Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to highlight values from the iplocation command?

jon_d_irish_ctr
Path Finder
‎05-10-2018 08:46 AM

I want to setup a search that determines which countries have connected to my network over the past "x" hours, and then I want to highlight the table line if a specified country shows up. Here is the search I have so far:

sourcetype=cisco:asa dest_ip="X.X.0.0/16" NOT "Failover primary closed" | iplocation src_ip | stats count by Country | sort - count | dedup Country | highlight "CountryName"

I get the table, but the highlighting never happens even if I pick a country that shows up in the table. Last, I would like for this search to trigger an alert and email the alert if the specified country is in the table.

Thanks!
Jon

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎05-10-2018 10:04 AM

@jon.d.irish.ctr, highlight would work only with Raw Events List not with transforming commands. You probably need a JavaScript Extension based solution to highlight specific text in your Table. Refer to one of following answers where TextBox filter is applied and highlighted.

https://answers.splunk.com/answers/636948/how-to-add-css-class-to-table-field-by-input-in-sp.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-10-2018 04:05 PM

Just to mention it, there's no need to | dedup Country, cause after a stats by Country there won't be any duplicates for that field ever. To setup an alert, add a filter for your relevant countries (like | where Country="yourcountry"), and then just have the alert fire when there is more than 0 results. 🙂

0 Karma
Reply
Solved! Jump to solution

wrangler2x
Motivator
‎05-10-2018 10:19 AM

Despite being in the documentation (which I've never noticed before) it does not appear to work at all. I just tried a very simple case that matches the sample search and... nothing. Sounds like you should report this as a bug.

http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Highlight[link text]1

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎05-10-2018 10:36 AM

@wrangler2x highlight works with Raw Events when you display the same as list. It will not work with Transforming command like stats, table etc.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

wrangler2x
Motivator
‎05-10-2018 11:16 AM

Oh, I see. Yes, when I click the Events tab I do see the highlighting.

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎05-10-2018 10:04 AM

@jon.d.irish.ctr, highlight would work only with Raw Events List not with transforming commands. You probably need a JavaScript Extension based solution to highlight specific text in your Table. Refer to one of following answers where TextBox filter is applied and highlighted.

https://answers.splunk.com/answers/636948/how-to-add-css-class-to-table-field-by-input-in-sp.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

jon_d_irish_ctr
Path Finder
‎05-10-2018 10:23 AM

Thanks for the suggestion, I will give this a shot.

0 Karma
Reply
Solved! Jump to solution

jon_d_irish_ctr
Path Finder
‎05-10-2018 11:06 AM

Here is another thought. What is I wrote out the results of the iplookup command to a lookup file via the outputlookup command. Next, if I do a search against that lookup file with the lookup command, would I then be able to use the highlight command?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...