Splunk Search

expand field values in single event

Karthikeya
Communicator

raw data - 

"attackData":{"rules":[{"data":"SCANTL=10","action":"alert","selector":"","tag":"REPUTATION","id":"REP_6021037","message":"Scanning Tools (High Threat) - Shared IPs","version":""},{"data":"SCANTL=10","action":"alert","selector":"","tag":"REPUTATION","id":"REP_6021039","message":"Scanning Tools (Low Threat) - Shared IPs","version":""},{"data":"WEBATCK=10","action":"alert","selector":"","tag":"REPUTATION","id":"REP_6021041","message":"Web Attackers (High Threat) - Shared IPs","version":""},{"data":"WEBATCK=10","action":"alert","selector":"","tag":"REPUTATION","id":"REP_6021043","message":"Web Attackers (Low Threat) - Shared IPs","version":""}],

converted to JSON and here is the result:

attackData: {
  rules: [
    {
      action: alert
      data: SCANTL=10
      id: REP_6021037
      message: Scanning Tools (High Threat) - Shared IPs
      selector:
      tag: REPUTATION
      version:
    }
    {
      action: alert
      data: SCANTL=10
      id: REP_6021039
      message: Scanning Tools (Low Threat) - Shared IPs
      selector:
      tag: REPUTATION
      version:
    }
    {
      action: alert
      data: WEBATCK=10
      id: REP_6021041
      message: Web Attackers (High Threat) - Shared IPs
      selector:
      tag: REPUTATION
      version:
    }
    {
      action: alert
      data: WEBATCK=10
      id: REP_6021043
      message: Web Attackers (Low Threat) - Shared IPs
      selector:
      tag: REPUTATION
    }
  ]
}

Here the issue is: whenever we are creating an alert or dashboard with a single message called "Scanning Tools (High Threat) - Shared IPs", we are getting the correct values, but along with that all the rest of the rules are also coming in the event, which the client is not accepting. I know they will be there because that's how the log is. Can we do anything for this to get only the given message or value, not all? This is happening for all events.

 


tej57
Contributor

Hey @Karthikeya,

What @ITWhisperer mentioned is correct. I have modified the source code of the dashboard to open the same search in a new tab based on the clicked selection. Paste the following code in your dashboard and it should work as per your requirement.

<form version="1.1" theme="light">
  <label>Akamai WAF Dashboard</label>
  <search id="base_search">
    <query>index="waf_app_*" sourcetype=akamai_waf |fields * |search attackData.configId=$configid$ source=$source$
    </query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <description></description>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="configid" searchWhenChanged="true">
      <label>Security Configuration ID</label>
      <choice value="*">All</choice>
      <fieldForLabel>attackData.configId</fieldForLabel>
      <fieldForValue>attackData.configId</fieldForValue>
      <search>
        <query>index="waf_app_*" sourcetype=akamai_waf source=$source$
| stats count by attackData.configId</query>
        <earliest>-5m</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="dropdown" token="source" searchWhenChanged="true">
      <label>Service Name</label>
      <choice value="*">All</choice>
      <fieldForLabel>source</fieldForLabel>
      <fieldForValue>source</fieldForValue>
      <search>
        <query>index="waf_app_*" sourcetype=akamai_waf attackData.configId=$configid$ |stats count by source</query>
        <earliest>-5m@m</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="time" token="time">
      <label>Select Time Range</label>
      <default>
        <earliest>-5m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Top 10 Attack Rule IDs</title>
      <chart>
        <search base="base_search">
          <query>
| top limit=10 attackData.rules{}.id | rename attackData.rules{}.id as "Rule ID"</query>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Top 10 Attack Rule Tags</title>
      <chart>
        <search base="base_search">
          <query>
|stats count by attackData.rules{}.tag |sort - count |head 10</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Rule Messages</title>
      <table>
        <search base="base_search">
          <query>| stats count by attackData.rules{}.message  |sort - count |head 10</query>
        </search>
        <option name="dataOverlayMode">heatmap</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Rule Action by Count</title>
      <chart>
        <search base="base_search">
          <query> | stats count by attackData.rules{}.action |sort - count</query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.05</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="clicked_value">$click.value$</set>
          <link target="_blank">search?q=index%3D%22waf_app_*%22%20sourcetype%3Dakamai_waf%20%7Cfields%20*%20|search%20attackData.configId%3D$configid$%20source%3D$source$%20%7C%20stats%20count%20by%20attackData.rules%7B%7D.action%20|sort%20-%20count%0A%7C%20search%20attackData.rules%7B%7D.action%3D%22$clicked_value$%22&amp;earliest=$time.earliest$&amp;latest=$time.latest$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Rule IDs Trend (5 min)</title>
      <chart>
        <search base="base_search">
          <query>
| timechart  count(attackData.rules{}.id) span=5min</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Status Code Trend</title>
      <chart>
        <search base="base_search">
          <query>
| stats count by httpMessage.status</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Top 10 IP Addresses</title>
      <chart>
        <search base="base_search">
          <query> | stats count by attackData.clientIP |sort - count |head 10</query>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Top 10 HTTP Path Details</title>
      <chart>
        <search base="base_search">
          <query>
| stats count by httpMessage.path |sort - count |head 10</query>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>HTTP Method Count</title>
      <chart>
        <search base="base_search">
          <query> | stats count by httpMessage.method |sort - count </query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
      </chart>
    </panel>
  </row>
</form>

 

Thanks,
Tejas.

 

---
If the above solution helps, an upvote is appreciated..!!


Karthikeya
Communicator
<form version="1.1" theme="light">
  <label>Akamai WAF Dashboard</label>
  <search id="base_search">
    <query>index="waf_app_*" sourcetype=akamai_waf |fields * |search attackData.configId=$configid$ source=$source$
    </query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <description></description>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="configid" searchWhenChanged="true">
      <label>Security Configuration ID</label>
      <choice value="*">All</choice>
      <fieldForLabel>attackData.configId</fieldForLabel>
      <fieldForValue>attackData.configId</fieldForValue>
      <search>
        <query>index="waf_app_*" sourcetype=akamai_waf source=$source$
| stats count by attackData.configId</query>
        <earliest>-5m</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="dropdown" token="source" searchWhenChanged="true">
      <label>Service Name</label>
      <choice value="*">All</choice>
      <fieldForLabel>source</fieldForLabel>
      <fieldForValue>source</fieldForValue>
      <search>
        <query>index="waf_app_*" sourcetype=akamai_waf attackData.configId=$configid$ |stats count by source</query>
        <earliest>-5m@m</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="time" token="time">
      <label>Select Time Range</label>
      <default>
        <earliest>-5m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Top 10 Attack Rule IDs</title>
      <chart>
        <search base="base_search">
          <query>
| top limit=10 attackData.rules{}.id | rename attackData.rules{}.id as "Rule ID"</query>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Top 10 Attack Rule Tags</title>
      <chart>
        <search base="base_search">
          <query>
|stats count by attackData.rules{}.tag |sort - count |head 10</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Rule Messages</title>
      <table>
        <search base="base_search">
          <query>| stats count by attackData.rules{}.message  |sort - count |head 10</query>
        </search>
        <option name="dataOverlayMode">heatmap</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Rule Action by Count</title>
      <chart>
        <search base="base_search">
          <query> | stats count by attackData.rules{}.action |sort - count</query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.05</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Rule IDs Trend (5 min)</title>
      <chart>
        <search base="base_search">
          <query>
| timechart  count(attackData.rules{}.id) span=5min</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Status Code Trend</title>
      <chart>
        <search base="base_search">
          <query>
| stats count by httpMessage.status</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Top 10 IP Addresses</title>
      <chart>
        <search base="base_search">
          <query> | stats count by attackData.clientIP |sort - count |head 10</query>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Top 10 HTTP Path Details</title>
      <chart>
        <search base="base_search">
          <query>
| stats count by httpMessage.path |sort - count |head 10</query>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>HTTP Method Count</title>
      <chart>
        <search base="base_search">
          <query> | stats count by httpMessage.method |sort - count </query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
      </chart>
    </panel>
  </row>
</form>

ITWhisperer
SplunkTrust

You don't have any specific drilldown action configured which means you will just get a basic search. If you want something more tailored, you should define a panel or other dashboard with the search that you want executed when the drilldown is triggered, and then configure the drilldown to activate this panel.

tej57
Contributor

Hey @Karthikeya,

The other data is coming because of improper drilldown configuration. Can you share the dashboard source code here? Make sure to share it in a code block for better visibility.

Thanks,
Tejas. 


Karthikeya
Communicator

[screenshot: raw data (Karthikeya_3-1750836195457.png)]


Karthikeya
Communicator

[screenshot: dashboard panel (Karthikeya_1-1750835919799.png)]

 

The dashboard panel looks like this. But when they click on any value (e.g. alert), below is the data that comes back:

Ideally they want to see only the alert-related log, but the remaining 2 are also coming in the log.


tej57
Contributor

Hello @Karthikeya,

Can you share a screenshot of how the dashboard looks right now and how it should look ideally? I believe you can use the spath command to separate out each rule from the attackData and then use mvexpand. But to provide more context, I'll need some more information.

Thanks,
Tejas. 

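An added example, not code from this thread or from Splunk's Akamai add-on, that puts together the two pieces the replies point at: the spath + mvexpand split that tej57 mentions (so each rule in attackData.rules{} becomes its own row and can be filtered on its own message), and the dependent-panel drilldown ITWhisperer describes instead of a raw `search?q=` link. It assumes the same index, sourcetype and field names as the dashboard posted earlier in the thread; the token name clicked_message, the panel titles and the table columns are my own choices.

```xml
<form version="1.1" theme="light">
  <label>Akamai WAF - matching rule only (added example)</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="time">
      <label>Select Time Range</label>
      <default>
        <earliest>-5m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Rule Messages (click a row to drill down)</title>
      <table>
        <search>
          <query>index="waf_app_*" sourcetype=akamai_waf
| stats count by attackData.rules{}.message
| sort - count
| head 10</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <!-- For a table, $click.value$ is the first-column value of the clicked row,
               here the rule message. Setting the token reveals the panel below. -->
          <set token="clicked_message">$click.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <!-- Hidden until a message has been clicked (token name is my own choice) -->
    <panel depends="$clicked_message$">
      <title>Events where a rule matched "$clicked_message$" (only that rule shown)</title>
      <table>
        <search>
          <query>index="waf_app_*" sourcetype=akamai_waf
| spath path=attackData.rules{} output=rule
| mvexpand rule
| spath input=rule
| search message=$clicked_message|s$
| table _time attackData.clientIP httpMessage.path id tag action data message</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
```

The second query is also the one to use in the alert: `spath path=attackData.rules{} output=rule` pulls the array out as one multivalue field of JSON objects, `mvexpand rule` turns each object into its own row, and `spath input=rule` extracts `id`, `tag`, `action`, `data` and `message` from just that one rule, so the `search message=...` keeps only the rule the client asked for rather than the whole event with all four rules attached. The `|s` token filter wraps the clicked value in quotes and escapes any quotes inside it, so a message containing special characters cannot break the search. Two caveats: `mvexpand` is bounded by `max_mem_usage_mb` in limits.conf and will warn and drop rows on very large result sets, and `spath` only inspects the first `extraction_cutoff` bytes (5000 by default) of an event, so an event with many rules may need that limit raised.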