Splunk Search

How to pass multiple values into a Token?

Tomas_K
Explorer

Hi all,

Is it possible to pass multiple values to a Token from one search to another?

This is what I am trying to do.

First Panel search:

index="some_DHCP" | where src_hostname like "1-computer" | search src_ip=* | dedup src_ip | table src_hostname src_ip

src_hostname     src_ip
1-computer          10.0.0.1
1-computer          10.0.0.2

From this search I might have one or more src_ip, depending on timespan, and want to use them both in next search in an other Panel.

So far I have done it like this to pass to the next search:

<done>
<set token="IP_answ">$result.src_ip$</set>
</done>

Second Panel search:

index="some_FW" src_ip="$IP_answ$" dest_ip=* | table src_ip dest_ip

As it is now I will only have 1 IP (the latest) to pass to the next Panel search "IP_answ". I can understand that, but I cannot find any solution, searching the web or this community, for how to solve this with multiple values and append the second IP to the second Panel.

Any suggestions?

Thanks in advance and regards,

/Tomas

1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

You can only pass values from the first row of results (unless you want to use drilldowns) so you would have to rearrange your search query to include all the values you want to pass in the first row. Having said that, this doesn't mean that these have to be visible in the table. These can be hidden using CSS.


Tomas_K
Explorer

Hi

@bowesmana
@ITWhisperer

Thank you for your answers, time and effort.

I kind of understood that my way of handling the answer would not work when I read the documentation, but surely hoped for a way to pass to an Array or something like that.

So I have to do another search for that IP or IPs for now. No big deal.

Hidden table is something I will look into of course.

Have a nice day!


bowesmana
SplunkTrust
SplunkTrust

You could have this search as a base search and then have another hidden panel that uses this search as a base search which just aggregates all the IPs to a single value and then a done statement that sets the token.

See this example, which has 3 tables. 

First table does your search 1 - it will get back one or more hosts

The table below it shows the host names as a search filter for the hosts found in table 1 and finally the 3rd table will use the search filter from table 2 to restrict its search.

To hide table 2, you would then use

<table depends="$hidden$">

<dashboard>
  <label>example</label>
  <row>
    <panel>
      <table>
        <title>Search of _internal index for hosts</title>
        <search id="base">
          <query>index=_internal | stats count by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
      <table>
        <title>This panel would normally be hidden by setting depends attribute on table</title>
        <search base="base">
          <query>| stats values(host) as host
          | format | rename search as host
          </query>
          <done>
            <set token="host_filter">$result.host$</set>
          </done>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Search of _audit index for hosts found in _internal index</title>
        <search>
          <query>index=_audit $host_filter$ | stats count by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

This example assumes you can see the _internal and _audit indexes, but I hope you get the picture.
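The same three-panel pattern applied to the DHCP-to-firewall case from the question, as an added example that is not part of bowesmana's post or of any Splunk documentation. It assumes the index names (`some_DHCP`, `some_FW`) and field names (`src_hostname`, `src_ip`, `dest_ip`) from the question, keeps the token name `IP_answ`, and uses the `depends="$hidden$"` trick from the post to keep the helper table out of sight (the `$hidden$` token is never set, so the table never renders):

```xml
<dashboard>
  <label>DHCP to firewall pivot (added example)</label>
  <row>
    <panel>
      <table>
        <title>DHCP leases for 1-computer</title>
        <!-- Panel 1: the question's first search, exposed as a base search
             so the hidden helper below can post-process its rows -->
        <search id="dhcp_base">
          <query>index="some_DHCP"
          | where src_hostname like "1-computer"
          | search src_ip=*
          | dedup src_ip
          | table src_hostname src_ip</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>

      <!-- Panel 2 (hidden): collapse every src_ip into ONE row, then let
           format rewrite that multivalue field as a quoted OR expression,
           e.g. ( ( src_ip="10.0.0.1" OR src_ip="10.0.0.2" ) ).
           Only the first result row reaches $result.*$, which is why the
           values must be squashed into a single row first. -->
      <table depends="$hidden$">
        <search base="dhcp_base">
          <query>| stats values(src_ip) as src_ip
          | format
          | rename search as src_ip</query>
          <done>
            <set token="IP_answ">$result.src_ip$</set>
          </done>
        </search>
      </table>
    </panel>

    <panel>
      <table>
        <title>Firewall connections from those addresses</title>
        <!-- Panel 3: the token already carries the field name and quoting
             produced by format, so it is used bare, not as src_ip="$IP_answ$" -->
        <search>
          <query>index="some_FW" $IP_answ$ dest_ip=*
          | table src_ip dest_ip</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

Two points worth checking when adapting this: the second search must use `$IP_answ$` on its own rather than `src_ip="$IP_answ$"`, because `format` has already emitted the field name and quotes for each value; and because the token is spliced verbatim into the third query, routing it through `stats values ... | format` (which quotes each value) is preferable to concatenating raw field values yourself, since a value containing spaces or search syntax would otherwise alter the meaning of the downstream search.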

 

