Hello,
I'm trying to make a dashboard input that uses multiple values as input. I don't know how to make the query work properly. I am using eval to expand the values, but how do I use a token and implement it into my search?
Here is the query I have now:
-snip-
This doesn't work, by the way.
Does anyone know how to achieve my goal?
Thanks in advance!
Load the values into a lookup table. Use a multi-select input to load the lookup and format each value into a token. Add the token to a panel.
Take a look at the format command.

If you have a search that produces the field/value pairs that you are looking for, for example

    your search that produces events
    | table field1 field2

that produces this

    field1   field2
    value1a  value1b
    value2a  value2b
    ... and so on

Then if you send that data to | format, it comes out like this

    ( ( field1="value1a" AND field2="value1b" ) OR ( field1="value2a" AND field2="value2b" ) OR ... )

The format command is implicitly executed at the end of a subsearch, and passes the return value of the subsearch back outside the subsearch to allow you to create a complex search command.
I need to search in one field, for example called "CVE"; the user input into the dashboard would look like this:
2015-1212 OR 2015-2121 OR 2015-1122
I want them to be able to search for multiple CVE entries. Multi-select in dashboard form does not work.
Would format work for this?
You are defining tokens as text inputs? You can define a multi-valued input instead of a text box. Define a delimiter for your multi-valued input if any, and make use of the IN operator in your search query to compare the field with the multi-valued token.
From where are you currently getting the token values? Maybe a detailed example would help.
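As an added illustration of the two suggestions above (the | format clause from the subsearch answer and the IN operator with a delimited multi-select token), and not code from the thread or from Splunk itself, here is a small Python model that builds the same search strings from constructed sample rows. The field names QID, CVE and REFERENCE come from the thread; the backslash-escaping of embedded double quotes, and the comma as the multi-select delimiter, are assumptions of the example. The escaping is the part worth keeping in mind when a free-text token is spliced into a search: an unquoted value containing a quote or a wildcard can close the term early and widen the match.

```python
"""Model of the search strings produced by Splunk's `format` command and an
IN(...) clause built from a delimited multi-select token.

Added example for this thread, not Splunk code. Escaping of embedded quotes
is an assumption; the sample rows below are constructed.
"""


def quote(value: str) -> str:
    """Wrap a value in double quotes, escaping backslashes and quotes.

    Assumption of this example: the escaping keeps a value such as
    2015-1212" OR * from closing the quoted term and widening the search.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def format_rows(rows: list[dict[str, str]]) -> str:
    """Emit the ( ( f1="v" AND f2="v" ) OR ( ... ) ) clause that | format
    produces from a table of field/value pairs (one row = one AND group)."""
    groups = []
    for row in rows:
        terms = [f"{field}={quote(str(value))}" for field, value in row.items()]
        groups.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(groups) + " )"


def in_clause(field: str, token_value: str, delimiter: str = ",") -> str:
    """Turn a delimited multi-select token value into field IN ("a", "b", ...).

    Empty pieces (e.g. a trailing delimiter) are dropped; an empty token is
    rejected rather than silently producing a clause that matches nothing.
    """
    values = [v.strip() for v in token_value.split(delimiter) if v.strip()]
    if not values:
        raise ValueError("token expanded to no values")
    return f"{field} IN ({', '.join(quote(v) for v in values)})"


def build_search(qid: str, cve_token: str, ref: str) -> str:
    """Assemble the thread's `| search QID=... CVE=(...) REFERENCE=...` step,
    quoting each token and expanding the CVE token with IN."""
    return (f"search QID={quote(qid)} {in_clause('CVE', cve_token)} "
            f"REFERENCE={quote(ref)}")


if __name__ == "__main__":
    # Constructed sample rows mirroring the answer's field1/field2 table.
    sample_rows = [
        {"field1": "value1a", "field2": "value1b"},
        {"field1": "value2a", "field2": "value2b"},
    ]
    print(format_rows(sample_rows))
    # Constructed multi-select token value, comma-delimited.
    print(build_search("198877", "2015-1212,2015-2121,2015-1122", "AAA-1122-1"))
```

The format_rows output is what the subsearch hands back to the outer search, so it can stand in for the `$cve_id$` token when the CVE list lives in a lookup; in_clause is the shape you would get from a multi-select input feeding an IN operator.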
Hi, using multi-value doesn't work. It will say "Populating Fields" and then give an error that it can't populate. I've tried all different combinations and nothing is working.
Can you give some sample data?
Also more details on what input is being used (Simple XML code) and sample data for the input. What are the tokens $qid_text$ and $ref$? What is the CVE field (if it is from a lookup file, what are some of the sample values)?
Can you give sample data from stats to be displayed as your final output? You can mock /anonymize any sensitive information.
Sure.
CVE = 2015_1234
ID = 198877
Ref: AAA-1122-1
No, sorry, it's confidential. It has to do with virus signatures.
When you are doing | search QID=$qid_text$ CVE=($cve_id$) REFERENCE=$ref$
are all three fields present in every event?
Yes. Examples are:
CVE = 2015_1234
ID = 198877
Ref: AAA-1122-1