I've created a form that has a dropdown where users can select their sourcetype. Within each sourcetype, the fields are different. Is there a way for me to have the associated fields available based on the sourcetype that the user selects? If so, how do I do this? Below is my form.
<form>
  <label>Threat Dashboard</label>
  <fieldset autoRun="false" submitButton="true">
    <input type="text" token="src_ip">
      <label>Source IP:</label>
      <default>*</default>
    </input>
    <input type="text" token="src_port">
      <label>Source Port:</label>
      <default>*</default>
    </input>
    <input type="text" token="dst_ip">
      <label>Destination IP:</label>
      <default>*</default>
    </input>
    <input type="text" token="dst_port">
      <label>Destination Port:</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="sourcetype">
      <label>Select Sourcetype:</label>
      <default>pan_traffic</default>
      <populatingSearch fieldForValue="sourcetype" fieldForLabel="sourcetype" earliest="-120m" latest="-90m">
        <![CDATA[index=* | stats count by sourcetype]]>
      </populatingSearch>
    </input>
    <input type="time" searchWhenChanged="false">
      <default>
        <earliestTime>-15m</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <table>
      <title>Investigate Source IP: $src_ip$</title>
      <searchString>sourcetype=$sourcetype$ src_ip=$src_ip$ dst_ip=$dst_ip$ src_port=$src_port$ dst_port=$dst_port$ | table src_ip, dst_ip, action, src_port, dst_port</searchString>
    </table>
  </row>
</form>
Try this in your searchString for the table.
sourcetype=$sourcetype$ src_ip=$src_ip$ dst_ip=$dst_ip$ src_port=$src_port$ dst_port=$dst_port$ | table [|stats count| eval search=case("$sourcetype$"="proxysg","src_ip, dst_ip, action","$sourcetype$"="pan_traffic","action, src_port, dst_port", 1=1,"src_ip, dst_ip, action, src_port, dst_port") | table search]
Update:
sourcetype=$sourcetype$ [|stats count | eval src_ip="$src_ip$" | eval dst_ip="$dst_ip$"
| eval src_port="$src_port$" | eval dst_port="$dst_port$" | eval client_ip="$src_ip$"
| eval dest_ip="$dst_ip$" | eval port=split("$src_port$,$dst_port$",",") | mvexpand port
| eval host=split("$src_ip$,$dst_ip$",",") | mvexpand host
| table [|stats count| eval search=case(
"$sourcetype$"="proxysg","client_ip,dest_ip,port",
"$sourcetype$"="pan_traffic" OR "$sourcetype$"="pan_threat","src_ip,dst_ip,src_port,dst_port",
"$sourcetype$"="ciscoios","host",
1=1,"") | table search] | format]
| table [|stats count| eval search=case(
"$sourcetype$"="proxysg","client_ip,dest_ip,action,port",
"$sourcetype$"="pan_traffic" OR "$sourcetype$"="pan_threat","src_ip,dst_ip,action,src_port,dst_port",
"$sourcetype$"="ciscoios","host,action,syslog_message",
1=1,"*") | table search]
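An alternative that avoids the nested subsearch and `format` trick, added here as an example and not part of the answer above: the dropdown's Simple XML `<change>`/`<condition>`/`<set>` handler (Splunk 6.x and later) maps the selected sourcetype to static field-name tokens, and the `|s` token filter quotes the user-typed values so they stay literal search terms rather than SPL. The token names `f_src_ip`, `f_dst_ip`, `f_src_port`, `f_dst_port`, `port_op` and `st_fields` are chosen for this example; it assumes the change handler also runs for the default selection on load.

```xml
<form>
  <fieldset autoRun="false" submitButton="true">
    <input type="text" token="src_ip"><label>Source IP:</label><default>*</default></input>
    <input type="text" token="dst_ip"><label>Destination IP:</label><default>*</default></input>
    <input type="text" token="src_port"><label>Source Port:</label><default>*</default></input>
    <input type="text" token="dst_port"><label>Destination Port:</label><default>*</default></input>
    <input type="dropdown" token="sourcetype">
      <label>Select Sourcetype:</label>
      <choice value="pan_traffic">pan_traffic</choice>
      <choice value="pan_threat">pan_threat</choice>
      <choice value="proxysg">proxysg</choice>
      <choice value="ciscoios">ciscoios</choice>
      <default>pan_traffic</default>
      <change>
        <condition value="proxysg"> <!-- client_ip/dest_ip; a single port field is matched against either port box -->
          <set token="f_src_ip">client_ip</set>
          <set token="f_dst_ip">dest_ip</set>
          <set token="f_src_port">port</set>
          <set token="f_dst_port">port</set>
          <set token="port_op">OR</set>
          <set token="st_fields">client_ip, dest_ip, action, port</set>
        </condition>
        <condition value="ciscoios"> <!-- host only; there is no port field, so the port boxes are pointed at sourcetype, which every event has, and the default "*" still matches -->
          <set token="f_src_ip">host</set>
          <set token="f_dst_ip">host</set>
          <set token="f_src_port">sourcetype</set>
          <set token="f_dst_port">sourcetype</set>
          <set token="port_op">AND</set>
          <set token="st_fields">host, action, syslog_message</set>
        </condition>
        <condition> <!-- fall-through: pan_traffic and pan_threat share one schema -->
          <set token="f_src_ip">src_ip</set>
          <set token="f_dst_ip">dst_ip</set>
          <set token="f_src_port">src_port</set>
          <set token="f_dst_port">dst_port</set>
          <set token="port_op">AND</set>
          <set token="st_fields">src_ip, dst_ip, action, src_port, dst_port</set>
        </condition>
      </change>
    </input>
    <input type="time" searchWhenChanged="false"><default><earliest>-15m</earliest><latest>now</latest></default></input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search><query>sourcetype=$sourcetype|s$ $f_src_ip$=$src_ip|s$ $f_dst_ip$=$dst_ip|s$ ($f_src_port$=$src_port|s$ $port_op$ $f_dst_port$=$dst_port|s$) | table $st_fields$</query></search>
      </table>
    </panel>
  </row>
</form>
```

For ciscoios both IP boxes filter the single `host` field, so put the address of interest in one box and leave the other as `*`; a non-wildcard port for ciscoios correctly returns no rows.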
You want something similar to this, I believe:
I tried adding an eval host=$src_ip$ but that didn't work. I've also tried going the eval split route like you did with the port splitting into src_port and dst_port.
OK, when I did a search selecting ciscoios in the dropdown, the table returned results for all the fields except for the action field. Also, when I tried to do a search against a specific host in the Source IP: box, it just did an open search with all results.
Try that again now.
I got a mismatch '[' error.
See if the updated answer looks ok.
I was able to figure out most of it, but I can't get the action field to display. The fields for ciscoios would be host="$src_ip$" OR "$dst_ip$", and there is nothing for port. I would like to show syslog_message for the ciscoios sourcetype.
What are the filters for ciscoios (like for proxysg it's client_ip="$src_ip$" dest_ip="$dst_ip$" port=$src_port$ OR port=$dst_port$)?
Would it be possible for you to help me with the ciscoios one? The fields that I would like to display for ciscoios would be host and action.
There's another sourcetype I wanted to add into this. It will be ciscoios and the fields that will show are host and action.
Just replace all instances of
"$sourcetype$"="pan_traffic"
with
"$sourcetype$"="pan_traffic" OR "$sourcetype$"="pan_threat"
It worked. Greatly appreciate it. There's a pan_threat sourcetype available in the dropdown as well, and the fields are the same as pan_traffic, but I'm not getting any data when I select that as a sourcetype.
So if below returns you results, then try the updated answer.
sourcetype=proxysg ( ( client_ip="*" AND dest_ip="*" AND port="*" ) OR ( client_ip="*" AND dest_ip="*" AND port="*" ) ) | table client_ip, dest_ip, action,port
It doesn't return any data for me. The fields for proxysg are client_ip and dest_ip instead of src_ip and dst_ip.
I created the same dashboard (with my query) and the final query being executed (I can't see results as I don't have the data) is below (for sourcetype selected as proxysg and all default dropdown values):
sourcetype=proxysg ( ( dst_ip="*" AND port="*" AND src_ip="*" ) OR ( dst_ip="*" AND port="*" AND src_ip="*" ) )
| table src_ip, dst_ip, action,port
Can you validate if this query returns data for you?
I get results back when I select pan_traffic as my sourcetype but nothing back when I select proxysg as my sourcetype from the dropdown.
Does this return records when both sourcetypes are selected?
sourcetype=$sourcetype$ [|stats count | eval src_ip="$src_ip$" | eval dst_ip="$dst_ip$"
| eval src_port="$src_port$" | eval dst_port="$dst_port$" | eval port=split("$src_port$,$dst_port$",",") | mvexpand port
| table [|stats count| eval search=case(
"$sourcetype$"="proxysg","src_ip,dst_ip,port",
"$sourcetype$"="pan_traffic","src_ip, dst_ip,src_port,dst_port",
1=1,"") | table search] | format]
I tried the update and I didn't get any results when proxysg was the sourcetype.
Try updated answer now.