Splunk Search

How To Add a Search Box in Dashboard/Form?

skoelpin
SplunkTrust

I currently have a dashboard which shows the IP Address | Web Request | Browser | JSession Count. I want to create a search box where the user can enter the IP Address, and Splunk will filter the results in the table based on that IP Address and show the Web Request | Browser | JSession Count.

So far I have 3 panels at the top of my dashboard: one is a drop-down for the time frame, the next one is a submit button, then a text box where the user can enter the IP Address. I have a text box, but when I hit the submit button, nothing happens. I suspect that it's not tied to the query properly, so it doesn't know what to search. Can anyone help me fix this so I'm able to filter through the table displayed?

Here's my XML that I have so far:

<form>
  <label>Click Fraud</label>
  <fieldset autoRun="true" submitButton="true">
    <input type="time" searchWhenChanged="true">
      <default>
        <earliestTime>-15m</earliestTime>
        <latestTime>now</latestTime>
        <search>
          <query>index=access OR index=main | transaction RTG_JSession | table RTG_IPmain RTG_WebRequest RTG_Browser | stats count values(RTG_Browser) values(RTG_WebRequest) BY RTG_IPmain | sort -count | rename RTG_IPmain AS "IP Address" | rename  count AS "JSession Count" | rename "values(RTG_Browser)" AS "Browser" | rename "values(RTG_WebRequest)" AS "Web Request"</query>
          <earliest></earliest>
          <latest></latest>
        </search>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=access OR index=main | transaction RTG_JSession | table RTG_IPmain RTG_WebRequest RTG_Browser | stats count values(RTG_Browser) values(RTG_WebRequest) BY RTG_IPmain | sort -count | rename RTG_IPmain AS "IP Address" | rename  count AS "JSession Count" | rename "values(RTG_Browser)" AS "Browser" | rename "values(RTG_WebRequest)" AS "Web Request"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
1 Solution

MuS
Legend

Hi skoelpin,

Add a text field like this:

<input type="text" token="ip">
  <label>IP</label>
  <default>*</default>
  <!-- The renamed field contains a space, so it must be double-quoted in SPL;
       single quotes are only understood by eval/where, not by search or table. -->
  <prefix>"IP Address"="</prefix>
  <suffix>"</suffix>
</input>

and use the $ip$ token in your search like this:

<table>
  <search>
    <query>
    index=access OR index=main 
   | transaction RTG_JSession 
   | stats count values(RTG_Browser) values(RTG_WebRequest) BY RTG_IPmain 
   | sort -count 
   | rename RTG_IPmain AS "IP Address" count AS "JSession Count"  "values(RTG_Browser)" AS "Browser" "values(RTG_WebRequest)" AS "Web Request" 
   | search $ip$ 
   | table "Web Request" Browser "JSession Count"</query>
     <earliest>-15m</earliest>
     <latest>now</latest>
  </search>
</table>

And just a tip: don't use field names which contain a space 😉

Hope this helps ...

cheers, MuS

skoelpin
SplunkTrust

Thanks for the reply MuS.

I tried putting in what you recommended, but it's not returning any results. Can you pick out what I'm doing wrong here?

<form>
  <label>Click Fraud</label>
  <fieldset autoRun="true" submitButton="true">
    <input type="text" token="ip">
      <label>IP</label>
      <default>*</default>
      <prefix>'IP Address'="</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>
          index=access OR index=main 
         | transaction RTG_JSession 
         | stats count values(RTG_Browser) values(RTG_WebRequest) BY RTG_IPmain 
         | sort -count 
         | rename RTG_IPmain AS "IP Address" count AS "JSession Count"  "values(RTG_Browser)" AS "Browser" "values(RTG_WebRequest)" AS "Web Request" 
         | search $ip$ 
         | table 'Web Request' Browser 'JSession Count'</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

MuS
Legend

First, run the search command in the search bar and replace $ip$ with 'IP Address'="*" - do you get anything?

skoelpin
SplunkTrust

Yes, I added a dashboard panel of the query I made previously, which displays a table of IP Address | JSession Count | Browser | Web Request. I have about 40 pages of results. Now when I enter the IP Address (which is in row 1) into the text box and hit the submit button, nothing happens. It appears the search button doesn't have anything to search.

When I enter an IP Address from the table, I see it's getting passed in the URL. So it's being read, but none of the results in the table are getting filtered (nothing changes in the table).

skoelpin
SplunkTrust

I figured it out! I was using the alias "IP Address" instead of the extracted field RTG_IPmain. The quotes also messed it up, as it was calling it like this: "RTG_IPmain=12.23.234.545" instead of this: RTG_IPmain=12.23.234.545

Here's my source code if anyone else needs it in the future:

<form>
  <label>Click Fraud</label>
  <fieldset autoRun="true" submitButton="true">
    <input type="text" token="ip">
      <label>Enter IP Address Here</label>
      <default>204.44.87.88</default>
      <prefix>RTG_IPmain=</prefix>
      <suffix></suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=access OR index=main | search $ip$ | transaction RTG_JSession  | table RTG_IPmain RTG_WebRequest RTG_Browser | stats count values(RTG_Browser) values(RTG_WebRequest) BY RTG_IPmain | sort -count | rename RTG_IPmain AS "IP Address" | rename  count AS "JSession Count" | rename "values(RTG_Browser)" AS "Browser" | rename "values(RTG_WebRequest)" AS "Web Request"  </query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

woodcock
Esteemed Legend

You need to specify a token for your time field and then, under your search, replace -15m and now with $your_token.earliest$ and $your_token.latest$.
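The thread's two working pieces put together as one form, added here as an example that is not from any of the original posts: skoelpin's final fix (filter on the extracted field RTG_IPmain, before the transaction) and woodcock's tip of binding the time picker to a token. It also drops the prefix/suffix in favour of Splunk's `|s` token filter, which wraps the typed value in double quotes and escapes any quotes inside it. Simple XML substitutes tokens into the query as raw text, so with a bare `$ip$` a user can type a pipe and append arbitrary SPL to the panel search (run with that user's own permissions, not elevated); quoting the value keeps the text box a value filter and nothing more. The token name `time_tok` is an assumption; the index and field names come from the thread.

```xml
<form>
  <label>Click Fraud</label>
  <fieldset submitButton="true" autoRun="true">
    <!-- Time picker bound to a token, so the panel follows the picker
         instead of the hard-coded -15m / now. -->
    <input type="time" token="time_tok">
      <label>Time range</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Free-text IP filter. No prefix/suffix here: the field name lives in
         the query so that $ip|s$ quotes only the user's value. The default
         "*" still matches every IP because a quoted wildcard is still a
         wildcard in a field=value search. -->
    <input type="text" token="ip">
      <label>IP address (leave * for all)</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Filter on the extracted field before transaction/stats, so only
               the matching sessions are grouped, then rename for display. -->
          <query>index=access OR index=main RTG_IPmain=$ip|s$
| transaction RTG_JSession
| stats count values(RTG_Browser) AS Browser values(RTG_WebRequest) AS "Web Request" BY RTG_IPmain
| sort -count
| rename RTG_IPmain AS "IP Address" count AS "JSession Count"</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <option name="rowNumbers">true</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
```

With submitButton="true" the tokens are only committed when Submit is pressed, which is the behaviour skoelpin wanted; typing `10.0.0.5` yields `RTG_IPmain="10.0.0.5"` in the query, and typing `x" | delete` yields `RTG_IPmain="x\" | delete"`, a harmless literal rather than an extra pipeline stage.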

skoelpin
SplunkTrust

I changed the source code up a bit and included the token in my input tag and referenced it in my search. No results are coming back, but if I hard-code the IP in the search then it will successfully filter the results in my table. What would you recommend I do so I can successfully enter an IP in the search box and have it filter the values in the table?

<form>
  <label>Click Fraud</label>
  <fieldset autoRun="true" submitButton="true">
    <input type="text" token="ip">
      <label>IP</label>
      <default>133.20.33.20</default>
      <prefix>'IP Address'="</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=access OR index=main | transaction RTG_JSession | where RTG_IPmain="$ip$" | table RTG_IPmain RTG_WebRequest RTG_Browser | stats count values(RTG_Browser) values(RTG_WebRequest) BY RTG_IPmain | sort -count | rename RTG_IPmain AS "IP Address" | rename  count AS "JSession Count" | rename "values(RTG_Browser)" AS "Browser" | rename "values(RTG_WebRequest)" AS "Web Request"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>