Dashboards & Visualizations

How to copy paste values for multiselect input

riqbal47010
Path Finder

@niketnilay

I want to create an IOC detection dashboard. For that I have two solutions in mind:

1- use the threat intelligence framework
2- create a text input.

For the 2nd option, I am following @niketnilay's reply against the post: https://answers.splunk.com/answers/560149/how-to-add-a-list-input-to-a-splunk-dashboard.html

Below is my XML code:

<form>
  <label>Threat_Intelligance</label>
  <description>Include a multiselect input.</description>
  <fieldset autoRun="true" submitButton="false">
    <input type="text" token="ioc1" searchWhenChanged="true">
      <label>URL</label>
      <change>
        <condition match="len($value$)&gt;0">
          <eval token="ioc1">split($value$,",")</eval>
          <eval token="form.ioc1">split($value$,",")</eval>
        </condition>
      </change>
    </input>
    <input type="text" token="domain">
      <label>Domain - email Domain</label>
    </input>
    <input type="text" token="md5">
      <label>md5</label>
    </input>
    <input type="text" token="sha256">
      <label>sha256</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=proxy $ioc1$ </query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>
</form>

But there is no result.

My input is www.abc.com,www.xyz.com,www.aaa.com

0 Karma
1 Solution

niketn
Legend

@riqbal47010 in my example for question 560149, the Text Box sends the pasted comma separated value to the multi select, and then the multi select prepares the token to be passed to the Search Query.

In your case, do you want to copy paste the value to the text box which should pass over the value to the search? If so, what should be the final search filter to be used in the query?

The above is a simple, straightforward case (no need of processing by a multi select), where you need to process the input string and convert it to the required search filter token. This can be done either through an input change event handler or through an independent search that sets the final token for the filter to be used in the search query. Following is a run-anywhere example based on the details and sample code provided by you.
For example, the following input www.abc.com,www.xyz.com,www.aaa.com converts to the token src_ip IN ("www.abc.com","www.xyz.com","www.aaa.com").

PS: <panel><title> prints the value of $tokIOCFilter$ for test purposes, and the <default> value of the text box ioc1 has been set to *.

Please try out and confirm!

<form>
  <label>Threat_Intelligance</label>
  <description>Include a multiselect input.</description>
  <!-- Independent search to set the required filter from comma separated value in text box -->
  <!-- For example: www.abc.com,www.xyz.com,www.aaa.com converts to src_ip IN ("www.abc.com","www.xyz.com","www.aaa.com") -->
  <search>
    <query>| makeresults
| fields - _time
| eval iocFilter=$ioc1|s$
| eval iocFilter="src_ip IN (\"".replace(iocFilter,",","\",\"")."\")"
    </query>
    <done>
      <set token="tokIOCFilter">$result.iocFilter$</set>
    </done>
  </search>
  <fieldset autoRun="true" submitButton="false">
    <input type="text" token="ioc1" searchWhenChanged="true">
      <label>URL</label>
      <default>*</default>
    </input>
    <input type="text" token="domain">
      <label>Domain - email Domain</label>
    </input>
    <input type="text" token="md5">
      <label>md5</label>
    </input>
    <input type="text" token="sha256">
      <label>sha256</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>tokIOCFilter: $tokIOCFilter$</title>
      <event>
        <search>
          <query>index=proxy $tokIOCFilter$ </query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma

riqbal47010
Path Finder

In continuation of the above: actually, I want to build an IOC detection dashboard, where we look for:
1- URL
2- Domain names (email address). For the time being we need either the sender name or the complete sender email id
3- MD5
4- SHA-1|256
5- either external source or destination IP address

=================
Now if I want to check the 2nd OR 3rd OR 4th OR 5th value, how can I unset the previous token value?
For the 5th option, how can I achieve that if I put a public IP in the text box, the query will check it for both fields (either src OR dest)?

I really appreciate your support here.

0 Karma

niketn
Legend

@riqbal47010 you can code that using the <change> event handler for the specific input. Do you want to apply only one filter at a time, or all of them? If you want to set all of the filters then you will have an AND filter; if you want to apply a specific filter you can pass the value as default like "*" for all and run OR in your SPL (i.e. instead of unset, you should be setting the remaining filters to * or leaving them as previously selected, in case you default on Form Load), like:

URL="www.abcdef.com" OR MD5="*" OR SHA="*" etc

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
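As an added illustration (not code from this thread or from Splunk), the following Python models what the independent search in the accepted answer does with $ioc1|s$ and replace(), and extends it to the later src OR dest question: it trims whitespace around pasted commas, drops empty and duplicate entries, escapes embedded quotes so a pasted value cannot alter the generated search, and builds the either-side clause for a single IP. The sample inputs are constructed.

```python
# Constructed sample inputs (only www.abc.com etc. appear in the thread).
PASTED_URLS = "www.abc.com, www.xyz.com,www.aaa.com,,www.abc.com"
PASTED_IP = "203.0.113.7"


def split_pasted(value: str) -> list:
    """Split a pasted comma-separated IOC list. The dashboard's
    replace(iocFilter,",","\",\"") keeps surrounding spaces inside the
    quotes, so " www.xyz.com" would never match; trim, drop empties, dedupe."""
    seen = []
    for item in value.split(","):
        item = item.strip()
        if item and item not in seen:
            seen.append(item)
    return seen


def spl_quote(value: str) -> str:
    """Quote one value for SPL, escaping backslashes and double quotes so a
    pasted value cannot break out of the quoted string in the search."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def in_filter(field: str, pasted: str) -> str:
    """Equivalent of the thread's
    eval iocFilter="src_ip IN (\"".replace(iocFilter,",","\",\"")."\")"
    An empty or "*" input yields the match-all filter produced by <default>*</default>."""
    values = split_pasted(pasted)
    if not values or values == ["*"]:
        return f'{field} IN ("*")'
    return f"{field} IN ({','.join(spl_quote(v) for v in values)})"


def either_side_filter(fields, pasted: str) -> str:
    """5th option from the thread: one pasted IP checked against src OR dest."""
    return "(" + " OR ".join(in_filter(f, pasted) for f in fields) + ")"


if __name__ == "__main__":
    print(in_filter("url", PASTED_URLS))
    print(either_side_filter(["src_ip", "dest_ip"], PASTED_IP))
```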

riqbal47010
Path Finder

Initially I don't want to load any search query OR text value output.
Once I put comma separated input into any box (URL OR MD5 OR SHA) then the search panel appears and shows me the results, and when I input the 2nd panel then the search window refreshes and shows me the results accordingly. Further to that, each requested value is in a different index, e.g. URL in index=proxy, MD5 in index=antivirus and so on.
I have done some work, but both search windows appear: one window with the default time shows all results, and the other with input also searches and shows the results.
Below is my updated code.

<form>
  <label>test dashboard_tokens</label>
  <description>Include a multiselect input.</description>
  <!-- Independent search to set the required filter from comma separated value in text box -->
  <!-- For example: www.abc.com,www.xyz.com,www.aaa.com converts to src_ip IN ("www.abc.com","www.xyz.com","www.aaa.com") -->
  <search>
    <query>| makeresults
  | fields - _time
  | eval iocFilter=$ioc1|s$
  | eval md5Filter=$md5|s$
  | eval iocFilter="url IN (\"".replace(iocFilter,",","\",\"")."\")"
  | eval md5Filter="process_md5 IN (\"".replace(md5Filter,",","\",\"")."\")"
      </query>
    <done>
      <set token="tokIOCFilter">$result.iocFilter$</set>
      <set token="tokmd5Filter">$result.md5Filter$</set>
    </done>
  </search>
  <fieldset autoRun="true" submitButton="true">


    <input type="text" token="ioc1" searchWhenChanged="true">
      <label>URL</label>
      <default>*</default>
    </input>


    <input type="text" token="md5" searchWhenChanged="true">
      <label>md5</label>
       <default>*</default>
    </input>

    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-1s@s</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>tokIOCFilter: $tokIOCFilter$</title>
      <event>
        <search>
          <query>index=proxy $tokIOCFilter$</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>

    <panel>
      <title>tokmd5Filter: $tokmd5Filter$</title>
      <event>
        <search>
          <query> index=edr $tokmd5Filter$ </query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>

  </row>
</form>
0 Karma

riqbal47010
Path Finder

hi Nike,

Thanks for your valuable feedback.

Below is my updated code:

<form>
   <label>Threat_Intelligance</label>
   <description>Include a multiselect input.</description>
   <!-- Independent search to set the required filter from comma separated value in text box -->
   <!-- For example: www.abc.com,www.xyz.com,www.aaa.com converts to src_ip IN ("www.abc.com","www.xyz.com","www.aaa.com") -->
   <search>
     <query>| makeresults
 | fields - _time
 | eval iocFilter=$ioc1|s$
 | eval iocFilter="url IN (\"".replace(iocFilter,",","\",\"")."\")"
     </query>
     <done>
       <set token="tokIOCFilter">$result.iocFilter$</set>
     </done>
   </search>
   <fieldset autoRun="true" submitButton="false">
     <input type="text" token="ioc1" searchWhenChanged="true">
       <label>URL</label>
       <default>*</default>
     </input>
     <input type="text" token="domain">
       <label>Domain - email Domain</label>
     </input>
     <input type="text" token="md5">
       <label>md5</label>
     </input>
     <input type="text" token="sha256">
       <label>sha256</label>
     </input>
   </fieldset>
   <row>
     <panel>
       <title>tokIOCFilter: $tokIOCFilter$</title>
       <event>
         <search>
           <query>index=proxy $tokIOCFilter$ </query>
           <earliest>-24h</earliest>
           <latest>now</latest>
         </search>
       </event>
     </panel>
   </row>
 </form>

===============
It worked as expected... thanks

0 Karma

niketn
Legend

What happens when you run

  index=proxy url=*
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

riqbal47010
Path Finder

🙂 it gives me the results

0 Karma

niketn
Legend

What is the value of tokIOCFilter printed in the panel title? Is your issue resolved, or are you still facing an issue with the solution provided?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

riqbal47010
Path Finder

It is showing me the value. Thanks for your support. I have already accepted your answer.
Can you please support me with the below:
In continuation of the above: actually, I want to build an IOC detection dashboard, where we look for:
1- URL
2- Domain names (email address). For the time being we need either the sender name or the complete sender email id
3- MD5
4- SHA-1|256
5- either external source or destination IP address

=================
Now if I want to check the 2nd OR 3rd OR 4th OR 5th value, how can I unset the previous token value?
For the 5th option, how can I achieve that if I put a public IP in the text box, the query will check it for both fields (either src OR dest)?

I really appreciate your support here.

0 Karma