All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Hey dwaddle!! Please read this question one more time - How can i changed query in xml (eval ip_addr="\"".ip_addr."\"")

ilove275
Path Finder
‎10-09-2011 07:16 PM

This query is successively executed in Search bar. But It is not work in dashboard.
eval ip_addr="\"".ip_addr."\"" =>> How can i changed query in xml

i try to change that
eval ip_addr="\"".ip_addr."\"" => eval ip_addr="\"& quot;.ip_addr."\"& quot;

eval ip_addr="\"".ip_addr."\"" => eval ip_addr=& quot;\& quot;& quot;.ip_addr.& quot;\& quot;& quot;

index="01_firewall" sourcetype="01_firewall"
[search index=webping | rename ping_url as url| dedup url| fields url| search $url$
| join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time |rename ip_addr as search]
| fields SourceIP DestinationIP Count Action PacketSize 

        | eval ip_addr = [search index=webping | rename ping_url as url| dedup url| fields url| search $url$ 
        | join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time | fields ip_addr 
        | ***eval ip_addr="\"".ip_addr."\""*** | rename ip_addr as search]

        | search 
        | eval attackerIP=case(SourceIP==ip_addr , DestinationIP , DestinationIP==ip_addr  , SourceIP,1==1,"NOT") 
        |search NOT attackerIP="NOT" | geoip attackerIP | table attackerIP Count attackerIP_country_name Action PacketSize

=============================== dashboard xml==================================

<view template="dashboard.html">
  <module name="SideviewUtils" layoutPanel="appHeader" />
  <module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">index=webping sourcetype=webping | timechart span=2m avg(time_in_ms) as avg by ping_url | fields - OTHER</param>
    <param name="earliest">-1h</param>

    <module name="HiddenChartFormatter">
      <param name="charting.chart">line</param>

      <module name="JobProgressIndicator"/>

      <module name="FlashChart">
        <param name="width">100%</param>
        <param name="height">160px</param>
        <param name="enableResize">False</param>
    <!-- ==================================== ======================================================================================== -->
        <module name="Search">
          <param name="search">index="01_firewall" sourcetype="01_firewall" 
  [search index=webping | rename ping_url as url| dedup url| fields url| search $url$ 
  | join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time |rename ip_addr as search] 
  | fields SourceIP DestinationIP Count Action PacketSize 

  | eval ip_addr = [search index=webping | rename ping_url as url| dedup url| fields url| search $url$ 
  | join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time | fields ip_addr 
  | eval ip_addr="\"".ip_addr."\"" | rename ip_addr as search]

  | search 
  | eval attackerIP=case(SourceIP==ip_addr , DestinationIP , DestinationIP==ip_addr  , SourceIP,1==1,"NOT") 
  |search NOT attackerIP="NOT" | geoip attackerIP | table attackerIP Count attackerIP_country_name Action PacketSize
          </param>
          <param name="earliest">-15m</param>
          <module name="ConvertToIntention" layoutPanel="panel_row2_col2" group="Fire Wall">
            <param name="intention">
              <param name="name">stringreplace</param>
              <param name="arg">
                <param name="url">
                  <param name = "value">$click.name2$</param>
                </param>
              </param>
              <param name="flags"><list>indexed</list></param>
            </param>
            <module name="JobProgressIndicator"></module>
            <module name="SimpleResultsTable">
              <param name="count">20</param>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</view>
0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎01-03-2013 10:03 PM

I think the only problem is that you're using Sideview modules, but then you're still trying to use intentions. Sideview's Search module will do its own $foo$ replacement, and after that your stringreplace intention will have nowhere to go.

Fix is surprisingly simple.

1) Dont use the ConvertToIntention module at all. Delete it.

2) Just put $click.name2$ directly into the Search - dont use $url$ at all.

Here's a copy of the cleaned up XML. 

<view template="dashboard.html">
  <module name="SideviewUtils" layoutPanel="appHeader" />
  <module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">index=webping sourcetype=webping | timechart span=2m avg(time_in_ms) as avg by ping_url | fields - OTHER</param>
    <param name="earliest">-1h</param>

    <module name="JobProgressIndicator"/>

    <module name="HiddenChartFormatter">
      <param name="charting.chart">line</param>

      <module name="FlashChart">
        <param name="width">100%</param>
        <param name="height">160px</param>
        <param name="enableResize">False</param>

        <module name="Search">
          <param name="search">index="01_firewall" sourcetype="01_firewall" 
  [search index=webping | rename ping_url as url| dedup url| fields url| search $click.name2$ 
  | join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time |rename ip_addr as search] 
  | fields SourceIP DestinationIP Count Action PacketSize 

  | eval ip_addr = [search index=webping | rename ping_url as url| dedup url| fields url| search $url$ 
  | join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time | fields ip_addr 
  | eval ip_addr="\"".ip_addr."\"" | rename ip_addr as search]

  | search 
  | eval attackerIP=case(SourceIP==ip_addr , DestinationIP , DestinationIP==ip_addr  , SourceIP,1==1,"NOT") 
  |search NOT attackerIP="NOT" | geoip attackerIP | table attackerIP Count attackerIP_country_name Action PacketSize
          </param>
          <param name="earliest">-15m</param>

          <module name="JobProgressIndicator"></module>

          <module name="SimpleResultsTable">
            <param name="count">20</param>
          </module>
        </module>
      </module>
    </module>
  </module>
</view>

I have some other suggestions about your searches, although that's not what you're asking about --
Extra1: You might want to also rewrite your search that begins with:

[search index=webping | rename ping_url as url| dedup url| fields url| search $click.name2$

as

[search index=webping $click.name2$ | rename ping_url as url| dedup url| fields url

as this will have considerably better performance. The first version gets everything off disk and only then filters based on the searchterms. Actually if you're using a relatively recent 2.2.X version of Sideview Utils you can just use $click.searchTerms$ instead of $click.name2$

Bonus2: You may also want to think about rewriting this:

search index=webping $click.name2$ | rename ping_url as url| dedup url| fields url
| join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time |rename ip_addr as search]

as something more like:

search (index="webping" $click.searchTerms$ ) OR ( index="lookup" sourcetype="url_info" | stats last(ip_addr) as ip_addr by url | rename ip_addr as search

because as a disjunction it'll give you much better performance than join and you wont hit limits in number of rows or length of execution.

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎10-13-2011 08:27 PM

This stumps me. I've tried using your dashboard here on my test box, and I can't even get both panels to display. It might just be that I don't have the data to drive the drilldown or something. But, I'm just not sure if your view XML is 'correct'. For now, let's assume that it is, and the only problem is with your search.

As you know, certain characters are special to XML, and it gets fussy about using them in a general sense in the document. XML provides a special tag called CDATA that basically says "until you see the special end-of-CDATA sequence, anything goes. Treat it all as plain text and do not attempt to further parse." Lots of complex Splunk searches need to be wrapped in CDATA to work in the XML views.

Gkanapathy gives a simple example at http://splunk-base.splunk.com/answers/3435/escape-and-in-the-xml-of-dashboards but the basics of it are

<![CDATA[  --your search goes here-- ]]>

Try wrapping your search with CDATA tags and see if that makes it work. If not, I would highly suspect the design of your view.

Reply

lanying
Explorer
‎10-10-2011 07:36 PM

Now, Dashboard xml appended.

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎10-10-2011 12:35 PM

Can you post the XML from your dashboard / view where it contains your search?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...