Solved: Re: Add search field based on value of another fie...

jsoderling · ‎03-21-2019

I have a dashboard panel with a radio input. If the user choose Selection A (4624), I need to add a field to the search. I've tried using eval with if in the search to add the new field, but it either errors out or never processes. Thanks.

    <input type="radio" token="priv_login" searchWhenChanged="true">
      <label>Login Status</label>
      <choice value="4624">Successful</choice>
      <choice value="4625">Failed</choice>
      <initialValue>4624</initialValue>
      <change>
        <condition>
          <set token="panellabel">$label$</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <title>$panellabel$ Privileged Account Logins</title>
        <search>
          <query>index=con_wineventlog_security src="gord*" (Account_Name="*.SA" OR Account_Name="*.*.WA") EventCode=$priv_login$ | stats count(EventCode)</query>
          <earliest>$priv_agg_tok.earliest$</earliest>
          <latest>$priv_agg_tok.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>60m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>

DMohn · ‎03-21-2019

You can modify you input like this:

         <input type="radio" token="priv_login" searchWhenChanged="true">
           <label>Login Status</label>
           <choice value="4624">Successful</choice>
           <choice value="4625">Failed</choice>
           <initialValue>4624</initialValue>
           <change>
             <set token="panellabel">$label$</set>
             <condition value="4624">
               <set token="additional_search">yoursecondfield=something</set>
             </condition>
           </change>
         </input>

Then you can include $additional_search$ in your search query

View solution in original post

jsoderling · ‎03-26-2019

I was never able to pass a new field to the query using a separate token. Splunk was always waiting for data input. I solved the issue by using the radio button's statement to add the field (Logon_ID).

 <input type="radio" searchWhenChanged="true" token="priv_login_tok">
      <label>Login Status</label>
      <choice value="4624 Logon_ID!=0x0">Successful</choice>
      <choice value="4625">Failed</choice>
      <initialValue>4624</initialValue>

DMohn · ‎03-21-2019

You can modify you input like this:

         <input type="radio" token="priv_login" searchWhenChanged="true">
           <label>Login Status</label>
           <choice value="4624">Successful</choice>
           <choice value="4625">Failed</choice>
           <initialValue>4624</initialValue>
           <change>
             <set token="panellabel">$label$</set>
             <condition value="4624">
               <set token="additional_search">yoursecondfield=something</set>
             </condition>
           </change>
         </input>

Then you can include $additional_search$ in your search query

jsoderling · ‎03-21-2019

Thank you. This solution works as long, but I need to use "!=" with my new search field. The token is dropping the "!".

jsoderling · ‎03-25-2019

This solution somewhat works. When I change values, the new search field doesn't change.

DMohn · ‎03-25-2019

Okay, in that case you need to add a after

jsoderling · ‎03-25-2019

I think your comment didn't fully update.

DMohn · ‎03-21-2019

In that case, try using $tokenname|s$ to enable search encoding of token.

Add search field based on value of another field

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?