This query runs successfully in the search bar, but it does not work in the dashboard.
eval ip_addr="\"".ip_addr."\"" =>> How should I change this part of the query in the XML?
I tried changing it as follows:
eval ip_addr="\"".ip_addr."\"" => eval ip_addr="\"& quot;.ip_addr."\"& quot;
eval ip_addr="\"".ip_addr."\"" => eval ip_addr=& quot;\& quot;& quot;.ip_addr.& quot;\& quot;& quot;
index="01_firewall" sourcetype="01_firewall"
[search index=webping | rename ping_url as url| dedup url| fields url| search $url$
| join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time |rename ip_addr as search]
| fields SourceIP DestinationIP Count Action PacketSize
| eval ip_addr = [search index=webping | rename ping_url as url| dedup url| fields url| search $url$
| join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time | fields ip_addr
| ***eval ip_addr="\"".ip_addr."\""*** | rename ip_addr as search]
| search
| eval attackerIP=case(SourceIP==ip_addr , DestinationIP , DestinationIP==ip_addr , SourceIP,1==1,"NOT")
|search NOT attackerIP="NOT" | geoip attackerIP | table attackerIP Count attackerIP_country_name Action PacketSize
=============================== dashboard xml==================================
<view template="dashboard.html">
<!-- Advanced-XML view: a web-ping latency chart whose clicks feed a firewall search shown in a results table. -->
<module name="SideviewUtils" layoutPanel="appHeader" />
<!-- Runs automatically (autoRun="True") over the last hour: average time_in_ms per ping_url in 2-minute buckets. -->
<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
<param name="search">index=webping sourcetype=webping | timechart span=2m avg(time_in_ms) as avg by ping_url | fields - OTHER</param>
<param name="earliest">-1h</param>
<!-- Render the timechart as a line chart, 100% wide and 160px tall, with resizing disabled. -->
<module name="HiddenChartFormatter">
<param name="charting.chart">line</param>
<module name="JobProgressIndicator"/>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">160px</param>
<param name="enableResize">False</param>
<!-- ==================================== ======================================================================================== -->
<!-- Firewall search over the last 15 minutes. The $url$ token appears in both subsearches and has to be
     filled in before the search is dispatched. Each subsearch joins the URL against the url_info data and
     returns ip_addr renamed to "search"; the second one first wraps the value in double quotes so the outer
     eval receives it as a string literal. attackerIP is then whichever end of the flow is not that ip_addr;
     rows where neither SourceIP nor DestinationIP matches are tagged "NOT" and filtered out before geoip. -->
<module name="Search">
<param name="search">index="01_firewall" sourcetype="01_firewall"
[search index=webping | rename ping_url as url| dedup url| fields url| search $url$
| join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time |rename ip_addr as search]
| fields SourceIP DestinationIP Count Action PacketSize
| eval ip_addr = [search index=webping | rename ping_url as url| dedup url| fields url| search $url$
| join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time | fields ip_addr
| eval ip_addr="\"".ip_addr."\"" | rename ip_addr as search]
| search
| eval attackerIP=case(SourceIP==ip_addr , DestinationIP , DestinationIP==ip_addr , SourceIP,1==1,"NOT")
|search NOT attackerIP="NOT" | geoip attackerIP | table attackerIP Count attackerIP_country_name Action PacketSize
</param>
<param name="earliest">-15m</param>
<!-- stringreplace intention: supplies the "url" argument from $click.name2$.
     NOTE(review): this module is nested below the Search that references $url$; confirm the token
     actually has a value by the time that search is dispatched.
     NOTE(review): the clicked value is substituted into the search text as-is. It presumably is a
     ping_url series name from the chart above; confirm those values are constrained, because whatever
     they contain becomes part of the query that runs against the firewall index. -->
<module name="ConvertToIntention" layoutPanel="panel_row2_col2" group="Fire Wall">
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="url">
<param name = "value">$click.name2$</param>
</param>
</param>
<param name="flags"><list>indexed</list></param>
</param>
<!-- Job progress indicator, then a results table with count set to 20. -->
<module name="JobProgressIndicator"></module>
<module name="SimpleResultsTable">
<param name="count">20</param>
</module>
</module>
</module>
</module>
</module>
</module>
</view>