automate requests for it to be adapted automatically to different log file?

pierra56
Explorer

For exemple
this request:
sourcetype="the_log_file" | stats sum(sent) as send sum(rcvd) as receive by src | sort - send,receive | head 5

I want to use another file but without rewriting any.

Tags (3)
0 Karma
1 Solution

somesoni2
Revered Legend

Updated
Try this

your search to retrieve list of sourcetype | map maxsearches=100 search="your search string with using $sourcetype" as replacement for values.

e.g.

index=* | stats count by sourcetype | table sourcetype | map maxsearches=100 search="index=* sourcetype=\"$sourcetype$\"  | stats sum(sent) as send sum(rcvd) as receive by src | sort - send,receive | head 5"

Old
You can create a dashboard with a dropdown or textbox to give input sourcetype, and then show the result in one panel. something like this

<form>
  <label>Dynamic Source</label>
  <fieldset autoRun="true">
    <input type="dropdown" token="sourcetype" searchWhenChanged="false">
      <label>Sourcetype</label>
      <choice value="*">All</choice>
      <default>*</default>
      <populatingSearch fieldForValue="sourcetype" fieldForLabel="sourcetype">
        <![CDATA[index=* earliest=-1h@h | stats count by sourcetype | table sourcetype ]]>
      </populatingSearch>
    </input>
  </fieldset>
  <row>
    <table>
      <title>Top 5 source</title>
      <searchString>index=* sourcetype="$sourcetype$"  | stats sum(sent) as send sum(rcvd) as receive by src | sort - send,receive | head 5</searchString>
      <earliestTime>-1h</earliestTime>
      <latestTime>now</latestTime>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="count">10</option>
    </table>
  </row>
</form>

View solution in original post

somesoni2
Revered Legend

Updated
Try this

your search to retrieve list of sourcetype | map maxsearches=100 search="your search string with using $sourcetype" as replacement for values.

e.g.

index=* | stats count by sourcetype | table sourcetype | map maxsearches=100 search="index=* sourcetype=\"$sourcetype$\"  | stats sum(sent) as send sum(rcvd) as receive by src | sort - send,receive | head 5"

Old
You can create a dashboard with a dropdown or textbox to give input sourcetype, and then show the result in one panel. something like this

<form>
  <label>Dynamic Source</label>
  <fieldset autoRun="true">
    <input type="dropdown" token="sourcetype" searchWhenChanged="false">
      <label>Sourcetype</label>
      <choice value="*">All</choice>
      <default>*</default>
      <populatingSearch fieldForValue="sourcetype" fieldForLabel="sourcetype">
        <![CDATA[index=* earliest=-1h@h | stats count by sourcetype | table sourcetype ]]>
      </populatingSearch>
    </input>
  </fieldset>
  <row>
    <table>
      <title>Top 5 source</title>
      <searchString>index=* sourcetype="$sourcetype$"  | stats sum(sent) as send sum(rcvd) as receive by src | sort - send,receive | head 5</searchString>
      <earliestTime>-1h</earliestTime>
      <latestTime>now</latestTime>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="count">10</option>
    </table>
  </row>
</form>

pierra56
Explorer

Thanks you !! It's work!!

0 Karma

somesoni2
Revered Legend

Try this as populatingSearch

|metadata type=sourcetypes index=* | stats count by sourcetype

pierra56
Explorer

HELP!!
I have no choice in my dropdown list. my sourcetype are not there.

0 Karma

pierra56
Explorer

Again thank you for your help.
But my dropdown list is empty. There is just all and not my log files.

it comes from the token?

0 Karma

somesoni2
Revered Legend

I may have misunderstood the requirement here. Correct me if I am wrong, what you need is a single query which will generate results (using the query mentioned in the question itself) for each sourcetype without typing the whole query multiple times for each sourcetype. If yes then try the updated answer.

0 Karma

pierra56
Explorer

hum...


All


<![CDATA[index= earliest=-1h@h | stats count by sourcetype | table sourcetype ]]>

I don't understand. how sourcetypes are incremented here. Because I do not see anything changing.

0 Karma

somesoni2
Revered Legend

This is just a sample layout of a dashboard. Please update the queries as per your environment. (in put query which will get you list of sources [or replace it by a textbox if you want to provide data manually], and in put the actual query with sourcetype being parameterized)

0 Karma

pierra56
Explorer

Thx for your response.

But your script doesn't work. The result is "This dashboard has no panels." it is because he does not find the "sourcetype" ?

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...