Splunk Search

Using Multiple Text Box Input For Searching

rkeq0515
Path Finder

I have a dashboard built that views today's events for processes running on systems.  To focus on a single event, I have several text box inputs across the top that serve as a "Quick Search" capability.  The tokens from these text box inputs are included in various charts and tables to change the values when the text is typed into the boxes.  Examples of the text box inputs are process name, destip, dest port, and md5.  I am having an issue getting the Splunk boolean expression right to search for one or more values from the text inputs.   A sample of my text box inputs is as follows:

Search Filename     Search MD5     Search Dest IP     Search Dest Port
*                   MD5            DestIP             DestPort

Currently, my default values are shown in the screenshot.  I use * for the Filename, which shows all data, but I want this and all other text box inputs to be optional.  All other default values are basically placeholders.  The goal is to be able to view all data, then type in one or more values in any of the text box inputs to view the alerts with the typed value.

This is a snippet of a command that is used.

..... | (process IN ($sfilename$) OR md5 IN ($smd5$) OR destinationip IN ($sdestip$) OR destinationport IN ($sdestport$) ) AND $alertstoview$
| table process, md5, destinationip, destinationport

For example, if I have the following as my list of alerts:

Filename   MD5                             DestIP        DestPort
abc.exe    eec9859394abcdef1234567fedca    12.22.22.22   8080
xyz.exe    ade98dbc77abcdef1234567fb32a    22.22.22.23   80
fff.exe    fbc9859394abcdef123456bce32a    32.22.22.24   443
bbb.exe    ebc9859394abcdef1234567fedca    42.22.22.25   80
ddd.exe    ad59859394abcdec77abcdebbbbb    52.22.22.26   22

And if I only want to see destport 22 AND filename fff.exe, I should get:

Filename   MD5                             DestIP        DestPort
fff.exe    fbc9859394abcdef123456bce32a    32.22.22.24   443
ddd.exe    ad59859394abcdec77abcdebbbbb    52.22.22.26   22


rkeq0515
Path Finder

This seems to be working for me now.  For each textbox input, I used a condition and change tag.  Each input text box would need the code seen below.  The example below is for the filename input.  You would use this block of code for each text box with the respective token name.

<input type="text" token="sfilename">
  <label>Search By Filename</label>
  <change>
    <!-- Something was typed: defaulttoken becomes the literal word "defaulttoken",
         so the "OR ($defaulttoken$)" branch of the search no longer matches everything. -->
    <condition match="len($value$)&gt;0">
      <set token="defaulttoken">defaulttoken</set>
      <eval token="sfilename">case($sfilename$ == $sfilename$, $sfilename$)</eval>
      <eval token="smd5">case($smd5$ == $smd5$, $smd5$)</eval>
      <eval token="sdestip">case($sdestip$ == $sdestip$, $sdestip$)</eval>
      <eval token="sdestport">case($sdestport$ == $sdestport$, $sdestport$)</eval>
    </condition>
    <!-- All four boxes are empty: search everything again. The condition needs a
         match attribute, and the token names must be the ones the inputs define. -->
    <condition match="len($sfilename$)=0 AND len($smd5$)=0 AND len($sdestip$)=0 AND len($sdestport$)=0">
      <set token="defaulttoken">*</set>
    </condition>
  </change>
  <default></default>
</input>

 

Then each query you want to search would contain the following:

... filename IN ($sfilename$) OR md5 IN ($smd5$) OR path IN ($sdestip$) OR target IN ($sdestport$) OR ($defaulttoken$) ...

 

I also set a value for the defaulttoken as * when the page loads.

  <init>
    <set token="defaulttoken">*</set>
  </init>
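An alternative way to make all four boxes optional, added here as an example and not the poster's dashboard: each input sets only its own q_* token, either "" when cleared or the typed value quoted by the |s token filter, and the OR logic lives in SPL, so an empty box never produces an invalid IN () and typed text reaches eval as a string literal rather than as search syntax. The index name proc_events and the field names process, md5, destinationip and destinationport are assumptions taken from the question's query.

```xml
<form version="1.1">
  <label>Process events - quick search (added example)</label>
  <init>
    <!-- Start with every filter empty; "" is a valid eval string literal, so the search runs on first load -->
    <set token="q_filename">""</set>
    <set token="q_md5">""</set>
    <set token="q_destip">""</set>
    <set token="q_destport">""</set>
  </init>
  <fieldset submitButton="false">
    <!-- Each box only ever sets its own q_* token: "" when cleared, otherwise the typed value
         quoted and escaped by the |s token filter so eval sees a string literal, not search syntax -->
    <input type="text" token="sfilename" searchWhenChanged="true">
      <label>Search Filename</label>
      <change>
        <condition match="len($value$)&gt;0"><set token="q_filename">$value|s$</set></condition>
        <condition><set token="q_filename">""</set></condition>
      </change>
    </input>
    <input type="text" token="smd5" searchWhenChanged="true">
      <label>Search MD5</label>
      <change>
        <condition match="len($value$)&gt;0"><set token="q_md5">$value|s$</set></condition>
        <condition><set token="q_md5">""</set></condition>
      </change>
    </input>
    <input type="text" token="sdestip" searchWhenChanged="true">
      <label>Search Dest IP</label>
      <change>
        <condition match="len($value$)&gt;0"><set token="q_destip">$value|s$</set></condition>
        <condition><set token="q_destip">""</set></condition>
      </change>
    </input>
    <input type="text" token="sdestport" searchWhenChanged="true">
      <label>Search Dest Port</label>
      <change>
        <condition match="len($value$)&gt;0"><set token="q_destport">$value|s$</set></condition>
        <condition><set token="q_destport">""</set></condition>
      </change>
    </input>
  </fieldset>
  <row><panel><table><search>
    <!-- index and field names are assumptions; all boxes empty shows everything, otherwise rows matching any box -->
    <query>index=proc_events earliest=@d
| eval q_filename=$q_filename$, q_md5=$q_md5$, q_destip=$q_destip$, q_destport=$q_destport$
| where (q_filename="" AND q_md5="" AND q_destip="" AND q_destport="")
    OR process=q_filename OR md5=q_md5 OR destinationip=q_destip OR tostring(destinationport)=q_destport
| table process, md5, destinationip, destinationport</query>
  </search></table></panel></row>
</form>
```

With 22 in the Dest Port box, fff.exe in the Filename box and the other two empty, the where clause keeps exactly the fff.exe and ddd.exe rows of the sample table above. Comparisons in where are exact, so a typed * is not a wildcard here; use like() in the where clause if wildcard matching is wanted.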

 


thambisetty
SplunkTrust

Set the default value * for all your text boxes. That should solve your problem.


rkeq0515
Path Finder

I tried that early on.  That won't help.  That means I am listing everything from all fields.  If I change destport to 22, I will still get everything.
