Hi, I'm trying to create a filter for network connections, but I cannot make several tokens work at the same time.
I want to create an OR expression. In my head it's like this:
1. The search should work if I put a process_name in the text field.
2. If a process_name is selected from the dropdown along with the text field, search for both processes (process_name IN ("$token1$","$token2$")).
3. If the first two are not chosen but a User is selected from the User dropdown, filter by User.
4. If one or two process_name tokens are used and a User is selected, filter by the chosen process_names and then by user.
I have the $procname2$ token for the text field and $procname$ for the dropdown of processes.
Both process_name tokens work if the dropdown is selected; the search then uses both the dropdown token and the text token. The User token doesn't work at all.
Query for search:
index=sysmon_wec AND (EventCode=22 OR event_id=22) AND ((process_name IN ("$procname$", "$procname2$") OR User IN ("$user$")))
| makemv tokenizer="([^\r\n]+)(\r\n)?" User
| mvexpand User
| where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE")
| dedup process_name
| head 100
| table process_name, User, ComputerName, QueryName, QueryResults
Here is the full code of my dashboard:
<form version="1.1" theme="light">
  <label>Find Network connections(DNS)</label>
  <fieldset submitButton="false">
    <input type="text" token="procname2">
      <label>Enter procname:eg.opera.exe</label>
      <default></default>
    </input>
    <input type="dropdown" token="procname" searchWhenChanged="true">
      <label>Procname</label>
      <fieldForLabel>process_name</fieldForLabel>
      <fieldForValue>process_name</fieldForValue>
      <search>
        <query>index=sysmon_wec AND (EventCode=22 OR event_id=22) | dedup process_name | head 1000 | table process_name</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="User" searchWhenChanged="true">
      <label>User</label>
      <fieldForLabel>User</fieldForLabel>
      <fieldForValue>User</fieldForValue>
      <search>
        <query>index=sysmon_wec AND (EventCode=22 OR event_id=22) | makemv tokenizer="([^\r\n]+)(\r\n)?" User | mvexpand User | where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE") | dedup User | head 1000 | table User</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>process_name</title>
        <search>
          <query>
index=sysmon_wec AND (EventCode=22 OR event_id=22) AND ((process_name IN ("$procname$", "$procname2$") OR User IN ("$user$")))
| makemv tokenizer="([^\r\n]+)(\r\n)?" User
| mvexpand User
| where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE")
| dedup process_name
| head 100
| table process_name, User, ComputerName, QueryName, QueryResults
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
I found the right way, but I don't know how to reset the search for another try.
index=sysmon_wec AND (EventCode=22 OR event_id=22)
| makemv tokenizer="([^\r\n]+)(\r\n)?" User
| mvexpand User
| where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE")
| eval proc_filter=if(len("$procname$") > 0 , 1, 0)
| eval user_filter=if(len("$user$") > 5, 1, 0)
| where (proc_filter=1 AND process_name="$procname$" AND user_filter=0) OR (proc_filter=1 AND process_name="$procname$" AND User="$user$")
| head 100
| table process_name, User, ComputerName, QueryName, QueryResults
I decided to use 2 tokens instead of 3. But how do I use token2 (from the users dropdown) only if it was chosen?
index=sysmon_wec AND (EventCode=22 OR event_id=22) AND process_name="$procname$"
| makemv tokenizer="([^\r\n]+)(\r\n)?" User
| mvexpand User
| where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE")
| head 100
| table process_name, User, ComputerName, QueryName, QueryResults
But add something like this in the Splunk language:
| if isnotnull(User) then User="$user$"
Hi @ekmek4
To achieve this type of filtering logic in your dashboard, you need to adjust the search query to handle the different combinations of inputs correctly. The main issue is ensuring that the query logic reflects the conditions you described. Here's how you can modify your query to achieve this:
Here's a revised version of your dashboard code with the updated query logic:
<form version="1.1" theme="light">
  <label>Find Network connections(DNS)</label>
  <fieldset submitButton="false">
    <input type="text" token="procname2">
      <label>Enter procname: eg. opera.exe</label>
      <default></default>
    </input>
    <input type="dropdown" token="procname" searchWhenChanged="true">
      <label>Procname</label>
      <fieldForLabel>process_name</fieldForLabel>
      <fieldForValue>process_name</fieldForValue>
      <search>
        <query>index=sysmon_wec AND (EventCode=22 OR event_id=22) | dedup process_name | head 1000 | table process_name</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="user" searchWhenChanged="true">
      <label>User</label>
      <fieldForLabel>User</fieldForLabel>
      <fieldForValue>User</fieldForValue>
      <search>
        <query>index=sysmon_wec AND (EventCode=22 OR event_id=22) | makemv tokenizer="([^\r\n]+)(\r\n)?" User | mvexpand User | where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE") | dedup User | head 1000 | table User</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>process_name</title>
        <search>
          <query>
index=sysmon_wec AND (EventCode=22 OR event_id=22)
| eval proc_filter=if(len("$procname$") > 0 OR len("$procname2$") > 0, 1, 0)
| eval user_filter=if(len("$user$") > 0, 1, 0)
| where (proc_filter=1 AND process_name IN ("$procname$", "$procname2$")) OR (user_filter=1 AND User="$user$")
| makemv tokenizer="([^\r\n]+)(\r\n)?" User
| mvexpand User
| where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE")
| dedup process_name
| head 100
| table process_name, User, ComputerName, QueryName, QueryResults
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
Key Changes:
This setup should allow you to filter based on the conditions you described. If both process names and user are selected, it will filter by both. If only one is selected, it will filter by that one.
Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
This looks like a working example, but for some reason it doesn't work.
No search runs when the textbox or the dropdown is changed. Filtering works only if I'm choosing a User from the dropdown.