Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Nextbeat
Nextbeat
Path Finder
Member since:
11-17-2017
09-13-2023
Community Statistics
| Posts | 33 |
| Solutions | 0 |
| Karma Given | 120 |
| Karma Received | 1 |
| Member Since | 11-17-2017 |
Activity Feed
- Karma Re: How to get current GMT time? for to4kawa. 09-13-2023 07:48 AM
- Karma Re: Convert TimeFormat for bojanz. 09-13-2023 07:47 AM
- Karma Re: "In the last 30 Days" VS "Last 30 Days" for yannK. 10-25-2021 11:35 AM
- Karma Re: eval wildcards for lguinn2. 10-21-2021 03:22 PM
- Karma Re: what is the format to use for a date in a search / dashboard for yannK. 10-19-2021 02:17 PM
- Karma Re: How to format _time field in results email? for ziegfried. 10-19-2021 11:43 AM
- Karma Re: How to format _time field in results email? for southeringtonp. 10-19-2021 11:40 AM
- Karma Re: Capitalize the first character of a string value using eval or field format? for scentoni_splunk. 09-28-2021 02:48 PM
- Karma Re: Regex field != expression not matching for gvmorley. 08-30-2021 08:31 AM
- Karma Re: convert time format for kristian_kolb. 04-29-2021 10:35 AM
- Karma Re: Heatmap in Dashboard for sideview. 02-19-2021 05:39 AM
- Karma Re: case: defaulting to "value" rather than NULL for sowings. 12-28-2020 09:45 AM
- Karma Re: How to rotate a table using transpose, remove the first row, and rename the column headers? for acharlieh. 12-25-2020 12:27 PM
- Posted Re: Disable drilldown on specific cell in SimpleResultsTable on Dashboards & Visualizations. 12-01-2020 11:54 PM
- Karma Re: Prevent duplicate IP lookups by verifying it hasn't been used previously for Richfez. 10-13-2020 07:26 AM
- Posted Prevent duplicate IP lookups by verifying it hasn't been used previously on Splunk Search. 10-12-2020 03:35 PM
- Karma Re: Difference between last(X) and latest(X) for dart. 09-15-2020 02:56 PM
- Karma Re: Changing Time Format for micahkemp. 09-15-2020 02:18 PM
- Posted Re: In a dashboard, how can I remove the panels that say "No results found." with code or something equivalent on Dashboards & Visualizations. 09-02-2020 01:02 PM
- Posted Re: In a dashboard, how can I remove the panels that say "No results found." with code or something equivalent on Dashboards & Visualizations. 09-02-2020 12:58 PM
Topics I've Started
12-01-2020
11:54 PM
@mgranger1 it didn't work because the specific element needed to be used. I started by clicking on the Select an element in the page to inspect it DevTool (F12) feature and clicked on a _time value. For this example, the element was .table-drilldown>tbody>tr>td:hover { (*Hint* Highlight the field, once the desired hover element appears, right click the field, highlight the element reference, and you'll be able to copy it before disappearing). Hover color To get it to work, I didn't include the whole reference, but only entered td:hover { (notice #test was added and will be explained below). Hover color overwritten You would redo the process for the highlighted element to change the cursor. Highlight cursor Here is what both changes looked like after editing the XML (notice the cursor highlighted on the right): Highlight cursor overwritten The text color was changed to black, and the cursor was set to text. Now that you've seen the element style changes, let's take a look at the code. First I should mention adding a panel ID to prevent unwanted changes to the dashboard. Then use this ID along with the mentioned element above, so under <row><panel><html depends="$hiddenForCSS$"><style> I added #test td:hover {. After that, I added the desired style changes color: #000 and cursor: text. To make sure these modifications would take effect, at the end I added !important; to each of the lines. Finally, I ended the section with } </style></html></panel></row>. XML Code
... View more
10-12-2020
03:35 PM
Our department has created a Splunk integration that performs API lookups against IPQualityScore. One of our searches was augmented with the returned data by adding extra fields for context (fraud_score, recent_abuse, vpn, tor, etc.). Unfortunately, the integration doesn't keep the results, so I used outputlookup to store them. While we have a reasonable amount of API queries, I was trying to figure out a way to check if an IP was previously used, append the results and prevent a duplicate lookup if it was. Otherwise, perform the lookup and append the results. This was the query that was used: index=*_auth sourcetype="azure:aad:signin" userAgent=CBAInPROD riskEventTypes_v2{}=* 8.8.8.8
