- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am creating a dashboard, no matter which input can be used, but need is to paste multiple input into dashboard input and search them in a certain index.
for example:
I want to search comma delimited IP addresses such as
1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 --->input format is not a case, I can provide different formatted multiple data.
I want to paste these into input ( no matter which kind) and these will be formatted and created a search in the panel like below.
index=traffic src=1.1.1.1 OR src=2.2.2.2 OR src=3.3.3.3 OR src=4.4.4.4
| table _time src dst port
Please recommend how I can do it.
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/de369/de36955662072a2b0e69a9b2caf31b826d7a55e8" alt="kamlesh_vaghela kamlesh_vaghela"
data:image/s3,"s3://crabby-images/f2c43/f2c43ff9fe30701b4ec7d60d5201063534e5c1eb" alt="SplunkTrust SplunkTrust"
Can you please try this?
index=traffic [| makeresults | eval src="$tkn_src$" | eval src=split(src,",") | mvexpand src | table src] | table _time src dst port
My Sample Search :
index=traffic [| makeresults | eval src="1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4" | eval src=split(src,",") | mvexpand src | table src] | table _time src dst port
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/de369/de36955662072a2b0e69a9b2caf31b826d7a55e8" alt="kamlesh_vaghela kamlesh_vaghela"
data:image/s3,"s3://crabby-images/f2c43/f2c43ff9fe30701b4ec7d60d5201063534e5c1eb" alt="SplunkTrust SplunkTrust"
Can you please try this?
index=traffic [| makeresults | eval src="$tkn_src$" | eval src=split(src,",") | mvexpand src | table src] | table _time src dst port
My Sample Search :
index=traffic [| makeresults | eval src="1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4" | eval src=split(src,",") | mvexpand src | table src] | table _time src dst port
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot, this is working. In the first try, I provided input with space after the comma, so that is why it was not working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for quick answer, It takes first IP, but not second IP unfortunately. Any idea about the issue?
index=traffic
[| makeresults | eval src="$field1$" | eval src=split(src,",")
| mvexpand src | table src]
| table _time src dst port
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/de369/de36955662072a2b0e69a9b2caf31b826d7a55e8" alt="kamlesh_vaghela kamlesh_vaghela"
data:image/s3,"s3://crabby-images/f2c43/f2c43ff9fe30701b4ec7d60d5201063534e5c1eb" alt="SplunkTrust SplunkTrust"
It is working for me. Please refer my sample XML.
<form>
<label>mutiliput</label>
<fieldset submitButton="false">
<input type="text" token="field1">
<label>field1</label>
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index="_internal" [| makeresults | eval date_second="$field1$" | eval date_second=split(date_second,",") | mvexpand date_second | table date_second] | stats count by date_second</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
Still you to found issue then please share your sample XML as well.
Thanks
KV
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
same unfortunately, the first value is taken but not rest of them.
<form>
<label>mutiliput</label>
<fieldset submitButton="false">
<input type="text" token="field1">
<label>field1</label>
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index="traffic" [| makeresults | eval src="$field1$" | eval src=split(src,",") | mvexpand src | table src] | table src, dst</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/de369/de36955662072a2b0e69a9b2caf31b826d7a55e8" alt="kamlesh_vaghela kamlesh_vaghela"
data:image/s3,"s3://crabby-images/f2c43/f2c43ff9fe30701b4ec7d60d5201063534e5c1eb" alt="SplunkTrust SplunkTrust"
Can you please try this?
index="traffic" src=* [| makeresults | eval src="$field1$" | eval src=split(src,",") | mvexpand src | table src] | table src, ds
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
data:image/s3,"s3://crabby-images/1a552/1a552ff33d37f94e7c5bc13132edaa973c529815" alt=""