Splunk Search

How to hide search string in the link for my dashboards?

C_Sparn
Communicator

Hello,
when I open my dashboards the search string is embedded in the link. How can I hide the string, that nobody can change the search?

Greetings

Tags (3)
0 Karma

guilmxm
SplunkTrust
SplunkTrust

In simple xml, you could do this:

You can hide the tool bar using css to prevent users from accessing to the search.

.dashboard-row2 .paxnel-footer {
display: none;
}

Then deactivate any drilldown in your view

0 Karma

guilmxm
SplunkTrust
SplunkTrust

Sorry, out of idea 🙂

0 Karma

C_Sparn
Communicator

No sorry but does not help in my case.

0 Karma

guilmxm
SplunkTrust
SplunkTrust

Maybe should you encrypt events instead of trying to protect the search string ?
It seems you could use a search string with masked (under custom patterns) arguments
Look at:
http://blogs.splunk.com/2010/01/25/encrypting-and-decrypting-fields/

Note sure it's relevant for your case but maybe a way for you

0 Karma

C_Sparn
Communicator

The problem is that the arguments are the security vulnerability. So if the arguments can be changed also the search macro is senseless. But thank you for the suggestion.

0 Karma

guilmxm
SplunkTrust
SplunkTrust

Hi, You could use a macro which contains your search string, and the use it in your view.

You'll have to deal with arguments, but it will do the trick.

For example, the search:

index=_internal | stats count by host

Would be masked under the macro "foo", and you would call it with:

foo

0 Karma

C_Sparn
Communicator

That was a good idea guilmxm but I need a server side manipulation or encryption of the link. Are there any suggestions?

0 Karma

guilmxm
SplunkTrust
SplunkTrust

No, in simple xml.

Create a css file you put in $SPLUNK_HOME/etc/apps//appserver/static

Put your css code, and restart at least Splunk Web (./splunk restart splunkweb)

Then in your view, edit the xml code (using the integrated editor) and add the stylesheet after the form or dashboard pattern:

Refresh the page, sometimes it's may be a good idea to clean your browser cache.

0 Karma

C_Sparn
Communicator

Sorry I do not know where I can set this css code in simple xml! Do you mean advanced xml?

0 Karma

C_Sparn
Communicator

Hello is it possible to encrypt the link?

0 Karma

C_Sparn
Communicator



index = ticket sourcetype =log $new_time$ TicketStatus = "closed"|join Ticket[|inputlookup average.csv|rename tickets as Ticket]|stats count(Tickets) as count

I found the reason why the search string is embedded in the link. It is embedded if an input like $new_time$ is part of the search string. Sorry but I had to delete the rest of the dashboard xml. But I need the inputs without having the search string in the link.
Greetings

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Can you provide your dashboard xml?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...