Solved: Re: How to highlight values from the iplocation co...

jon_d_irish_ctr · ‎05-10-2018

I want to setup a search that determines which countries have connected to my network over the past "x" hours, and then I want to highlight the table line if a specified country shows up. Here is the search I have so far:

sourcetype=cisco:asa dest_ip="X.X.0.0/16" NOT "Failover primary closed" | iplocation src_ip | stats count by Country | sort - count | dedup Country | highlight "CountryName"

I get the table, but the highlighting never happens even if I pick a country that shows up in the table. Last, I would like for this search to trigger an alert and email the alert if the specified country is in the table.

Thanks!
Jon

niketn · ‎05-10-2018

@jon.d.irish.ctr, highlight would work only with Raw Events List not with transforming commands. You probably need a JavaScript Extension based solution to highlight specific text in your Table. Refer to one of following answers where TextBox filter is applied and highlighted.

https://answers.splunk.com/answers/636948/how-to-add-css-class-to-table-field-by-input-in-sp.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

xpac · ‎05-10-2018

Just to mention it, there's no need to | dedup Country, cause after a stats by Country there won't be any duplicates for that field ever. To setup an alert, add a filter for your relevant countries (like | where Country="yourcountry"), and then just have the alert fire when there is more than 0 results. 🙂

wrangler2x · ‎05-10-2018

Despite being in the documentation (which I've never noticed before) it does not appear to work at all. I just tried a very simple case that matches the sample search and... nothing. Sounds like you should report this as a bug.

http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Highlight[link text]1

niketn · ‎05-10-2018

@wrangler2x highlight works with Raw Events when you display the same as list. It will not work with Transforming command like stats, table etc.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

wrangler2x · ‎05-10-2018

Oh, I see. Yes, when I click the Events tab I do see the highlighting.

niketn · ‎05-10-2018

@jon.d.irish.ctr, highlight would work only with Raw Events List not with transforming commands. You probably need a JavaScript Extension based solution to highlight specific text in your Table. Refer to one of following answers where TextBox filter is applied and highlighted.

https://answers.splunk.com/answers/636948/how-to-add-css-class-to-table-field-by-input-in-sp.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jon_d_irish_ctr · ‎05-10-2018

Thanks for the suggestion, I will give this a shot.

jon_d_irish_ctr · ‎05-10-2018

Here is another thought. What is I wrote out the results of the iplookup command to a lookup file via the outputlookup command. Next, if I do a search against that lookup file with the lookup command, would I then be able to use the highlight command?

How to highlight values from the iplocation command?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?