If/Else Conditions in a Form Based on Dropdown Selection

jaywilwk
Engager

I've created a form that has a dropdown where users can select their sourcetype. Within each sourcetype, the fields are different. Is there a way for me to have the associated fields available based on the sourcetype that the user selects? If so how do I do this? Below is my form.

<form>
  <label>Threat Dashboard</label>
  <fieldset autoRun="false" submitButton="true">
    <input type="text" token="src_ip">
      <label>Source IP:</label>
      <default>*</default>
    </input>
    <input type="text" token="src_port">
      <label>Source Port:</label>
      <default>*</default>
    </input>
    <input type="text" token="dst_ip">
      <label>Destination IP:</label>
      <default>*</default>
    </input>
    <input type="text" token="dst_port">
      <label>Destination Port:</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="sourcetype">
      <label>Select Sourcetype:</label>
      <default>pan_traffic</default>
      <populatingSearch fieldForValue="sourcetype" fieldForLabel="sourcetype" earliest="-120m" latest="-90m">
        <![CDATA[index=* | stats count by sourcetype]]>
      </populatingSearch>
    </input>
    <input type="time" searchWhenChanged="false">
      <default>
        <earliestTime>-15m</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <table>
      <title>Investigate Source IP: $src_ip$</title>
      <searchString>sourcetype=$sourcetype$ src_ip=$src_ip$ dst_ip=$dst_ip$ src_port=$src_port$ dst_port=$dst_port$ | table src_ip, dst_ip, action, src_port, dst_port</searchString>
    </table>
  </row>
</form>
1 Solution

somesoni2
SplunkTrust

Try this in your searchString for the table.

  sourcetype=$sourcetype$ src_ip=$src_ip$ dst_ip=$dst_ip$ src_port=$src_port$ dst_port=$dst_port$
  | table [|stats count
           | eval search=case("$sourcetype$"="proxysg","src_ip, dst_ip, action",
                              "$sourcetype$"="pan_traffic","action, src_port, dst_port",
                              1=1,"src_ip, dst_ip, action, src_port, dst_port")
           | table search]

Update:

sourcetype=$sourcetype$  [|stats count | eval src_ip="$src_ip$" | eval dst_ip="$dst_ip$" 
| eval src_port="$src_port$" | eval dst_port="$dst_port$" | eval client_ip="$src_ip$" 
| eval dest_ip="$dst_ip$" | eval port=split("$src_port$,$dst_port$",",") | mvexpand port
| eval host=port
| table [|stats count| eval search=case(
"$sourcetype$"="proxysg","client_ip,dest_ip,port",
"$sourcetype$"="pan_traffic" OR "$sourcetype$"="pan_threat","src_ip, dst_ip,src_port,dst_port", 
"$sourcetype$"="ciscoios", "host" ,
1=1,"")  | table search] | format]
| table [|stats count| eval search=case(
"$sourcetype$"="proxysg","client_ip, dest_ip, action,port",
"$sourcetype$"="pan_traffic" OR "$sourcetype$"="pan_threat","src_ip,dst_ip,action,src_port,dst_port", 
"$sourcetype$"="ciscoios", "host,action,syslog_message" ,
1=1,"*")  | table search]

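The accepted answer builds both the filter and the column list inside subsearches that return a field named `search`, so the whole if/else lives in SPL. The dashboard below is an added example (not code from the thread or from Splunk) that does the same job with Simple XML `<change>`/`<condition>` handlers on the dropdown (available in Splunk 6.x and later, alongside the `<search><query>` syntax used here instead of the original `searchString`): the dropdown sets a `$fields$` token for the `table` columns and a `$filter_fields$` token naming the fields that should be filtered, and the subsearch with `format` turns the typed values into a properly quoted filter. The per-sourcetype field names (`client_ip`/`dest_ip`/`port` for proxysg, `src_ip`/`dst_ip`/`src_port`/`dst_port` for pan_traffic and pan_threat, `host`/`action`/`syslog_message` for ciscoios) are taken from the thread; that the change handler fires for the default selection when the dashboard loads is an assumption about the Splunk version in use. Two details matter for a security dashboard: the text inputs go through the `|s` token filter, which wraps the value in double quotes and escapes embedded quotes, so a value such as `* OR index=*` stays a literal string instead of widening the search (this does not bypass Splunk's role-based index permissions, but it stops a panel from silently showing more than its title claims), and the fallback `<condition>` keeps the query valid for any sourcetype the populating search returns that has no mapping yet.

```xml
<form>
  <label>Threat Dashboard (columns and filter chosen by sourcetype)</label>
  <fieldset autoRun="false" submitButton="true">
    <input type="text" token="src_ip">
      <label>Source IP:</label>
      <default>*</default>
    </input>
    <input type="text" token="dst_ip">
      <label>Destination IP:</label>
      <default>*</default>
    </input>
    <input type="text" token="src_port">
      <label>Source Port:</label>
      <default>*</default>
    </input>
    <input type="text" token="dst_port">
      <label>Destination Port:</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="sourcetype">
      <label>Select Sourcetype:</label>
      <default>pan_traffic</default>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>index=* | stats count by sourcetype</query>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </search>
      <!-- The if/else: on every selection change, set the column list ($fields$)
           and the list of fields the filter should be built from ($filter_fields$).
           Field names per sourcetype are the ones given in the thread. -->
      <change>
        <condition value="proxysg">
          <set token="fields">client_ip, dest_ip, action, port</set>
          <set token="filter_fields">client_ip, dest_ip, port</set>
        </condition>
        <condition value="pan_traffic">
          <set token="fields">src_ip, dst_ip, action, src_port, dst_port</set>
          <set token="filter_fields">src_ip, dst_ip, src_port, dst_port</set>
        </condition>
        <condition value="pan_threat">
          <set token="fields">src_ip, dst_ip, action, src_port, dst_port</set>
          <set token="filter_fields">src_ip, dst_ip, src_port, dst_port</set>
        </condition>
        <condition value="ciscoios">
          <set token="fields">host, action, syslog_message</set>
          <set token="filter_fields">host</set>
        </condition>
        <!-- Fallback for any other sourcetype the populating search returns:
             show everything and filter only on the (already selected) sourcetype. -->
        <condition>
          <set token="fields">*</set>
          <set token="filter_fields">sourcetype</set>
        </condition>
      </change>
    </input>
    <input type="time" token="time" searchWhenChanged="false">
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Investigate $sourcetype$: $src_ip$ to $dst_ip$</title>
        <search>
          <!-- The subsearch maps the four typed values onto every field name any
               sourcetype uses, keeps only the fields for the selected sourcetype,
               and lets format emit a quoted (field="value" AND ...) OR (...) clause.
               $token|s$ quotes and escapes the user input (assumed Splunk 6.x+). -->
          <query><![CDATA[
sourcetype=$sourcetype|s$
    [| makeresults
     | eval src_ip=$src_ip|s$, dst_ip=$dst_ip|s$, src_port=$src_port|s$, dst_port=$dst_port|s$
     | eval sourcetype=$sourcetype|s$, client_ip=src_ip, dest_ip=dst_ip
     | eval port=mvappend(src_port, dst_port) | mvexpand port
     | eval host=mvappend(src_ip, dst_ip) | mvexpand host
     | table $filter_fields$
     | dedup $filter_fields$
     | format]
| table $fields$
]]></query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

With the defaults and proxysg selected, the subsearch expands to `( ( client_ip="*" AND dest_ip="*" AND port="*" ) )`; with ciscoios and `10.1.1.1` / `10.2.2.2` typed into the IP boxes it expands to `( ( host="10.1.1.1" ) OR ( host="10.2.2.2" ) )`, which is the `host=src OR host=dst` filter asked for later in the thread. The `mvexpand` on `port` and `host` produces the OR branches; `dedup` collapses the duplicate rows for sourcetypes that use neither field. To check what actually ran, open the panel's search in the search page and read the expanded query in the Job Inspector.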

Lazarix
Communicator

You want something similar to this, I believe:

Possible Solution



jaywilwk
Engager

I tried adding an eval host=$src_ip$ but that didn't work. I've also tried going the eval split route like you did with the port splitting into src_port and dst_port.


jaywilwk
Engager

OK, when I did a search selecting ciscoios in the dropdown, the table returned results for all the fields except for the action field. Also, when I tried to do a search against a specific host in the Source IP: box, it just did an open search with all results.


somesoni2
SplunkTrust

Try that again now.


jaywilwk
Engager

I got a mismatched '[' error.


somesoni2
SplunkTrust

See if the updated answer looks ok.


jaywilwk
Engager

I was able to figure out most of it, but I can't get the action field to display. The fields for ciscoios would be host="$src_ip$" OR "$dst_ip$", and there is nothing for port. I would like to show syslog_message for the ciscoios sourcetype.


somesoni2
SplunkTrust

What are the filters for ciscoios (like for proxysg its client_ip="$src_ip$" dest_ip="$dst_ip$" port=$src_port$ OR port=$dst_port$)?


jaywilwk
Engager

Would it be possible for you to help me with the ciscoios one? The fields that I would like to display for ciscoios would be host and action.


jaywilwk
Engager

There's another sourcetype I wanted to add into this. It will be ciscoios and the fields that will show are host and action.


somesoni2
SplunkTrust

Just replace all instances of
"$sourcetype$"="pan_traffic"
with
"$sourcetype$"="pan_traffic" OR "$sourcetype$"="pan_threat"


jaywilwk
Engager

It worked. Greatly appreciate it. There's a pan_threat sourcetype available in the dropdown as well, and the fields are the same as pan_traffic, but I'm not getting any data when I select that as a sourcetype.


somesoni2
SplunkTrust

So if the search below returns results for you, then try the updated answer.

sourcetype=proxysg ( ( client_ip="*" AND dest_ip="*" AND port="*" ) OR ( client_ip="*" AND dest_ip="*" AND port="*" ) ) | table client_ip, dest_ip, action,port


jaywilwk
Engager

It doesn't return any data for me. The fields for proxysg are client_ip and dest_ip instead of src_ip and dst_ip.


somesoni2
SplunkTrust

I created the same dashboard (with my query) and the final query being executed (I can see results as I don't have the data) is below (for sourcetype selected as proxysg and all default dropdown values):

sourcetype=proxysg ( ( dst_ip="*" AND port="*" AND src_ip="*" ) OR ( dst_ip="*" AND port="*" AND src_ip="*" ) )
| table src_ip, dst_ip, action,port

can you validate if this query returns data for you?


jaywilwk
Engager

I get results back when I select pan_traffic as my sourcetype but nothing back when I select proxysg as my sourcetype from the dropdown.


somesoni2
SplunkTrust

Does this return records when either sourcetype is selected?

sourcetype=$sourcetype$ [|stats count | eval src_ip="$src_ip$" | eval dst_ip="$dst_ip$"
| eval src_port="$src_port$" | eval dst_port="$dst_port$" | eval port=split("$src_port$,$dst_port$",",") | mvexpand port
| table [|stats count| eval search=case(
"$sourcetype$"="proxysg","src_ip,dst_ip,port",
"$sourcetype$"="pan_traffic","src_ip, dst_ip,src_port,dst_port",
1=1,"") | table search] | format]


jaywilwk
Engager

I tried the update and I didn't get any results when proxysg was the sourcetype.


somesoni2
SplunkTrust

Try updated answer now.
