Dashboards & Visualizations

How to implement a logic to build dashboard using the token as a common input field for all the panels?

Hemnaath
Motivator

Hi All,
Currently, I have been requested to build a dashboard to pull the IP address information from various sources of an index.
Based on the requirement, I have created two common input fields (a text input and a time picker input), using a token to sync the value to all the panels.

Dashboard Panel output Details:
1) Host Name (DNS resolved lookup)
2) DNS queries for this IP address
3) DHCP history for this IP address
4) Firewall log for this IP address
5) Proxy log for this IP address
6) Citrix connection for this IP address

All the above dashboard panels use different index details, but they have one field in common: "src".

Challenge: using the common field "src", I have passed the token value, but I am finding it difficult to get output for all six dashboard panels.

Example:

Suppose the IP address is 10.140.20.22. When this is applied in the input token and filtered with the time picker, I get output in some of the dashboard panels, while other panels show "No results found".

Query Details:
Dashboard 1:

index=network sourcetype=infoblox:network:dhcp src="$IP$" | dedup src | lookup dnslookup clientip as src OUTPUT clienthost as Hostname | table  Hostname

Dashboard 5:

index=application sourcetype=citrix:netscaler:syslog  | rex field=src "(?(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}))" | search src="$IP$" | rename src as Source |table Source Destination NatIP Vserver dvc 

In this panel, I get "No results found".

Exact requirement:

I need to know whether the logic of taking the common field "SRC" and passing the input value to this field is correct.

Kindly guide me on this.


xpac
SplunkTrust

Hey,

your regex/rex is broken.

You use rex field=src "(?(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}))".
When you put that regex into regex101.com, you'll see it's not valid.

So, let's start by fixing the regex - use rex "(?<src>(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}))".

I also removed the field=src part, because that tells rex which field to search in, not which field to extract to.
You most likely want to search in the complete event (which would be field=_raw, which is also the default for rex).

So, the line above should properly extract the IP address to the src field, and you should be able to search for it with your token.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

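A Simple XML skeleton for the dashboard described in the question, added here as an example (it is not the poster's dashboard): the text input and the time picker each set a token, every panel reads `$IP$` plus `$time.earliest$`/`$time.latest$`, and the Citrix panel uses the corrected named-group rex. Inside `<query>` the angle brackets of `(?<src>...)` must be written as `&lt;src&gt;`, otherwise the XML parser treats `<src>` as a tag and drops it, which leaves exactly the broken `(?(` form seen above.

```xml
<form>
  <label>IP address investigation (added example)</label>
  <!-- Two shared inputs: the IP token and the time-range token -->
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="IP">
      <label>IP address</label>
      <default>10.140.20.22</default>
    </input>
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Host name (DNS lookup)</title>
      <table>
        <search>
          <!-- src is already an extracted field in these DHCP events -->
          <query>index=network sourcetype=infoblox:network:dhcp src="$IP$"
| dedup src
| lookup dnslookup clientip as src OUTPUT clienthost as Hostname
| table Hostname</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Citrix connections</title>
      <table>
        <search>
          <!-- Named group pulls the IP out of _raw into src; dots are escaped so only a literal '.' matches -->
          <query>index=application sourcetype=citrix:netscaler:syslog
| rex "(?&lt;src&gt;\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| search src="$IP$"
| rename src as Source
| table Source Destination NatIP Vserver dvc</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The remaining four panels follow the same pattern: each query filters on `src="$IP$"` and inherits the time range from the `time` token, so a single submit drives all six.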