I have multiple input text boxes with comma separated input text values.
Below is my requirement.
Box1 has domain names, e.g. (www.abc.com, www.xyz.com)
Box2 has multiple MD5 hashes ('sdfsdfsdfsdf6546545645646','6564654654564654654564sd')
Now I want that if I put comma separated input into the Box1 text box, it should open a search panel and show me the results,
and if I copy comma separated MD5 hashes into the Box2 text box, then panel1 should show me the results from Box2,
and if there is no input at all in both input boxes, then the search panel should also disappear and no search should run in the background.
<form>
  <label>Threat_Intelligance</label>
  <description>Include a multiselect input.</description>
  <!-- Independent search to set the required filter from comma separated value in text box -->
  <!-- For example: www.abc.com,www.xyz.com,www.aaa.com converts to src_ip IN ("www.abc.com","www.xyz.com","www.aaa.com") -->
  <search>
    <query>| makeresults
| fields - _time
| eval iocFilter=$ioc1|s$
| eval md5Filter=$md5|s$
| eval iocFilter="url IN (\"".replace(iocFilter,",","\",\"")."\")"
| eval md5Filter="process_md5 IN (\"".replace(md5Filter,",","\",\"")."\")"
    </query>
    <done>
      <set token="tokIOCFilter">$result.iocFilter$</set>
      <set token="tokmd5Filter">$result.md5Filter$</set>
    </done>
  </search>
  <fieldset autoRun="true" submitButton="true">
    <input type="text" token="ioc1" searchWhenChanged="true">
      <label>URL</label>
      <change>
        <condition>
          <set token="tokIOCFilter">$result.iocFilter$</set>
        </condition>
      </change>
    </input>
    <input type="text" token="md5">
      <label>md5</label>
      <change>
        <condition>
          <set token="tokmd5Filter">$result.md5Filter$</set>
        </condition>
      </change>
    </input>
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=proxy OR index=edr ($tokIOCFilter$ OR $tokmd5Filter$)</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>
You are doing waaaaaaaaaaaaaay too much work. First of all, I think your modification from OR to IN is silly, and that was the beginning of all of your problems. But presuming that you have some need for this, I have made that work (again, without that, your dashboard would have been brain-dead simple and worked on the first try):
<form>
  <label>Threat_Intelligance</label>
  <description>Include a multiselect input.</description>
  <fieldset autoRun="true" submitButton="true">
    <input type="text" token="ioc1">
      <label>URL</label>
      <change>
        <condition match="len($value$)==0">
          <unset token="ioc1"></unset>
        </condition>
        <condition>
          <eval token="ioc1">"url IN (\"" . replace($value$, ",", "\", \"") . "\")"</eval>
        </condition>
      </change>
    </input>
    <input type="text" token="md5">
      <label>md5</label>
      <change>
        <condition match="len($value$)==0">
          <unset token="md5"></unset>
        </condition>
        <condition>
          <eval token="md5">"process_md5 IN (\"" . replace($value$, ",", "\", \"") . "\")"</eval>
        </condition>
      </change>
    </input>
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row depends="$ioc1$ $md5$">
    <panel>
      <title>ioc1="$ioc1$", md5="$md5$"</title>
      <event>
        <search>
          <query>index=proxy OR index=edr ($ioc1$ OR $md5$)</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>
Personally, I would ditch the Submit button and set everything else to searchWhenChanged=true.
Hi wood,
That's an interesting approach.
I found that when I give input in both text boxes then results appear, whereas I need one input at a time.
I believe the parameters below are causing this.
<row depends="$ioc1$ $md5$">
How can we fix this?
@riqbal47010 Can you try the following steps one by one:
1. Add searchWhenChanged="true" to the md5 text box.
2. Remove the Submit button, i.e. submitButton="false".
If the token behavior is still not as expected please let us know which scenario does not work (expected behavior vs actual behavior).
Also refer to one of my older answers to understand Default and Submitted token models in Splunk: https://answers.splunk.com/answers/742451/searchwhenchangedfalse-not-honored-1.html
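An added example, not part of the original thread and not wood's or the asker's dashboard: it combines the two steps above (searchWhenChanged on both boxes, no Submit button) with the change the follow-up asks for, giving each token its own row so that either box alone drives a search and neither box filled in leaves both rows hidden with no search running. It assumes the same indexes (proxy, edr) and field names (url, process_md5) as the dashboards above; the whitespace-tolerant replace() pattern and the regex check that only a list of 32-hex-character MD5s reaches the search string are assumptions of this example, not something the thread states.

```xml
<form>
  <label>Threat_Intelligance (one input at a time)</label>
  <!-- Added example, not the original poster's or wood's dashboard.
       Assumed: same indexes (proxy, edr) and fields (url, process_md5) as above. -->
  <fieldset autoRun="true" submitButton="false">
    <input type="text" token="ioc1" searchWhenChanged="true">
      <label>URL</label>
      <change>
        <!-- Empty box: drop the token so the URL row hides and no search runs -->
        <condition match="len($value$)==0">
          <unset token="ioc1"></unset>
        </condition>
        <!-- Otherwise build the IN clause; the regex tolerates spaces around commas -->
        <condition>
          <eval token="ioc1">"url IN (\"" . replace(trim($value$), "\s*,\s*", "\", \"") . "\")"</eval>
        </condition>
      </change>
    </input>
    <input type="text" token="md5" searchWhenChanged="true">
      <label>md5</label>
      <change>
        <condition match="len($value$)==0">
          <unset token="md5"></unset>
        </condition>
        <!-- Assumed check: accept only a comma-separated list of 32-hex-char MD5s,
             so stray quotes or operators never become part of the search string -->
        <condition match="match($value$, &quot;^\s*[0-9a-fA-F]{32}(\s*,\s*[0-9a-fA-F]{32})*\s*$&quot;)">
          <eval token="md5">"process_md5 IN (\"" . replace(trim($value$), "\s*,\s*", "\", \"") . "\")"</eval>
        </condition>
        <!-- Anything else is treated like empty input: token unset, row hidden -->
        <condition>
          <unset token="md5"></unset>
        </condition>
      </change>
    </input>
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <!-- One row per token: each row depends on exactly one token, so it is shown and
       its search runs as soon as that box alone has a value -->
  <row depends="$ioc1$">
    <panel>
      <title>URL matches: $ioc1$</title>
      <event>
        <search>
          <query>index=proxy OR index=edr $ioc1$</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
  <row depends="$md5$">
    <panel>
      <title>MD5 matches: $md5$</title>
      <event>
        <search>
          <query>index=proxy OR index=edr $md5$</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>
```

With depends listing a single token per row, the "both boxes must be filled" behaviour of `depends="$ioc1$ $md5$"` goes away: typing into one box shows only that row, and clearing it unsets the token again, which hides the row and stops the search. If only one of the two boxes should ever be active at a time, a `rejects="$md5$"` on the URL row (and `rejects="$ioc1$"` on the MD5 row) hides each row while the other token is set.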
This works at last.