Splunk Enterprise Security

How to make a dashboard input to use multiple values as an input?

kokanne
Communicator

Hello,

I'm trying to make a dashboard input to use multiple values as input. I don't know how to make the query work properly. I am using eval to expand the values, but how do I use a token and implement it into my search?

Here is the query I have now:

-snip-
This doesn't work, by the way.
Does anyone know how to achieve my goal?

Thanks in advance!


landen99
Motivator

Load the values into a lookup table. Use a multi-select input to load the lookup and format each value into a token. Add the token to a panel.


DalJeanis
SplunkTrust

Take a look at the format command.

If you have a search that produces field/value pairs that you are looking for... for example

your search that produces events
| table field1 field2 

that produces this

field1   field2   
value1a  value1b
value2a  value2b
... and so on

Then if you send that data to | format, it comes out like this

( ( field1="value1a" AND field2="value1b" ) OR ( field1="value2a" AND field2="value2b" ) OR ... )

The format command is implicitly executed at the end of a subsearch, and passes the return value of the subsearch back outside the subsearch to allow you to create a complex search command.


kokanne
Communicator

I need to search in one field, for example called "CVE", the user input into the dashboard would look like this:

2015-1212 OR 2015-2121 OR 2015-1122

I want them to be able to search for multiple CVE entries. Multi-select in dashboard form does not work.

Would format work for this?


Vijeta
Influencer

You are defining tokens as text inputs? You can define a multi-valued input instead of a text box. Define a delimiter for your multi-valued input if any, and make use of the IN operator in your search query to compare the field with the multi-valued token.

From where are you currently getting the token values? May be a detailed example would help.

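An added example (not code from any of the posters) of a Simple XML form wired the way Vijeta describes: a multiselect input whose delimiter, value prefix/suffix and surrounding prefix/suffix build an `IN` clause that the panel search consumes. The index, sourcetype and lookup name are assumed placeholders; the token names come from the thread.

```xml
<form>
  <label>CVE search (added example)</label>
  <fieldset submitButton="false">
    <!-- Free-text inputs for the other two tokens used in the thread -->
    <input type="text" token="qid_text">
      <label>QID</label>
      <default>*</default>
    </input>
    <input type="text" token="ref">
      <label>Reference</label>
      <default>*</default>
    </input>
    <!-- Multi-select: each chosen value is wrapped in valuePrefix/valueSuffix,
         the values are joined with delimiter, and the whole list is wrapped
         in prefix/suffix. Selecting 2015_1234 and 2015_5678 expands $cve_id$ to:
           CVE IN ("2015_1234","2015_5678")                                   -->
    <input type="multiselect" token="cve_id" searchWhenChanged="true">
      <label>CVE</label>
      <!-- Static fallback so the panel still runs before anything is chosen -->
      <choice value="*">All</choice>
      <default>*</default>
      <!-- Dynamic choices; cve_lookup.csv and its CVE column are assumed -->
      <search>
        <query>| inputlookup cve_lookup.csv | stats count by CVE | fields CVE</query>
      </search>
      <fieldForLabel>CVE</fieldForLabel>
      <fieldForValue>CVE</fieldForValue>
      <prefix>CVE IN (</prefix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <suffix>)</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- The token already carries the field name and IN (...), so it is
               placed bare in the search instead of as CVE=($cve_id$) -->
          <query>index=vuln_scans sourcetype=scanner:findings QID=$qid_text$ REFERENCE=$ref$ $cve_id$
| stats count by QID CVE REFERENCE</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

If the populating search fails (the "Populating Fields" error mentioned later in the thread), run the `<query>` inside the `<search>` element on its own in the search bar first; the multiselect only shows values that search actually returns.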

kokanne
Communicator

Hi, using multi-value doesn't work. It will say "Populating Fields" and then give an error that it can't populate. I've tried all different combinations and nothing is working.


p_gurav
Champion

Can you give some sample data?


niketn
Legend

Also more details on what input is being used (Simple XML code) and sample data for the input. What are the tokens $qid_text$ and $ref$? What is the CVE field (if it is from a lookup file, what are some of the sample values)?

Can you give sample data from stats to be displayed as your final output? You can mock /anonymize any sensitive information.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

kokanne
Communicator

Sure.

CVE = 2015_1234
ID = 198877
Ref: AAA-1122-1


kokanne
Communicator

No, sorry, it's confidential. It has to do with virus signatures.


p_gurav
Champion

When you are doing | search QID=$qid_text$ CVE=($cve_id$) REFERENCE=$ref$, are all three fields present in every event?


kokanne
Communicator

Yes. Examples are:

CVE = 2015_1234
ID = 198877
Ref: AAA-1122-1
