A search inside a dashboard

jwhughes58 · ‎04-10-2017

All,

I have a dashboard that does a search via IP address. It has two fields, ip address and hostname. What I'm trying to do is take the hostname and search our assets table for the hostname and return the ip address to use in the search when the user enters a hostname instead of an ip address. The dashboard has the following:

<form script="autodiscover.js">
  <label>Entity Explorer JWH</label>
  <fieldset submitButton="true">
    <input type="text" token="input_ip">
      <label>Search Ip</label>
    </input>
    <input type="text" token="input_host">
      <label>Search Host</label>
    </input>
    <input type="time" token="timePicker">
      <label>Time Picker</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <search id="firewall">
    <query>index=firewall src_ip=$input_ip$</query>
    <earliest>$timePicker.earliest$</earliest>
    <latest>$timePicker.latest$</latest>
  </search>

Any ideas on how I can accomplish this?

TIA
Joe

jwhughes58 · ‎04-13-2017

Thanks @nikenilay. After rethinking I eventually used an input box that takes either ip or hostname. I then used a subsearch to find the ip even if given the ip. Not an elegant solution but it works.

niketn · ‎04-11-2017

UPDATED Answer to use two text boxes to perform host to IP lookup and IP override, since dropdown is not an option. Following is run anywhere search with host="test" and clientip="127.0.0.1". It has a dummy search to perform host to clientip lookup and set the Text Box with required IP to perform search. Replace search with your own lookup query. Please try out and let me know how it goes.

I have also used depends to hide panel until client ip is selected.

<form>
  <label>Host Client IP Lookup via Text Box No Dropdown</label>
  <fieldset submitButton="false">
    <!-- Text Box to Provide Host for Lookup-->
    <input type="text" token="selHost">
      <label>Select Host</label>
      <change>
        <set token="lookupHost">$value$</set>
      </change>
    </input>

    <!-- Text box to provide Client IP either through host lookup or directly-->
    <input type="text" token="selIP" searchWhenChanged="true">
      <label>Select IP</label>
      <change>
        <set token="searchIP">$value$</set>
      </change>
    </input>
  </fieldset>

<!-- Search selected host in the asset and return clientip-->
<search>
  <query>| makeresults
| eval host="Test"
| eval clientip="127.0.0.1"
| search host="$lookupHost$"
| table clientip</query>
  <finalized>
    <!-- If not match based on selected host then clear IP Text Box(default Client IP Code may go here -->
    <condition match="$job.resultCount$==0">
      <unset token="selIP"></unset>
      <unset token="form.selIP"></unset>
    </condition>
    <!-- Host Matched an IP set IP address -->
    <condition>
      <set token="selIP">$result.clientip$</set>
      <set token="form.selIP">$result.clientip$</set>
    </condition>
  </finalized>
</search>

  <row>
<!-- Hide Panel if Client IP is matched -->
    <panel depends="$selIP$">
      <table>
        <search>
          <query>index=_internal sourcetype=splunk_web_access clientip="$selIP$"
| stats count by host, clientip</query>
          <earliest>@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </table>
    </panel>
  </row>
</form>

@jwhughes58... Since you have an asset for mapping host to ip address (I am assuming a lookup table), you should consider using dropdown for host selection instead of text box. Host dropdown will allow you to run query to fetch host/ip mapping and use the same as label and value for the dropdown. If you are using lookup file you can consider inputlookup or lookup command for the same.

Refer to the following run anywhere example using Splunk _internal index and loopback address 127.0.0.1. This example uses clientip which will change to src_ip and makeresults command which will change with inputlookup for you.

<form>
  <label>Splunk Host IP Mapping via lookup</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="selHost">
      <label>Select Host</label>
      <change>
        <set token="selIP"></set>
        <set token="form.selIP"></set>
      </change>
      <choice value="*">All</choice>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>clientip</fieldForValue>
      <search>
        <query>| makeresults
| eval host="Test"
| eval clientip="127.0.0.1"
| table host, clientip</query>
      </search>
      <change>
        <set token="selIP">$value$</set>
        <set token="form.selIP">$value$</set>
      </change>
    </input>
    <input type="text" token="selIP" searchWhenChanged="true">
      <label>Select IP</label>
      <change>
        <set token="searchIP">$value$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunk_web_access clientip="$selIP$"
| stats count by host, clientip</query>
          <earliest>@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </table>
    </panel>
  </row>
</form>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jwhughes58 · ‎04-12-2017

@niketnilay Nice idea but it won't work with the data I have. There are almost 900,000 items that would be in the pulldown. I need to think more about the question.

niketn · ‎04-12-2017

@jwhughes58... I have updated my answer with text box for host instead of dropdown. I have moved search query from dropdown to a dummy search. Please see if it fits your needs and revert back!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

A search inside a dashboard

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life