Solved: Re: If/Else Conditions in a form base on Dropdown ... - Page 2

jaywilwk · ‎05-15-2014

I've created a form that has a dropdown where users can select their sourcetype. Within each sourcetype, the fields are different. Is there a way for me to have the associated fields available based on the sourcetype that the user selects? If so how do I do this? Below is my form.

<form>
<label>Threat Dashboard</label>
   <fieldset autoRun="false" submitButton="true">
      <input type="text" token="src_ip">
      <label>Source IP:</label>
      <default>*</default>
    </input>
      <input type="text" token="src_port">
      <label>Source Port:</label>
      <default>*</default>
    </input>
    <input type="text" token="dst_ip">
      <label>Destination IP:</label>
      <default>*</default>
    </input>
    <input type="text" token="dst_port">
      <label>Destination Port:</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="sourcetype">
      <label>Select Sourcetype:</label>
      <default>pan_traffic</default>
      <populatingSearch fieldForValue="sourcetype" fieldForLabel="sourcetype" earliest="-120m" latest="-90m">
        <![CDATA[index=* | stats count by sourcetype]]>
      </populatingSearch>
    </input>
    <input type="time" searchWhenChanged="false">
      <default>
        <earliestTime>-15m</earliestTime>
        <latestTime>now</latestTime>
      </default>
       </input>
  </fieldset>
    <row>
    <table>
      <title>Investigate Source IP: $src_ip$</title>
      <searchString>sourcetype=$sourcetype$ src_ip=$src_ip$ dst_ip=$dst_ip$ src_port=$src_port$ dst_port=$dst_port$ | table src_ip, dst_ip, action, src_port, dst_port</searchString>

    </table>
  </row>
  </form>

somesoni2 · ‎05-15-2014

Try this in you searchString for the table.

  sourcetype=$sourcetype$ src_ip=$src_ip$ dst_ip=$dst_ip$ src_port=$src_port$ dst_port=$dst_port$ | table [|stats count| eval search=case("$sourcetype$"="proxysg","src_ip, dst_ip, action","$sourcetype$"="pan_traffic","action, src_port, dst_port", 1=1,"src_ip, dst_ip, action, src_port, dst_port")  | table search]

Update:

sourcetype=$sourcetype$  [|stats count | eval src_ip="$src_ip$" | eval dst_ip="$dst_ip$" 
| eval src_port="$src_port$" | eval dst_port="$dst_port$" | eval client_ip="$src_ip$" 
| eval dest_ip="$dst_ip$" | eval port=split("$src_port$,$dst_port$",",") | mvexpand port
| eval host=port
| table [|stats count| eval search=case(
"$sourcetype$"="proxysg","client_ip,dest_ip,port",
"$sourcetype$"="pan_traffic" OR "$sourcetype$"="pan_threat","src_ip, dst_ip,src_port,dst_port", 
"$sourcetype$"="ciscoios", "host" ,
1=1,"")  | table search] | format]
| table [|stats count| eval search=case(
"$sourcetype$"="proxysg","client_ip, dest_ip, action,port",
"$sourcetype$"="pan_traffic" OR "$sourcetype$"="pan_threat","src_ip,dst_ip,action,src_port,dst_port", 
"$sourcetype$"="ciscoios", "host,action,syslog_message" ,
1=1,"*")  | table search]

View solution in original post

jaywilwk · ‎05-15-2014

yes that's right.

somesoni2 · ‎05-15-2014

What should be the query if you want to search proxysg logs with dropdown values? Will it be this?

sourcetype=proxy client_ip=$src_ip$ dest_ip=$dst_ip$ port=$src_ip$ OR port=$dst_ip$

jaywilwk · ‎05-15-2014

in the proxysg, there is only port, which would be for the src_port and dst_port

somesoni2 · ‎05-15-2014

This was the critical information missing from the question. Can you confirm the final list of sourcetype-field list and mapping to dropdown in the form.

sourcetype=pan_traffic

field dropdown

src_ip src_ip
dst_ip dst_ip
src_port src_port
dst_port dst_port

sourcetype=proxysg

field dropdown

client_ip src_ip
dest_ip dst_ip
port src_port OR dst_port????

jaywilwk · ‎05-15-2014

it seems like it's on the right track, but I'm still not getting results. I have the default sourcetype=pan_traffic in the dropdown and the fields are src_ip, dst_ip, src_port, dst_port. In proxysg, fields are client_ip, dest_ip, port.

somesoni2 · ‎05-15-2014

The filters in the base search also needs to be filtered based on sourcetype. Try the updated answer.

jaywilwk · ‎05-15-2014

I tried it and I didn't get anything back for the proxysg sourcetype.

somesoni2 · ‎05-15-2014

My bad, missed one bracket. Updated the answer. Try now.

jaywilwk · ‎05-15-2014

I tried this and I got an error in my eval command: The expression is malformed. Expected ).

jaywilwk · ‎05-15-2014

ok let's say the fields src_ip and dst_ip is only available when the user select proxysg as their sourcetype. let's say I want client_ip and dest_ip available in my search result when the user select sourcetype=pan_traffic in the drop down. So based on the sourcetype selected, I want those field available that are associated with the sourcetype.

somesoni2 · ‎05-15-2014

Are you saying you want to customize filters used in search and fields displayed in table based on sourcetype selected?

If/Else Conditions in a form base on Dropdown Selection

field dropdown

field dropdown

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation

If/Else Conditions in a form base on Dropdown Selection

field dropdown

field dropdown

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern