A thought by Jeff Stein
Tokens are a great way to engage your dashboard audience by allowing them to provide input on the value of data as well as dynamically filter visualizations. In addition to using tokens to guide the visualization of data on a dashboard, you can manipulate the tokens set on the dashboard and change the values associated with them.
Appending a string to a token on a dashboard can be as simple as adding the information after the token in your search query. For example, if you have a token that represents the first name of a person, say "Tom," you can add a domain after the token to search for an email address.
Email=$token$@securityinobscurity.com
At runtime this search will execute as:
Email=Tom@securityinobscurity.com
Be careful with how you leverage this technique, as it can have unintended consequences if you are using a multivalued token.
In our previous example, let's say that instead of having just one name for your input token, you were using a multivalued input with the following names:
Tom, Dick, Harry
Appending the same string of "@securityinobscurity.com" to the token in this scenario will result in:
Email=Tom, Dick, Harry@securityinobscurity.com
instead of what you are expecting:
Email=Tom@securityinobscurity.com, Dick@securityinobscurity.com, Harry@securityinobscurity.com
Copying values from an existing token can be useful on your dashboard for a variety of reasons. The most common one I leverage it for is when I want to work with a modified version of a token in addition to the original token. From your dashboard source, you will want to add a section to your <input> element to work with the original token. The syntax to do this will look like this:
<change>
<set token="temp_token">$original_token$</set>
</change>
Adding this into the source of your dashboard will allow you in
To address the shortcoming with multivalued tokens, modify the token itself rather than appending a string after it.
Removing part of a value can be useful to search for only that portion of the value. For example, if you have an email address and you only want to search for the prefix of the address, you can strip the unwanted portion using the Splunk query language. As we did when duplicating a token value, from your dashboard source you will use the <input> element to work with the token copy we created in the previous section and modify it. The syntax to strip out a partial value from the token will look something like this:
<change>
<set token="temp_token">$original_token$</set>
<eval token="stripped_token">replace($temp_token$,"@securityinobscurity.com", "")</eval>
</change>
Looking at the example, we first use <set token> to copy the original token value to a new token ($temp_token$). You then take that $temp_token$ and pass a portion of the value to a new token using the replace function inside <eval token>. This would result in turning Tom@securityinobscurity.com, Dick@securityinobscurity.com, Harry@securityinobscurity.com into Tom, Dick, Harry.
By leveraging the replace function you can add a value to a token just as we stripped a portion out above. In this example we will take the $stripped_token$ we just created and add the domain name back to the email addresses.
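<change>
<!-- Insert the domain before each ", " separator, then append it once more for the last name, which has no separator after it -->
<eval token="add_token">replace($stripped_token$, ", ", "@securityinobscurity.com, ") . "@securityinobscurity.com"</eval>
</change>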
The result of this would be to turn Tom, Dick, Harry into Tom@securityinobscurity.com, Dick@securityinobscurity.com, Harry@securityinobscurity.com.
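Simple XML can also attach a string to every value of a multivalued input at the point where the token is built, which avoids the appending pitfall described earlier without any replace() calls. The following is an added example, not code from the original post; the token name name_tok, the index mail and the choice values are assumptions made for illustration.

```xml
<form>
  <label>Email lookup (added example)</label>
  <fieldset submitButton="false">
    <!-- name_tok and the three choices are constructed for this example -->
    <input type="multiselect" token="name_tok" searchWhenChanged="true">
      <label>First name</label>
      <choice value="Tom">Tom</choice>
      <choice value="Dick">Dick</choice>
      <choice value="Harry">Harry</choice>
      <!-- valuePrefix and valueSuffix are applied to each selected value,
           so every name gets its own field name, quotes and domain -->
      <valuePrefix>Email="</valuePrefix>
      <valueSuffix>@securityinobscurity.com"</valueSuffix>
      <!-- delimiter is placed between the per-value expressions -->
      <delimiter> OR </delimiter>
      <!-- prefix and suffix wrap the combined expression once -->
      <prefix>(</prefix>
      <suffix>)</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- index=mail is an assumed index name; the token already
               carries the complete Email=... OR Email=... clause -->
          <query>index=mail $name_tok$ | stats count by Email</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the quotes are part of valuePrefix and valueSuffix, each selected value reaches the search as a quoted string rather than as bare text spliced into the query.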
Manipulating tokens can be a very useful trick for leveraging their full potential on a dashboard. By modifying the value represented in a token, you make it possible for a single input to create numerous tokens, each with a different value representation. This will not only help you better represent data on your dashboards but also improve the user experience by minimizing the input required from your users while maximizing the value of that input.