Splunk Search

If/Else Conditions in a form based on Dropdown Selection

jaywilwk
Engager

I've created a form that has a dropdown where users can select their sourcetype. Within each sourcetype, the fields are different. Is there a way for me to have the associated fields available based on the sourcetype that the user selects? If so how do I do this? Below is my form.

<form>
  <label>Threat Dashboard</label>
  <fieldset autoRun="false" submitButton="true">
    <input type="text" token="src_ip">
      <label>Source IP:</label>
      <default>*</default>
    </input>
    <input type="text" token="src_port">
      <label>Source Port:</label>
      <default>*</default>
    </input>
    <input type="text" token="dst_ip">
      <label>Destination IP:</label>
      <default>*</default>
    </input>
    <input type="text" token="dst_port">
      <label>Destination Port:</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="sourcetype">
      <label>Select Sourcetype:</label>
      <default>pan_traffic</default>
      <populatingSearch fieldForValue="sourcetype" fieldForLabel="sourcetype" earliest="-120m" latest="-90m">
        <![CDATA[index=* | stats count by sourcetype]]>
      </populatingSearch>
    </input>
    <input type="time" searchWhenChanged="false">
      <default>
        <earliestTime>-15m</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <table>
      <title>Investigate Source IP: $src_ip$</title>
      <searchString>sourcetype=$sourcetype$ src_ip=$src_ip$ dst_ip=$dst_ip$ src_port=$src_port$ dst_port=$dst_port$ | table src_ip, dst_ip, action, src_port, dst_port</searchString>
    </table>
  </row>
</form>
0 Karma
1 Solution

somesoni2
SplunkTrust

Try this in your searchString for the table.

  sourcetype=$sourcetype$ src_ip=$src_ip$ dst_ip=$dst_ip$ src_port=$src_port$ dst_port=$dst_port$ | table [|stats count| eval search=case("$sourcetype$"="proxysg","src_ip, dst_ip, action","$sourcetype$"="pan_traffic","action, src_port, dst_port", 1=1,"src_ip, dst_ip, action, src_port, dst_port")  | table search]

Update:

sourcetype=$sourcetype$  [|stats count | eval src_ip="$src_ip$" | eval dst_ip="$dst_ip$" 
| eval src_port="$src_port$" | eval dst_port="$dst_port$" | eval client_ip="$src_ip$" 
| eval dest_ip="$dst_ip$" | eval port=split("$src_port$,$dst_port$",",") | mvexpand port
| eval host=port
| table [|stats count| eval search=case(
"$sourcetype$"="proxysg","client_ip,dest_ip,port",
"$sourcetype$"="pan_traffic" OR "$sourcetype$"="pan_threat","src_ip, dst_ip,src_port,dst_port", 
"$sourcetype$"="ciscoios", "host" ,
1=1,"")  | table search] | format]
| table [|stats count| eval search=case(
"$sourcetype$"="proxysg","client_ip, dest_ip, action,port",
"$sourcetype$"="pan_traffic" OR "$sourcetype$"="pan_threat","src_ip,dst_ip,action,src_port,dst_port", 
"$sourcetype$"="ciscoios", "host,action,syslog_message" ,
1=1,"*")  | table search]

0 Karma
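As an added example (not code from the question or from the accepted answer), the same form rewritten so that the dropdown's `<change>` handler picks one of three panels, each carrying a query written for its own sourcetype's field names as given in the thread (proxysg: client_ip/dest_ip/port; pan_traffic and pan_threat: src_ip/dst_ip/src_port/dst_port; ciscoios: host/action/syslog_message). The static `<choice>` list stands in for the populatingSearch, the `show_*` token names are assumed, and the `|s` token filter quotes each text-box value so it is searched as a literal rather than parsed as extra search syntax.

```xml
<form>
  <label>Threat Dashboard</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="src_ip"><label>Source IP:</label><default>*</default></input>
    <input type="text" token="dst_ip"><label>Destination IP:</label><default>*</default></input>
    <input type="text" token="src_port"><label>Source Port:</label><default>*</default></input>
    <input type="text" token="dst_port"><label>Destination Port:</label><default>*</default></input>
    <input type="dropdown" token="sourcetype">
      <label>Select Sourcetype:</label>
      <choice value="proxysg">proxysg</choice>
      <choice value="pan_traffic">pan_traffic</choice>
      <choice value="pan_threat">pan_threat</choice>
      <choice value="ciscoios">ciscoios</choice>
      <default>pan_traffic</default>
      <!-- Each selection sets exactly one show_* token (assumed names) and unsets the others. -->
      <change>
        <condition value="proxysg">
          <set token="show_proxysg">true</set><unset token="show_pan"/><unset token="show_cisco"/>
        </condition>
        <condition value="ciscoios">
          <set token="show_cisco">true</set><unset token="show_pan"/><unset token="show_proxysg"/>
        </condition>
        <condition><!-- pan_traffic and pan_threat share the same field names -->
          <set token="show_pan">true</set><unset token="show_proxysg"/><unset token="show_cisco"/>
        </condition>
      </change>
    </input>
    <input type="time" token="time"><default><earliest>-15m</earliest><latest>now</latest></default></input>
  </fieldset>
  <row>
    <!-- One panel per field layout; only the panel whose depends token is set is rendered.
         The |s filter wraps each text-box value in double quotes, so it is matched as a literal
         value ("*" still acts as a wildcard) instead of being parsed as additional SPL. -->
    <panel depends="$show_pan$"><table>
      <search><query>sourcetype=$sourcetype|s$ src_ip=$src_ip|s$ dst_ip=$dst_ip|s$ src_port=$src_port|s$ dst_port=$dst_port|s$
| table src_ip, dst_ip, action, src_port, dst_port</query><earliest>$time.earliest$</earliest><latest>$time.latest$</latest></search>
    </table></panel>
    <panel depends="$show_proxysg$"><table>
      <search><query>sourcetype=proxysg client_ip=$src_ip|s$ dest_ip=$dst_ip|s$ (port=$src_port|s$ OR port=$dst_port|s$)
| table client_ip, dest_ip, action, port</query><earliest>$time.earliest$</earliest><latest>$time.latest$</latest></search>
    </table></panel>
    <panel depends="$show_cisco$"><table>
      <!-- A ciscoios event carries a single host, so both boxes apply to it; leave one at * to filter on the other. -->
      <search><query>sourcetype=ciscoios host=$src_ip|s$ host=$dst_ip|s$
| table host, action, syslog_message</query><earliest>$time.earliest$</earliest><latest>$time.latest$</latest></search>
    </table></panel>
  </row>
</form>
```

Because the `<change>` handler only toggles which panel is visible, each panel's query reads the text-box tokens directly at search time, so the filters always reflect the current form values.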

Lazarix
Communicator

You want something similar to this, I believe:

Possible Solution

0 Karma

jaywilwk
Engager

I tried adding an eval host=$src_ip$ but that didn't work. I've also tried going the eval split route like you did with the port splitting into src_port and dst_port.

0 Karma

jaywilwk
Engager

OK, when I did a search selecting ciscoios in the dropdown the table returned results for all the fields except for the action field. Also, when I tried to do a search against a specific host in the Source IP: box, it just did an open search with all results.

0 Karma

somesoni2
SplunkTrust

Try that again now.

0 Karma

jaywilwk
Engager

I got a mismatched '[' error.

0 Karma

somesoni2
SplunkTrust

See if the updated answer looks ok.

0 Karma

jaywilwk
Engager

I was able to figure out most of it, but I can't get the action field to display. The fields for ciscoios would be host="$src_ip$" OR "$dst_ip$" and there is nothing for port. I would like to show syslog_message for the ciscoios sourcetype.

0 Karma

somesoni2
SplunkTrust

What are the filters for ciscoios (like for proxysg it's client_ip="$src_ip$" dest_ip="$dst_ip$" port=$src_port$ OR port=$dst_port$)?

0 Karma

jaywilwk
Engager

Would it be possible for you to help me with the ciscoios one? The fields that I would like to display for ciscoios would be host and action.

0 Karma

jaywilwk
Engager

There's another sourcetype I wanted to add into this. It will be ciscoios and the fields that will show are host and action.

0 Karma

somesoni2
SplunkTrust

Just replace all instances of
"$sourcetype$"="pan_traffic"
with
"$sourcetype$"="pan_traffic" OR "$sourcetype$"="pan_threat"

0 Karma

jaywilwk
Engager

It worked. Greatly appreciate it. There's a pan_threat sourcetype available in the dropdown as well and the fields are the same as pan_traffic, but I'm not getting any data when I select that as a sourcetype.

0 Karma

somesoni2
SplunkTrust

So if below returns you results, then try the updated answer.

sourcetype=proxysg ( ( client_ip="*" AND dest_ip="*" AND port="*" ) OR ( client_ip="*" AND dest_ip="*" AND port="*" ) ) | table client_ip, dest_ip, action,port

0 Karma

jaywilwk
Engager

It doesn't return any data for me. The fields for proxysg are client_ip and dest_ip instead of src_ip and dst_ip.

0 Karma

somesoni2
SplunkTrust

I created the same dashboard (with my query) and the final query being executed (I can see results as I don't have the data) is below (for sourcetype selected as proxysg and all default dropdown values):

sourcetype=proxysg ( ( dst_ip="*" AND port="*" AND src_ip="*" ) OR ( dst_ip="*" AND port="*" AND src_ip="*" ) )
| table src_ip, dst_ip, action,port

Can you validate if this query returns data for you?

0 Karma

jaywilwk
Engager

I get results back when I select pan_traffic as my sourcetype but nothing back when I select proxysg as my sourcetype from the dropdown.

0 Karma

somesoni2
SplunkTrust

Does this return records with both sourcetypes selected?

sourcetype=$sourcetype$ [|stats count | eval src_ip="$src_ip$" | eval dst_ip="$dst_ip$"
| eval src_port="$src_port$" | eval dst_port="$dst_port$" | eval port=split("$src_port$,$dst_port$",",") | mvexpand port
| table [|stats count| eval search=case(
"$sourcetype$"="proxysg","src_ip,dst_ip,port",
"$sourcetype$"="pan_traffic","src_ip, dst_ip,src_port,dst_port",
1=1,"") | table search] | format]

0 Karma

jaywilwk
Engager

I tried the update and I didn't get any results when proxysg was the sourcetype.

0 Karma

somesoni2
SplunkTrust

Try updated answer now.

0 Karma