Splunk Search

Using Multiple Text Box Input For Searching

rkeq0515
Path Finder

I have a dashboard built that views today's events for processes running on systems.  To focus on a single event, I have several text box inputs across the top that serve as a "Quick Search" capability.  The tokens from these text box inputs are included in various charts and tables to change the values when the text is typed into the boxes.  Examples of the text box inputs are process name, dest IP, dest port, and MD5.  I am having an issue getting the Splunk boolean expression right to search for one or more values from the text inputs.  A sample of my text box inputs is as follows:

[Screenshot of the four text box inputs with their labels and default values: Search Filename = *, Search MD5 = MD5, Search Dest IP = DestIP, Search Dest Port = DestPort]

Currently, my default values are shown in the screenshot.  I use * for the Filename, which shows all data, but I want this and all other text box inputs to be optional.  All other default values are basically placeholders.  The goal is to be able to view all data, then type one or more values into any of the text box inputs to view the alerts with the typed value.

This is a snippet of a command that is used.

..... | search (process IN ($sfilename$) OR md5 IN ($smd5$) OR destinationip IN ($sdestip$) OR destinationport IN ($sdestport$)) AND $alertstoview$
| table process, md5, destinationip, destinationport

For example, if I have the following as my list of alerts:

Filename   MD5                             DestIP        DestPort
abc.exe    eec9859394abcdef1234567fedca    12.22.22.22   8080
xyz.exe    ade98dbc77abcdef1234567fb32a    22.22.22.23   80
fff.exe    fbc9859394abcdef123456bce32a    32.22.22.24   443
bbb.exe    ebc9859394abcdef1234567fedca    42.22.22.25   80
ddd.exe    ad59859394abcdec77abcdebbbbb    52.22.22.26   22

And I only want to see destport 22 AND filename fff.exe, I should get:

Filename   MD5                             DestIP        DestPort
fff.exe    fbc9859394abcdef123456bce32a    32.22.22.24   443
ddd.exe    ad59859394abcdec77abcdebbbbb    52.22.22.26   22

0 Karma
1 Solution

rkeq0515
Path Finder

This seems to be working for me now.  For each text box input, I used a condition and change tag.  Each input text box would need the code seen below.  The example below is for the filename input.  You would need this block of code for each text box with the respective token name.

<input type="text" token="sfilename">
  <label>Search By Filename</label>
  <change>
    <!-- Something was typed: point defaulttoken at a literal term that is not
         expected in the events, so only the typed values drive the OR search -->
    <condition match="len($value$)&gt;0">
      <set token="defaulttoken">defaulttoken</set>
      <eval token="sfilename">case($sfilename$ == $sfilename$, $sfilename$)</eval>
      <eval token="smd5">case($smd5$ == $smd5$, $smd5$)</eval>
      <eval token="sdestip">case($sdestip$ == $sdestip$, $sdestip$)</eval>
      <eval token="sdestport">case($sdestport$ == $sdestport$, $sdestport$)</eval>
    </condition>
    <!-- Every box is empty again: fall back to * so the search shows all rows -->
    <condition match="len($sfilename$)==0 AND len($smd5$)==0 AND len($sdestip$)==0 AND len($sdestport$)==0">
      <set token="defaulttoken">*</set>
    </condition>
  </change>
  <default></default>
</input>

 

Then each query you want to search would contain the following:

... filename IN ($sfilename$) OR md5 IN ($smd5$) OR path IN ($sdestip$) OR target IN ($sdestport$) OR ($defaulttoken$) ...

 

I also set the value of defaulttoken to * when the page loads.

  <init>
    <set token="defaulttoken">*</set>
  </init>
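A complete dashboard, added here as an example and not taken from the original post, that reaches the same result without the per-input change handlers: a single where clause ORs the four typed values and adds an all-blank fallback so an empty dashboard shows every row. The index and sourcetype are placeholders, the field names are the ones from the question, and it assumes an empty default defines each token as an empty string.

```xml
<form>
  <label>Process Alerts - Quick Search</label>
  <!-- Added example: four optional text inputs, OR-ed together.
       A blank input contributes nothing; all blank shows every row. -->
  <fieldset submitButton="false">
    <input type="text" token="sfilename">
      <label>Search Filename</label>
      <default></default>
    </input>
    <input type="text" token="smd5">
      <label>Search MD5</label>
      <default></default>
    </input>
    <input type="text" token="sdestip">
      <label>Search Dest IP</label>
      <default></default>
    </input>
    <input type="text" token="sdestport">
      <label>Search Dest Port</label>
      <default></default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- index/sourcetype are placeholders; replace with your own.
               A blank token becomes field="" which never matches, so each
               OR branch is only live when its box has a value; the last
               branch is true only when every box is blank. -->
          <query>index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE
| where (process="$sfilename$")
     OR (md5="$smd5$")
     OR (destinationip="$sdestip$")
     OR (destinationport="$sdestport$")
     OR ("$sfilename$"="" AND "$smd5$"="" AND "$sdestip$"="" AND "$sdestport$"="")
| table process, md5, destinationip, destinationport</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Note that where does exact matching, so a typed * is not a wildcard here, and a double quote typed into a box will break the generated query, so the inputs should be treated as untrusted just like any other user-supplied search text.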

 


thambisetty
SplunkTrust

Set the default value * for all your text boxes. That should solve your problem.

————————————
If this helps, give a like below.
0 Karma

rkeq0515
Path Finder

I tried that early on.  That won't help.  That means I am listing everything from all fields.  If I change destport to 22, I will still get everything.

0 Karma