| rename authenticationDetails{}.succeeded as loginStatus,authenticationDetails{}.authenticationMethod as mfaAuthMethod,authenticationDetails{}.authenticationMethodDetail as mfaAuthDetail,status.additionalDetails as mfaResult,status.failureReason as failureReason,location.city as city,location.state as state,location.countryOrRegion as country,ipAddress as SourceIP,location as Location,userAgent as UserAgent,appDisplayName as Application,riskState as RiskState,riskEventTypes_v2{} as RiskEventType,riskLevelAggregated as RiskLevel,riskLevelDuringSignIn as SignInRisk,conditionalAccessStatus as Status
| eval mfaAuthDetail=if(mfaAuthDetail="","-",mfaAuthDetail),city=if(city=="","N/A",city),state=if(state=="","N/A",state),country=if(country=="","N/A",country),Location=city.", ".state.", ".country,User=if(isnull(userDisplayName),userPrincipalName,userDisplayName)
| fillnull value="-"
| stats count by User,SourceIP,Location,Application,UserAgent,RiskEventType,RiskState,RiskLevel,SignInRisk,Status
| fields - count
| lookup ipqs clientip as SourceIP
| outputlookup append=true override_if_empty=false ipqs.csv
| rename bot_status as Bot,city as City,country_code as Country,fraud_score as Fraud_Score,latitude as LAT,longitude as LONG,mobile as Mobile,proxy as Proxy,recent_abuse as Abuse,success as Success,tor as TOR,vpn as VPN
| table User,SourceIP,Location,Application,UserAgent,RiskEventType,RiskState,RiskLevel,SignInRisk,Status,
Bot,City,Country,Fraud_Score,LAT,LONG,Mobile,Proxy,Abuse,Success,TOR,VPN
| sort 0 User
... View more
Labels
- Labels:
-
lookup
09-02-2020
01:02 PM
For each visualization (table, chart, single, etc.), you'll need to add that code.
... View more
09-02-2020
12:58 PM
To get it to work, I had to add an unset condition along with a set conditional so that when it did find events, the table would appear: <table depends="$show_panel$">
<search>
<query></query>
<progress>
<condition match="'job.resultCount'==0">
<unset token="show_panel">true</unset>
</condition>
<condition>
<set token="show_panel"></set>
</condition>
</progress>
</search>
</table>
... View more
04-14-2020
09:39 AM
Thanks for reminding me that Sed can do this, but was originally curious about the eval way.
... View more
09-28-2019
08:08 AM
Here's a snippet of what I captured and used for the code:
Here's a screenshot of what it looks like before and after:
... View more
09-28-2019
08:01 AM
You only see the hover code if you place the mouse above the desired field and don't click on it. I had to use the screenshot key to capture the code. Here's another example:
<dashboard theme="dark">
<label>Test</label>
<row>
<panel>
<title>Test</title>
<table>
<search>
<query>sourcetype="WinEventLog:Security" | table _time ComputerName Account_Name EventCode</query>
<earliest>0</earliest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">all</option>
<drilldown>
<!--Disables the click function for the defined field, which directs to the search results-->
<condition field="ComputerName"></condition>
</drilldown>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
/* Add a dependency so that it won't be displayed in the dashboard */
<html depends="$hiddenForCSS$">
<style>
td.string.highlighted:hover {
/* Change from blue (#006ea) to black */
color: #000 !important;
/* Remove underline effect whenever mouse hovers above field */
text-decoration: none !important;
/* Change cursor effect from pointer to text */
cursor: text !important;
}
</style>
</html>
</panel>
</row>
</dashboard>
... View more
10-10-2018
07:18 AM
Sorry replying to an old post. Use the following:
<table>
<search>
<query></query>
</search>
<option name="drilldown">all</option>
<drilldown>
<!--Disables the action that brings up the search results for the whole table-->
<condition value="unused"></condition>
</drilldown>
</table>
Now you can define specific click functions without worrying about the default action. Just make sure that you place any other conditions above this one.
