- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Using Multiple Text Box Input For Searching
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a dashboard built that views today's events for processes running on systems. To focus on a single event, I have several text box inputs across the top that serve as a "Quick Search" capability. The tokens from these text box inputs are included in various charts and tables to change the values when the text is typed into the boxes. An example of the text box inputs are process name, destip, dest port, and md5. I am having an issue using getting the splunk boolean expression right to search for one or more values from the text inputs. A sample of my text box inputs are as follows:
Search Filename Search MD5 Search Dest IP Search Dest Port
* | MD5 | DestIP | DestPort |
Currently, my default values are shown in the screenshot. I use * for the Filename which shows all data, but I want this and all other text box inputs to be optional. All other default values are basically place holders. The goal is to be able to view all data, then type in one or more values in any of the type box inputs to view the alerts with the typed value.
This is a snippet of a command that is used.
..... | (process IN ($sfilename$) OR md5 IN ($smd5$) OR destinationip IN ($sdestip$) OR destinationport IN ($sdestport$) ) AND $alertstoview$
| table process, md5, destinationip, destinationport
For example, if I have the following as my list of alerts:
Filename MD5 DestIP DestPort
abc.exe eec9859394abcdef1234567fedca 12.22.22.22 8080
xyz.exe ade98dbc77abcdef1234567fb32a 22.22.22.23 80
fff.exe fbc9859394abcdef123456bce32a 32.22.22.24 443
bbb.exe ebc9859394abcdef1234567fedca 42.22.22.25 80
ddd.exe ad59859394abcdec77abcdebbbbb 52.22.22.26 22
And I only want to see destport 22 AND filename fff.exe, I should get:
Filename MD5 DestIP DestPort
fff.exe fbc9859394abcdef123456bce32a 32.22.22.24 443
ddd.exe ad59859394abcdec77abcdebbbbb 52.22.22.26 22
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This seems to be working for me now. For each textbox input, I used a condition and change tag. Each input text box would need the code seen below. The example below is for the filename input. You would this block of code for each text box with the respective token name.
<input type="text" token="sfilename">
<label>Search By Filename</label>
<change>
<condition match="len($value$)>0">
<set token="defaulttoken">defaulttoken</set>
<eval token="sfilename">case($sfilename$ == $sfilename$, $sfilename$)</eval>
<eval token="smd5">case($smd5$ == $smd5$, $smd5$)</eval>
<eval token="sdestip">case($sdestip$ == $sdestip$, $sdestip$)</eval>
<eval token="sdestport">case($sdestport$ == $sdestport$, $sdestport$)</eval>
</condition>
<condition len($sprocess$)=0 AND len($smd5$)=0 AND len($destip$)=0 AND len($destport$)=0>
<set token="defaulttoken">*</set>
</condition>
</change>
<default></default>
</input>
Then each query you want to search would contain the following:
... filename IN ($sfilename$) OR md5 IN ($smd5$) OR path IN ($sdestip$) OR target IN ($sdestport$) OR ($defaulttoken$) ...
I also set a value for the defaulttoken as * when the page loads.
<init>
<set token="defaulttoken">*</set>
</init>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This seems to be working for me now. For each textbox input, I used a condition and change tag. Each input text box would need the code seen below. The example below is for the filename input. You would this block of code for each text box with the respective token name.
<input type="text" token="sfilename">
<label>Search By Filename</label>
<change>
<condition match="len($value$)>0">
<set token="defaulttoken">defaulttoken</set>
<eval token="sfilename">case($sfilename$ == $sfilename$, $sfilename$)</eval>
<eval token="smd5">case($smd5$ == $smd5$, $smd5$)</eval>
<eval token="sdestip">case($sdestip$ == $sdestip$, $sdestip$)</eval>
<eval token="sdestport">case($sdestport$ == $sdestport$, $sdestport$)</eval>
</condition>
<condition len($sprocess$)=0 AND len($smd5$)=0 AND len($destip$)=0 AND len($destport$)=0>
<set token="defaulttoken">*</set>
</condition>
</change>
<default></default>
</input>
Then each query you want to search would contain the following:
... filename IN ($sfilename$) OR md5 IN ($smd5$) OR path IN ($sdestip$) OR target IN ($sdestport$) OR ($defaulttoken$) ...
I also set a value for the defaulttoken as * when the page loads.
<init>
<set token="defaulttoken">*</set>
</init>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
set default value * for all your text boxes. That should solve your problem.
If this helps, give a like below.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried that early on. That wont help. That means I am listing everything from all fields. If I change destport to 22, I will still get everything.
New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...
Alerting Best Practices: How to Create Good Detectors
Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...
