Solved: Re: If/Else Conditions in a form base on Dropdown ... - Page 2

jaywilwk · ‎05-15-2014

I've created a form that has a dropdown where users can select their sourcetype. Within each sourcetype, the fields are different. Is there a way for me to have the associated fields available based on the sourcetype that the user selects? If so how do I do this? Below is my form.

<form>
<label>Threat Dashboard</label>
   <fieldset autoRun="false" submitButton="true">
      <input type="text" token="src_ip">
      <label>Source IP:</label>
      <default>*</default>
    </input>
      <input type="text" token="src_port">
      <label>Source Port:</label>
      <default>*</default>
    </input>
    <input type="text" token="dst_ip">
      <label>Destination IP:</label>
      <default>*</default>
    </input>
    <input type="text" token="dst_port">
      <label>Destination Port:</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="sourcetype">
      <label>Select Sourcetype:</label>
      <default>pan_traffic</default>
      <populatingSearch fieldForValue="sourcetype" fieldForLabel="sourcetype" earliest="-120m" latest="-90m">
        <![CDATA[index=* | stats count by sourcetype]]>
      </populatingSearch>
    </input>
    <input type="time" searchWhenChanged="false">
      <default>
        <earliestTime>-15m</earliestTime>
        <latestTime>now</latestTime>
      </default>
       </input>
  </fieldset>
    <row>
    <table>
      <title>Investigate Source IP: $src_ip$</title>
      <searchString>sourcetype=$sourcetype$ src_ip=$src_ip$ dst_ip=$dst_ip$ src_port=$src_port$ dst_port=$dst_port$ | table src_ip, dst_ip, action, src_port, dst_port</searchString>

    </table>
  </row>
  </form>

somesoni2 · ‎05-15-2014

Try this in you searchString for the table.

  sourcetype=$sourcetype$ src_ip=$src_ip$ dst_ip=$dst_ip$ src_port=$src_port$ dst_port=$dst_port$ | table [|stats count| eval search=case("$sourcetype$"="proxysg","src_ip, dst_ip, action","$sourcetype$"="pan_traffic","action, src_port, dst_port", 1=1,"src_ip, dst_ip, action, src_port, dst_port")  | table search]

Update:

sourcetype=$sourcetype$  [|stats count | eval src_ip="$src_ip$" | eval dst_ip="$dst_ip$" 
| eval src_port="$src_port$" | eval dst_port="$dst_port$" | eval client_ip="$src_ip$" 
| eval dest_ip="$dst_ip$" | eval port=split("$src_port$,$dst_port$",",") | mvexpand port
| eval host=port
| table [|stats count| eval search=case(
"$sourcetype$"="proxysg","client_ip,dest_ip,port",
"$sourcetype$"="pan_traffic" OR "$sourcetype$"="pan_threat","src_ip, dst_ip,src_port,dst_port", 
"$sourcetype$"="ciscoios", "host" ,
1=1,"")  | table search] | format]
| table [|stats count| eval search=case(
"$sourcetype$"="proxysg","client_ip, dest_ip, action,port",
"$sourcetype$"="pan_traffic" OR "$sourcetype$"="pan_threat","src_ip,dst_ip,action,src_port,dst_port", 
"$sourcetype$"="ciscoios", "host,action,syslog_message" ,
1=1,"*")  | table search]

View solution in original post

jaywilwk · ‎05-15-2014

yes that's right.

somesoni2 · ‎05-15-2014

What should be the query if you want to search proxysg logs with dropdown values? Will it be this?

sourcetype=proxy client_ip=$src_ip$ dest_ip=$dst_ip$ port=$src_ip$ OR port=$dst_ip$

jaywilwk · ‎05-15-2014

in the proxysg, there is only port, which would be for the src_port and dst_port

somesoni2 · ‎05-15-2014

This was the critical information missing from the question. Can you confirm the final list of sourcetype-field list and mapping to dropdown in the form.

sourcetype=pan_traffic

field dropdown

src_ip src_ip
dst_ip dst_ip
src_port src_port
dst_port dst_port

sourcetype=proxysg

field dropdown

client_ip src_ip
dest_ip dst_ip
port src_port OR dst_port????

jaywilwk · ‎05-15-2014

it seems like it's on the right track, but I'm still not getting results. I have the default sourcetype=pan_traffic in the dropdown and the fields are src_ip, dst_ip, src_port, dst_port. In proxysg, fields are client_ip, dest_ip, port.

somesoni2 · ‎05-15-2014

The filters in the base search also needs to be filtered based on sourcetype. Try the updated answer.

jaywilwk · ‎05-15-2014

I tried it and I didn't get anything back for the proxysg sourcetype.

somesoni2 · ‎05-15-2014

My bad, missed one bracket. Updated the answer. Try now.

jaywilwk · ‎05-15-2014

I tried this and I got an error in my eval command: The expression is malformed. Expected ).

jaywilwk · ‎05-15-2014

ok let's say the fields src_ip and dst_ip is only available when the user select proxysg as their sourcetype. let's say I want client_ip and dest_ip available in my search result when the user select sourcetype=pan_traffic in the drop down. So based on the sourcetype selected, I want those field available that are associated with the sourcetype.

somesoni2 · ‎05-15-2014

Are you saying you want to customize filters used in search and fields displayed in table based on sourcetype selected?

If/Else Conditions in a form base on Dropdown Selection

field dropdown

field dropdown

Your Guide to Splunk Digital Experience Monitoring

Data Management Digest – November 2025

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join the Conversation

If/Else Conditions in a form base on Dropdown Selection

field dropdown

field dropdown

Your Guide to Splunk Digital Experience Monitoring

Data Management Digest – November 2025

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA