Splunk Search

How to create and use a form input to run searches on data from multiple sources?

hartfoml
Motivator

I would like to create a look-up tool for my incident responders. they often only have an IP and I would like to be able to have a form search that they put the IP into to find all info about that IP

Items that should be displayed would include, but are not limited to

1) Last DNS record
2) Last DHCP record
3) Last VPN record
4) Last IDS record
5) Inventory database record
5a) use last login from inventory to look-up user info from people database
6) Scan Database Record
7) Last 5 firewall records
8) Last 5 proxy records
9) etc

Right now the analysts do this using the search app. I have all the searches and I know where all the data is. I just don't know how to use the form input to run multiple searches and present all the data in different windows that can be pivoted to the search all for more investigation.

Can anyone give me an example of how to do this? I mean other than buying the Enterprise Security App 🙂

Thanks in advance for your help.

Tags (3)
0 Karma
1 Solution

woodcock
Esteemed Legend

Start out in the search bar and create a search that shows a set of data for a particular IP address. Save this search as a Dashboard Panel on a new Dashboard ( Save as ). Keep doing this and adding new Dashboard Panels to the same Dashboard. Once you have all the Dashboard Panels hard-coded showing everything the way you like, then click "Edit Source" and change the top line from <dashboard> to <form> and the last line from </dashboard> to </form>. Then add this to the top part after the <label> line:

<fieldset autoRun="true" submitButton="false">
  <input type="text" token="ip_token">
    <label>IP Address</label>
    <default></default>
  </input>
  <input type="time" token="time_token" searchWhenChanged="true">
    <label>Select a time:</label>
    <default>Last 60 minutes</default>
  </input>
</fieldset>

Then find the search that populates each panel and replace your hard-coded IP address with the string $ip_token$ and change the time values for each search from whatever is there to $time_token.earliest$ and $time_token.latest$. Save and enjoy!

View solution in original post

DalJeanis
SplunkTrust
SplunkTrust

@hartfomi - if your question is resolved, please accept the answer that solved it. If none of them helped, then please let us know, or post your own solution and accept it if you solved the issue yourself.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Do have a look at Splunk 6.x Dashboard example app here https://splunkbase.splunk.com/app/1603/

This apps comes various examples of different Simple xml dashboards that you can create, one of which is "Form_Input_Elements" where you can setup your data inputs and use the input value to different visualization.

0 Karma

woodcock
Esteemed Legend

Start out in the search bar and create a search that shows a set of data for a particular IP address. Save this search as a Dashboard Panel on a new Dashboard ( Save as ). Keep doing this and adding new Dashboard Panels to the same Dashboard. Once you have all the Dashboard Panels hard-coded showing everything the way you like, then click "Edit Source" and change the top line from <dashboard> to <form> and the last line from </dashboard> to </form>. Then add this to the top part after the <label> line:

<fieldset autoRun="true" submitButton="false">
  <input type="text" token="ip_token">
    <label>IP Address</label>
    <default></default>
  </input>
  <input type="time" token="time_token" searchWhenChanged="true">
    <label>Select a time:</label>
    <default>Last 60 minutes</default>
  </input>
</fieldset>

Then find the search that populates each panel and replace your hard-coded IP address with the string $ip_token$ and change the time values for each search from whatever is there to $time_token.earliest$ and $time_token.latest$. Save and enjoy!

cpt12tech
Contributor

This is a brilliant idea. I have 26 outputlookup reports running on schedule to populate tables. When I restart splunk I lose the data until the schedule kicks in for those reports. I was running all those reports by clicking on each one in the "searches, reports and alerts" section to repopulate the lookup file. Never thought about adding all those into a dashboard as an inline search. Now all I have to do is open that dashboard, all the outputlookup reports run and my data is repopulated!

0 Karma

woodcock
Esteemed Legend

You should click Accept on the answer to close the question.

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...