×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Manta_ray
Loves-to-Learn
Member since: ‎08-05-2023
‎08-09-2023
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-05-2023
View All

Re: How to correctly implement tokens in a base se...

by in Getting Data In
‎08-09-2023 02:16 AM
‎08-09-2023 02:16 AM
Thank You so much. you helped a lot ... View more

Re: How to correctly implement tokens in a base se...

by in Getting Data In
‎08-05-2023 12:33 PM
‎08-05-2023 12:33 PM
I'm trying to build a table that shows events from the "sourcetype=trendmicro:cloudone" Therefore I've created a base search that pulls the fields I want to show in the table. Then I created a search that searches from that base search data.  So far so good Later I wanted to add tokens that can filter trow IP and Hostname.  the tokens seems to filter the data but the selection of a value in the token box has no effect on the table in self. for example when I choose the token to filter "ip=xxx" it still shows all the other values such as  "ip=yyy" .... My intention was to create a dashboard that can show all the data from the source type and can also be filtered with tokens to show specific data like, hostname="something", shows all the traffics about the specific hostname ... View more

Re: How to correctly implement tokens in a base se...

by in Getting Data In
‎08-05-2023 04:49 AM
‎08-05-2023 04:49 AM
can you help and guide me on what to do differently in order to make it work?  ... View more

How to correctly implement tokens in a base search...

by in Getting Data In
‎08-05-2023 04:05 AM
‎08-05-2023 04:05 AM
Hey All,  I'm trying to implement tokens in my base-search dashboard. But it seems like when I'm changing the token value it has no effect on the actual table I'm using. I'll be glad if someone may have an idea of what needs to be changed in order for it to work. This is the Dashboard script:  <form version="1.1" theme="light"> <label>Cloud One V2</label> <search id="CloudOne_base"> <query>index=client* sourcetype=trendmicro:cloudone | fields _time bv_src_ip, bv_src_dvc_hostname, bv_user, name, bv_vendor_reason ,bv_severity, target, bv_vendor_result</query> <earliest>$_time.earliest$</earliest> <latest>$_time.latest$</latest> <refresh>2m</refresh> <refreshType>delay</refreshType> <done> <set token="bv_src_ip">$ip$</set> <set token="bv_src_dvc_hostname">$host$</set> <set token="bv_user">$user$</set> <set token="bv_severity">$severity$</set> </done> </search> <fieldset submitButton="false" autoRun="true"> <input type="time" token="_time"> <label>Time</label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> <input type="multiselect" token="ip" searchWhenChanged="true"> <label>Source IP</label> <choice value="*">*</choice> <valuePrefix>bv_src_ip="</valuePrefix> <valueSuffix>"</valueSuffix> <delimiter> OR </delimiter> <fieldForLabel>bv_src_ip</fieldForLabel> <fieldForValue>bv_src_ip</fieldForValue> <search base="CloudOne_base"> <query>| fields bv_src_ip | dedup bv_src_ip | sort bv_src_ip</query> </search> <default>*</default> <prefix>(</prefix> <suffix>)</suffix> <initialValue>*</initialValue> </input> <input type="multiselect" token="host" searchWhenChanged="true"> <label>Source Hostname</label> <choice value="*">*</choice> <default>*</default> <valuePrefix>bv_src_dvc_hostname="</valuePrefix> <valueSuffix>"</valueSuffix> <delimiter> OR </delimiter> <fieldForLabel>bv_src_dvc_hostname</fieldForLabel> <fieldForValue>bv_src_dvc_hostname</fieldForValue> <search base="CloudOne_base"> <query>| stats count by bv_src_dvc_hostname | dedup bv_src_dvc_hostname | sort bv_src_dvc_hostname</query> </search> <initialValue>*</initialValue> <prefix>(</prefix> <suffix>)</suffix> </input> <input type="multiselect" token="user" searchWhenChanged="true"> <label>User</label> <choice value="*">*</choice> <default>*</default> <valuePrefix>bv_user="</valuePrefix> <valueSuffix>"</valueSuffix> <delimiter> OR </delimiter> <fieldForLabel>bv_user</fieldForLabel> <fieldForValue>bv_user</fieldForValue> <search base="CloudOne_base"> <query>| stats count by bv_user | dedup bv_user | sort bv_user</query> </search> <initialValue>*</initialValue> </input> <input type="checkbox" token="severity" searchWhenChanged="true"> <label>Severity</label> <prefix>(</prefix> <suffix>)</suffix> <valuePrefix>bv_severity="</valuePrefix> <valueSuffix>"</valueSuffix> <delimiter> OR </delimiter> <fieldForLabel>bv_severity</fieldForLabel> <fieldForValue>bv_severity</fieldForValue> <search base="CloudOne_base"> <query>| stats count by bv_severity | dedup bv_severity | sort bv_severity</query> </search> <default>critical,high,informational,medium</default> <initialValue>critical,high,informational,medium</initialValue> </input> </fieldset> <row> <panel> <title>All Traffic Data</title> <table> <search base="CloudOne_base"> <query>| where bv_src_ip!="-" | table _time, bv_src_ip, bv_src_dvc_hostname, bv_user, name, bv_vendor_reason ,bv_severity, target, bv_vendor_result | rename bv_src_ip as "Source IP", bv_src_dvc_hostname as "Source Host". name as "Alert_Name", bv_vendor_reason as "Description", bv_severity as "Severity" , bv_user as "User", bv_vendor_result as "Full Description", target as "Target Host"</query> </search> <option name="count">20</option> <option name="dataOverlayMode">none</option> <option name="drilldown">cell</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> </form> ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-09-2023 05:36 AM