... View more
10-10-2018
06:14 AM
1 Karma
First use the answer above to disable a column's field:
<table>
<search>
<query></query>
</search>
<option name="drilldown">all</option>
<drilldown>
<!--Disables the click function for the defined field, which directs to the search results-->
<condition field="<column_name>"></condition>
</drilldown>
</table>
Then use HTML/CSS code to remove the style.
Before modifying the style within the SimpleXML editor for the dashboard (Edit > Edit Source XML):
1. Disable the field by using the example above.
2. Right click on a disabled field value.
3. Click on Inspect/Inspect Element (this should bring up the style for that field) and this should open up Developer Tools.
4. Click on the field that you are inspecting and this should bring up the CSS code that needs to be modified (if you didn't disable the field in step 1, you may be redirected to the search results).
5. Under Rules/Styles you should see something similar to (notice the word hover😞
.element1 .element2:hover {
color: #3863a0;
text-decoration: underline;
cursor: pointer;
}
6. Note the elements that are listed because you are going to use them.
7. Add HTML/CSS code to remove the style using the information from step 6.
Here's an example to remove the links for time from a list display table:
<panel>
/* Add a dependency so that it won't be displayed in the dashboard */
<html depends="$hiddenForCSS$">
<style>
.shared-eventsviewer .formated-time:hover {
/* Change from blue (#3863a0) to black */
color: #000 !important;
/* Remove underline effect whenever mouse hovers above field */
text-decoration: none !important;
/* Change cursor effect from pointer to text */
cursor: text !important;
}
</style>
</html>
</panel>
View this answer for making a global change that'll affect every dashboard:
https://answers.splunk.com/answers/330361/how-to-apply-custom-css-to-a-dashboard.html
... View more
09-10-2018
12:34 AM
Definitely better to define things that can't be controlled directly without accessing the backend.
... View more
06-02-2018
10:01 PM
Thanks for the help @jeffland
... View more
06-02-2018
09:58 PM
Thanks for the explanation!
... View more
05-29-2018
04:25 AM
I accepted your answer because there was no way to get my solution to work without the URLs being encoded. I hard-coded a table for the click functions and created a user definable post search panel below that. That way, users can still view the raw events, have click functions, and still have the option for running stats, creating a table, etc. Why is there a period between "ipinfo.io/" and $click.value2$? Also, why does the second click.value2 have no dollar signs, but quotes?
... View more
05-24-2018
06:23 AM
Thanks for the solution, but users would mostly view the events without adding tables or regex. I could hard code a solution, but the focus is more towards quick views. It's supposed to be a threat hunting panel to identify malicious events and pivot to other surrounding events that are related. I'm just adding features to help automate the process. Also, I'm using Splunk 6.3.1, so $token|n$ would not work. Finally, I currently don't have permissions to add JavaScript.
... View more
05-24-2018
05:51 AM
You can easily assign different targets to a single event if there are tokenized fields to work off of. This niche case seems harder because it requires assigning different click.value2 targets to raw events with undefined fields. It didn't matter if there were other conditions to follow. The target would always direct to the first link associated with the click.value2 based on previous trials. Maybe you can answer a semi-related question. Why does a query that was assigned through a text input process searches differently than actually running it within the search app? While searching through the search app, there are default fields that could be used as targets, but they are missing when trying to query off a text input.
... View more
