Dashboards & Visualizations

Tokens not propagating values

riqbal47010
Path Finder

I have multiple text input boxes with comma-separated input text values.

Below is my requirement.

Box1 has domain names, e.g. (www.abc.com, www.xyz.com)
Box2 has multiple MD5 hashes ('sdfsdfsdfsdf6546545645646','6564654654564654654564sd')
Now I want that if I put comma-separated input into the Box1 text box, it should open a search panel and show me the results,
and if I copy comma-separated MD5 hashes into the Box2 text box, then panel1 should show me the results from Box2,
and IF THERE IS NO INPUT AT ALL IN BOTH INPUT BOXES THEN THE SEARCH PANEL SHOULD ALSO DISAPPEAR AND NO SEARCH SHOULD RUN IN THE BACKGROUND.

<form>
  <label>Threat_Intelligance</label>
  <description>Include a multiselect input.</description>
  <!-- Independent search to set the required filter from comma separated value in text box -->
  <!-- For example: www.abc.com,www.xyz.com,www.aaa.com converts to src_ip IN ("www.abc.com","www.xyz.com","www.aaa.com") -->
  <search>
    <query>| makeresults
    | fields - _time
    | eval iocFilter=$ioc1|s$
    | eval md5Filter=$md5|s$
    | eval iocFilter="url IN (\"".replace(iocFilter,",","\",\"")."\")"
    | eval md5Filter="process_md5 IN (\"".replace(md5Filter,",","\",\"")."\")"
    </query>
    <done>
      <set token="tokIOCFilter">$result.iocFilter$</set>
      <set token="tokmd5Filter">$result.md5Filter$</set>
    </done>
  </search>
  <fieldset autoRun="true" submitButton="true">
    <input type="text" token="ioc1" searchWhenChanged="true">
      <label>URL</label>
      <change>
        <condition>
          <set token="tokIOCFilter">$result.iocFilter$</set>
        </condition>
      </change>
    </input>
    <input type="text" token="md5">
      <label>md5</label>
      <change>
        <condition>
          <set token="tokmd5Filter">$result.md5Filter$</set>
        </condition>
      </change>
    </input>
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=proxy OR index=edr ($tokIOCFilter$  OR $tokmd5Filter$)</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>
0 Karma

woodcock
Esteemed Legend

You are doing waaaaaaaaaaaaaay too much work. First of all, I think your modification from OR to IN is silly, and that was the beginning of all of your problems. But presuming that you have some need for this, I have made that work (again, without that, your dashboard would have been brain-dead simple and would have worked on the first try):

<form>
  <label>Threat_Intelligance</label>
  <description>Include a multiselect input.</description>
   <fieldset autoRun="true" submitButton="true">
    <input type="text" token="ioc1">
      <label>URL</label>
      <change>
        <condition match="len($value$)==0">
          <unset token="ioc1"></unset>
        </condition>
        <condition>
          <eval token="ioc1">&quot;url IN (\&quot;&quot; . replace($value$, &quot;,&quot;, &quot;\&quot;, \&quot;&quot;) . &quot;\&quot;)&quot;</eval>
        </condition>
      </change>
    </input>
    <input type="text" token="md5">
      <label>md5</label>
      <change>
        <condition match="len($value$)==0">
          <unset token="md5"></unset>
        </condition>
        <condition>
          <eval token="md5">&quot;process_md5 IN (\&quot;&quot; . replace($value$, &quot;,&quot;, &quot;\&quot;, \&quot;&quot;) . &quot;\&quot;)&quot;</eval>
        </condition>
      </change>
    </input>
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row depends="$ioc1$ $md5$">
    <panel>
      <title>ioc1="$ioc1$", md5="$md5$"</title>
      <event>
        <search>
          <query>index=proxy OR index=edr ($ioc1$  OR $md5$)</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

Personally, I would ditch the Submit button and set everything else to searchWhenChanged=true.
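One caveat on the two eval tokens above: they do a bare replace of `,` with `", "`, so a space after a comma in the pasted text ends up inside the next quoted literal (`"www.abc.com", " www.xyz.com"` no longer matches the second host), an empty item becomes `""`, and a stray double quote in the pasted text lands unescaped in the search string, where it can terminate the literal and append further search terms. The Python below is an added example, not code from this thread or from Splunk; it models what the tokens should evaluate to, with trimming, de-duplication, SPL quoting and per-box format checks, and returns None when nothing usable remains, which is the role of the `<unset>` in the change handler. The IOC formats (hostname, 32-hex MD5), the index names and the field names are assumptions carried over from the thread for illustration.

```python
import re
from typing import Callable, List, Optional

# Assumed IOC formats for this example: a hostname/FQDN (letters, digits,
# hyphens, dot-separated labels) and a 32-hex-digit MD5.  Adjust as needed.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"                       # overall length limit
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def is_hostname(value: str) -> bool:
    return HOSTNAME_RE.match(value) is not None


def is_md5(value: str) -> bool:
    return MD5_RE.match(value) is not None


def spl_quote(value: str) -> str:
    """Return value as a double-quoted SPL string literal.

    Backslash and double quote are escaped so a pasted value cannot close
    the literal and smuggle its own search terms into the query.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_in_clause(field: str, csv: str, valid: Callable[[str], bool]) -> Optional[str]:
    """Turn 'a, b,,a' into 'field IN ("a","b")'.

    Items are trimmed, blanks dropped and duplicates removed (first
    occurrence wins).  An item that fails `valid` raises ValueError instead
    of being spliced into the search.  None is returned when no item
    survives, the equivalent of the dashboard's <unset token=...>.
    """
    kept: List[str] = []
    for raw in csv.split(","):
        item = raw.strip()
        if not item:
            continue
        if not valid(item):
            raise ValueError(f"rejected {field} value: {item!r}")
        if item not in kept:
            kept.append(item)
    if not kept:
        return None
    return f"{field} IN ({','.join(spl_quote(v) for v in kept)})"


def build_search(url_csv: str, md5_csv: str) -> Optional[str]:
    """Assemble the panel's search from both boxes; None means run nothing.

    Either box may be empty: only the non-empty clauses are OR-ed together,
    and the index terms are parenthesised so precedence is explicit.
    Index and field names are the ones used in the thread (assumed here).
    """
    clauses = [
        c for c in (
            build_in_clause("url", url_csv, is_hostname),
            build_in_clause("process_md5", md5_csv, is_md5),
        ) if c is not None
    ]
    if not clauses:
        return None
    return "(index=proxy OR index=edr) (" + " OR ".join(clauses) + ")"


if __name__ == "__main__":
    # Constructed sample inputs, as a user might paste them into the boxes.
    print(build_search("www.abc.com, www.xyz.com,www.abc.com", ""))
    print(build_search("", " d41d8cd98f00b204e9800998ecf8427e "))
    print(build_search(" , ", ""))
    try:
        build_search('www.abc.com" OR index=*', "")
    except ValueError as err:
        print("rejected:", err)
```

The same three rules (trim each item, drop empties, escape or reject quotes) are what the `<eval>` expressions need to enforce before the token is interpolated into the panel search; the allow-list check is the cheapest of them, since a hostname or MD5 that fails its format regex is never worth searching for.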

riqbal47010
Path Finder

hi wood,

that's an interesting approach,
I found that when I give input in both text boxes then results appear, whereas I need one input at a time.
I believe the parameters below are causing this.

   <row depends="$ioc1$ $md5$">

How can we fix this?

0 Karma

niketn
Legend

@riqbal47010 Can you try the following steps one by one
1. Add searchWhenChanged="true" to md5 text box.
2. Remove Submit Button i.e. submitButton="false"

If the token behavior is still not as expected please let us know which scenario does not work (expected behavior vs actual behavior).

Also refer to one of my older answers to understand Default and Submitted token models in Splunk: https://answers.splunk.com/answers/742451/searchwhenchangedfalse-not-honored-1.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

riqbal47010
Path Finder

This works at last.

0 Karma