
Hide a populated panel based on whether the text-field value is a private or public IP address


I have been struggling with this one for a while now with no end in sight.

I'm not sure if this is even possible, but I need to show or hide a panel based on whether the text-field input is a public or private IP address.

To accomplish this, I'm running a regex against the $ip$ token set by the text input. If the regex matches, I treat the address as private; if it doesn't match, I treat it as public.

Here is a dashboard you can copy and paste into your Splunk instance that describes my data and what I'm trying to do:

<form>
  <!-- Base search shared by both panels.
       Everything up to the `comment("above is just generating dataset")` macro fabricates
       random src_ip / dest_ip / dest_port rows (random()%255 yields 0 to 254, and the
       "172." and "192." branches are not restricted to 172.16-31 / 192.168, so many of the
       generated rows that look private are actually public). The classification of the
       text-box value happens in the last three commands.
       Review notes on the classification:
       * $ip$ is pasted into the SPL verbatim: here between double quotes, and again below
         as `search src_ip=$ip$ OR dest_ip=$ip$` with no quoting at all. A typed value
         containing a quote, a space, a pipe or `OR` breaks out of the string / the search
         clause and changes the query (the viewer already holds search rights, so this is
         mostly a correctness problem, but a value such as `1.1.1.1 OR *` silently widens
         the result set). Writing the token as $ip|s$ makes Simple XML quote and escape it.
       * The rex pattern is unanchored, so it also fires on substrings: "110.1.1.1"
         contains "10.1.1.1" and would be classified as private.
       * The 172 branch, 172\.[1-3][0-9], accepts 172.10 through 172.39; RFC 1918 is
         172.16.0.0/12, i.e. 172.16 through 172.31 only.
       * The octet pattern [1-2]?[0-9][0-9]? accepts values up to 299.
       * 192\.189\.2[0-1][056789] does not correspond to any private range (presumably a
         typo for 192.168).
       * The trailing [A-Za-z] alternative makes any value containing a letter match, i.e.
         a hostname or garbage input is classified as private.
       * In `if(isnotnull(private_ip), "1", null)` the bare word null is read as a field
         reference (to a field that does not exist, so it evaluates to null by accident);
         the function form is null().
       * The last `comment(...)` macro call contains unescaped inner double quotes around
         $ip$, which end the macro argument string early. -->
  <search id="primary">
    <query>|makeresults count=10000
| eval a = random()%255
| eval b = random()%255
| eval c = random()%255
| eval d = random()%255
| eval ip = random()%4
| eval src_ip = if(ip = 0, "10.".a.".".b.".".c, if(ip=1, "172.".a.".".b.".".c, if(ip=2, "192.".a.".".b.".".c, d.".".a.".".b.".".c)))
| eval dest_ip = if(ip = 0, "10.".a.".".b.".".c, if(ip=1, "172.".a.".".b.".".c, if(ip=2, "192.".a.".".b.".".c, d.".".a.".".b.".".c)))
| eval dest_port = random()%65535
| streamstats count 
| eval src_ip = if(count > 500 AND count < 525, "192.168.1.1", src_ip)
| eval src_ip = if(count > 450 AND count < 475, "1.1.1.1", src_ip)
| fields - _time
| fields src_ip dest_ip dest_port 
`comment("above is just generating dataset")`

| eval hiddenfield = "$ip$"
| rex field=hiddenfield "(?<private_ip>192\.168\.[1-2]?[0-9][0-9]?\.[1-2]?[0-9][0-9]?|172\.[1-3][0-9]\.[1-2]?[0-9][0-9]?\.[1-2]?[0-9][0-9]?|10\.[1-2]?[0-9][0-9]?\.[1-2]?[0-9][0-9]?\.[1-2]?[0-9][0-9]?|192\.189\.2[0-1][056789]\.[1-2]?[0-9][0-9]?|[A-Za-z])"
| eval show_panel = if(isnotnull(private_ip), "1", null)
`comment("uses hiddenfield = "$ip$" token passed from main dashboard to find if the ip should be considered private")`</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <label>drilldown_troubleshoot</label>
  <fieldset submitButton="false">
    <input type="text" token="ip">
      <label>Investigate IP</label>
    </input>
  </fieldset>
  <!-- Panel that should be shown/hidden. As written nothing reads show_panel: the post
       search only takes the first row and prints a fixed string, so the panel is always
       visible. -->
  <row>
    <panel>
      <single>
        <search base="primary">
          <query>| head 1
          | eval this = "This will always be populated. I need to show or hide this panel depending on if the IP is private or public"
          | table this</query>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
  <!-- $ip$ is interpolated unquoted into the search clause here; see the note on the
       base search. $ip|s$ would quote it. -->
  <row>
    <panel>
      <table>
        <title>This will display information about any src_ip or dest_ip that matches the text search</title>
        <search base="primary">
          <query>| search src_ip=$ip$ OR dest_ip=$ip$
| table src_ip dest_ip dest_port</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

This is the direction I've been trying to take to make it work, but I can't get it to function properly:

<form>
  <!-- Base search shared by both panels (identical to the first attempt except that
       show_panel is "0" instead of null when the regex does not match).
       Review notes on the classification, all visible in the rex / eval below:
       * $ip$ is pasted into the SPL verbatim, between double quotes here and unquoted in
         the `search src_ip=$ip$ OR dest_ip=$ip$` clause of the last panel. A value with a
         quote, space, pipe or `OR` alters the query; $ip|s$ makes Simple XML quote and
         escape it.
       * The pattern is unanchored ("110.1.1.1" contains "10.1.1.1").
       * 172\.[1-3][0-9] accepts 172.10 through 172.39; RFC 1918 is 172.16 through 172.31.
       * [1-2]?[0-9][0-9]? accepts octet values up to 299.
       * 192\.189\.2[0-1][056789] is not a private range (presumably a typo for 192.168).
       * The [A-Za-z] alternative classifies any value containing a letter as private.
       * The last `comment(...)` macro argument contains unescaped inner double quotes
         around $ip$, which terminate the string early. -->
  <search id="primary">
    <query>|makeresults count=10000
| eval a = random()%255
| eval b = random()%255
| eval c = random()%255
| eval d = random()%255
| eval ip = random()%4
| eval src_ip = if(ip = 0, "10.".a.".".b.".".c, if(ip=1, "172.".a.".".b.".".c, if(ip=2, "192.".a.".".b.".".c, d.".".a.".".b.".".c)))
| eval dest_ip = if(ip = 0, "10.".a.".".b.".".c, if(ip=1, "172.".a.".".b.".".c, if(ip=2, "192.".a.".".b.".".c, d.".".a.".".b.".".c)))
| eval dest_port = random()%65535
| streamstats count 
| eval src_ip = if(count > 500 AND count < 525, "192.168.1.1", src_ip)
| eval src_ip = if(count > 450 AND count < 475, "1.1.1.1", src_ip)
| fields - _time
| fields src_ip dest_ip dest_port 
`comment("above is just generating dataset")`

| eval hiddenfield = "$ip$"
| rex field=hiddenfield "(?<private_ip>192\.168\.[1-2]?[0-9][0-9]?\.[1-2]?[0-9][0-9]?|172\.[1-3][0-9]\.[1-2]?[0-9][0-9]?\.[1-2]?[0-9][0-9]?|10\.[1-2]?[0-9][0-9]?\.[1-2]?[0-9][0-9]?\.[1-2]?[0-9][0-9]?|192\.189\.2[0-1][056789]\.[1-2]?[0-9][0-9]?|[A-Za-z])"
| eval show_panel = if(isnotnull(private_ip), "1", "0")
`comment("uses hiddenfield = "$ip$" token passed from main dashboard to find if the ip should be considered private")`</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <label>drilldown_troubleshoot</label>
  <fieldset submitButton="false">
    <input type="text" token="ip">
      <label>Investigate IP</label>
    </input>
  </fieldset>
  <!-- Show/hide wiring. The first <progress> copies show_panel from the first result row
       into $show$; the second sets $panel$ to "true" when $show$ is 0 (regex did NOT
       match, i.e. public) and to an empty string when it is 1 (private). So, as written,
       the panel with depends="$panel$" is meant to be visible for public addresses and
       hidden for private ones; swap the two conditions if the intent is the opposite.
       NOTE(review): <unset token="panel"> is the documented way to make a depends
       attribute hide a panel; setting an empty value may not have the same effect.
       NOTE(review): the conditions use a single "=" ("$show$ = 0"); Simple XML examples
       use "==". Confirm the single "=" form is accepted.
       NOTE(review): the token this panel depends on is set by the panel's own search.
       Confirm that the search of a hidden panel is still dispatched, otherwise the token
       can never be set once the panel is hidden. -->
  <row>
    <panel depends="$panel$">
      <single>
        <search base="primary">
          <query>
          | head 1
          | eval this = "This will always be populated. I need to show or hide this panel depending on if the IP is private or public"
          | table this show_panel
</query>
          <progress>
            <set token="show">$result.show_panel$</set>
          </progress>
          <progress>
          <condition match="$show$ = 0">
            <set token="panel">true</set>
          </condition>
          <condition match="$show$ = 1">
            <set token="panel"></set>
          </condition>
          </progress>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
  <!-- $ip$ is interpolated unquoted into the search clause here; see the note on the
       base search. $ip|s$ would quote it. -->
  <row>
    <panel>
      <table>
        <title>This will display information about any src_ip or dest_ip that matches the text search</title>
        <search base="primary">
          <query>| search src_ip=$ip$ OR dest_ip=$ip$
| table src_ip dest_ip dest_port</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Any assistance is appreciated!



@rbechtold, the actual problem to solve is classifying the entered address as private or public. Once that is done, all you need to do is set or unset a token and reference it in the panel's depends and/or rejects attribute to show or hide the panel.

The following run-anywhere example:
1. Splits the IP into its four octets.
2. Left-pads each octet with zeros to three digits.
3. Joins the four octets again, separated by dots.
4. Performs a plain string comparison against the zero-padded private ranges. This only works because every octet now has a fixed width; without padding, "10.9.0.0" would sort after "10.10.0.0".

Refer to attached snippet


Following is the complete run anywhere Simple XML Dashboard code:

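<form>
  <label>Validate Public Or Private IP</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <html>
        <div>
          <h3>Private IP Addresses (RFC 1918)</h3>
          <pre>
Class   Private IP Address Range    Subnet Mask
A      10.0.0.0 - 10.255.255.255    255.0.0.0
B    172.16.0.0 - 172.31.255.255    255.240.0.0
C   192.168.0.0 - 192.168.255.255   255.255.0.0
          </pre>
          <h4>Any well-formed IPv4 address outside the three ranges above is treated as a <code>Public IP</code> by this dashboard. For example: <code>192.167.255.255</code></h4>
          <p>Other non-routable ranges (loopback 127.0.0.0/8, link-local 169.254.0.0/16, shared address space 100.64.0.0/10) are not part of the private set; extend the <code>isPrivate</code> case() if they matter for your use case. Malformed input is reported as <code>isValidIPv4=false</code> and is never counted as private.</p>
        </div>
      </html>
    </panel>
  </row>
  <!-- Classification search.
       Token handling: $tokIP|s$ makes Simple XML emit the typed value as a double-quoted,
       escaped SPL string. Pasting a bare $tokIP$ between quotes would let a value that
       contains a quote or a pipe terminate the string and alter the rest of the query.
       Validation: isValidIPv4 is a strict dotted-quad check (four octets, each 0 to 255).
       Partial input such as "10.1" padded to "010.001" satisfies the string-range test for
       10.0.0.0/8, so it used to be reported as private; it is now reported as invalid and
       isPrivate is forced to "false". The trailing $$ in the pattern is the Simple XML
       escape for a literal dollar sign (the regex end anchor).
       Comparison: each octet is left-padded with zeros to exactly three characters so a
       plain string comparison orders addresses numerically ("010.009.000.000" sorts before
       "010.010.000.000", which unpadded "10.9" vs "10.10" would not). The built-in
       cidrmatch("10.0.0.0/8", ip) is a shorter alternative to the padding and compare. -->
  <row>
    <panel>
      <input type="text" token="tokIP" searchWhenChanged="true">
        <label>Enter IP to Test (Private vs Public)</label>
        <default>192.168.0.0</default>
      </input>
      <table>
        <search>
          <query>| makeresults 
| eval ip=trim($tokIP|s$) 
| eval isValidIPv4=if(match(ip, "^(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}$$"), "true", "false") 
| eval tempIP=ip 
| makemv tempIP delim="." 
| rex mode=sed field=tempIP "s/(\d+)/000\1/" 
| rex mode=sed field=tempIP "s/0*([0-9]{3})/\1/" 
| eval tempIP=mvjoin(tempIP,".") 
| eval isPrivate=case(isValidIPv4!="true","false",(tempIP>="010.000.000.000" AND tempIP<="010.255.255.255") OR (tempIP>="172.016.000.000" AND tempIP<="172.031.255.255") OR (tempIP>="192.168.000.000" AND tempIP<="192.168.255.255"),"true",true(),"false")
| fields - tempIP</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <!-- tokShow is cleared while the search runs so a stale "true" from the previous
               value cannot keep the dependent row visible. -->
          <progress>
            <unset token="tokShow"></unset>
          </progress>
          <done>
            <condition match="$job.resultCount$==0">
              <set token="tokIsPrivate">false</set>
              <unset token="tokShow"></unset>
            </condition>
            <condition>
              <set token="tokIsPrivate">$result.isPrivate$</set>
              <!-- $result.isPrivate$ is substituted as text before the expression is
                   evaluated; quoting it makes this a plain string comparison instead of
                   relying on how a bare true/false word is parsed. When the test fails,
                   case() produces no value, which (as the original relied on) presumably
                   leaves tokShow unset so the dependent row stays hidden. -->
              <eval token="tokShow">case("$result.isPrivate$"=="true","true")</eval>
            </condition>
          </done>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <!-- Rendered only while tokShow is set, i.e. only after a valid RFC 1918 address was
       classified as private. -->
  <row depends="$tokShow$">
    <panel>
      <html>
        <div>Show this panel only if Private IP Is Provided in Text box</div>
        <div>tokIsPrivate: $tokIsPrivate$</div>
        <div>tokShow: $tokShow$</div>
      </html>
    </panel>
  </row>
</form>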
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"



@rbechtold, the actual problem to solve is classifying the entered address as private or public. Once that is done, all you need to do is set or unset a token and reference it in the panel's depends and/or rejects attribute to show or hide the panel.

The following run-anywhere example:
1. Splits the IP into its four octets.
2. Left-pads each octet with zeros to three digits.
3. Joins the four octets again, separated by dots.
4. Performs a plain string comparison against the zero-padded private ranges. This only works because every octet now has a fixed width; without padding, "10.9.0.0" would sort after "10.10.0.0".

Refer to attached snippet


Following is the complete run anywhere Simple XML Dashboard code:

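<form>
  <label>Validate Public Or Private IP</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <html>
        <div>
          <h3>Private IP Addresses (RFC 1918)</h3>
          <pre>
Class   Private IP Address Range    Subnet Mask
A      10.0.0.0 - 10.255.255.255    255.0.0.0
B    172.16.0.0 - 172.31.255.255    255.240.0.0
C   192.168.0.0 - 192.168.255.255   255.255.0.0
          </pre>
          <h4>Any well-formed IPv4 address outside the three ranges above is treated as a <code>Public IP</code> by this dashboard. For example: <code>192.167.255.255</code></h4>
          <p>Other non-routable ranges (loopback 127.0.0.0/8, link-local 169.254.0.0/16, shared address space 100.64.0.0/10) are not part of the private set; extend the <code>isPrivate</code> case() if they matter for your use case. Malformed input is reported as <code>isValidIPv4=false</code> and is never counted as private.</p>
        </div>
      </html>
    </panel>
  </row>
  <!-- Classification search.
       Token handling: $tokIP|s$ makes Simple XML emit the typed value as a double-quoted,
       escaped SPL string. Pasting a bare $tokIP$ between quotes would let a value that
       contains a quote or a pipe terminate the string and alter the rest of the query.
       Validation: isValidIPv4 is a strict dotted-quad check (four octets, each 0 to 255).
       Partial input such as "10.1" padded to "010.001" satisfies the string-range test for
       10.0.0.0/8, so it used to be reported as private; it is now reported as invalid and
       isPrivate is forced to "false". The trailing $$ in the pattern is the Simple XML
       escape for a literal dollar sign (the regex end anchor).
       Comparison: each octet is left-padded with zeros to exactly three characters so a
       plain string comparison orders addresses numerically ("010.009.000.000" sorts before
       "010.010.000.000", which unpadded "10.9" vs "10.10" would not). The built-in
       cidrmatch("10.0.0.0/8", ip) is a shorter alternative to the padding and compare. -->
  <row>
    <panel>
      <input type="text" token="tokIP" searchWhenChanged="true">
        <label>Enter IP to Test (Private vs Public)</label>
        <default>192.168.0.0</default>
      </input>
      <table>
        <search>
          <query>| makeresults 
| eval ip=trim($tokIP|s$) 
| eval isValidIPv4=if(match(ip, "^(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}$$"), "true", "false") 
| eval tempIP=ip 
| makemv tempIP delim="." 
| rex mode=sed field=tempIP "s/(\d+)/000\1/" 
| rex mode=sed field=tempIP "s/0*([0-9]{3})/\1/" 
| eval tempIP=mvjoin(tempIP,".") 
| eval isPrivate=case(isValidIPv4!="true","false",(tempIP>="010.000.000.000" AND tempIP<="010.255.255.255") OR (tempIP>="172.016.000.000" AND tempIP<="172.031.255.255") OR (tempIP>="192.168.000.000" AND tempIP<="192.168.255.255"),"true",true(),"false")
| fields - tempIP</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <!-- tokShow is cleared while the search runs so a stale "true" from the previous
               value cannot keep the dependent row visible. -->
          <progress>
            <unset token="tokShow"></unset>
          </progress>
          <done>
            <condition match="$job.resultCount$==0">
              <set token="tokIsPrivate">false</set>
              <unset token="tokShow"></unset>
            </condition>
            <condition>
              <set token="tokIsPrivate">$result.isPrivate$</set>
              <!-- $result.isPrivate$ is substituted as text before the expression is
                   evaluated; quoting it makes this a plain string comparison instead of
                   relying on how a bare true/false word is parsed. When the test fails,
                   case() produces no value, which (as the original relied on) presumably
                   leaves tokShow unset so the dependent row stays hidden. -->
              <eval token="tokShow">case("$result.isPrivate$"=="true","true")</eval>
            </condition>
          </done>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <!-- Rendered only while tokShow is set, i.e. only after a valid RFC 1918 address was
       classified as private. -->
  <row depends="$tokShow$">
    <panel>
      <html>
        <div>Show this panel only if Private IP Is Provided in Text box</div>
        <div>tokIsPrivate: $tokIsPrivate$</div>
        <div>tokShow: $tokShow$</div>
      </html>
    </panel>
  </row>
</form>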
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"



You're a wizard.

I was able to play around with the sample dashboard you provided and apply it to my production dashboard, and it works perfectly.

I appreciate your time and the incredibly detailed response. Thank you for making something I thought might be impossible a possibility!
