Splunk Search

Change destination search clicking on a pie report

pinzer
Path Finder

Hi all, I need to change the destination of a report when clicking on a pie slice of a pie report.

The query that I'm using to create the pie is this:

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security"| eval IP=case(sourcetype=="webseal_access", IP_Source, sourcetype=="wmi:wineventlog:security", Source_Network_Address) | search [search eventtype="searchIPS2" Direction="Inbound" Severity="Medium"  DestinationIP=* | fields DestinationIP | rename DestinationIP as IP | dedup IP] | stats count by IP | sort count desc

It shows a pie divided by IP with the count for each IP. Clicking on a slice of the pie shows the same query in another window with IP="1.2.3.4" appended. I need to automatically insert "| where " in this query before the IP="1.2.3.4".

Thanks to all who can help me


meenal901
Communicator

Hi,

You can use the drilldown tag to link to another page and use a new query. Here is an example for _internal logs; you can modify it for your data:

Dashboard-1: Pie chart:

pie

<panel>
  <chart>
    <searchString>index=_internal | stats count by sourcetype</searchString>
    <earliestTime>-4h@m</earliestTime>
    <latestTime>now</latestTime>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">pie</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
    <drilldown target="My new window">
      <link>pie_drilldown?sourcetype=$click.value$</link>
    </drilldown>
  </chart>
</panel>

Dashboard-2: Drilldown

$sourcetype$
pie_drilldown

<panel>
  <table>
    <title>Showing results for $sourcetype$</title>
    <searchString>index=_internal | search sourcetype=$sourcetype$ | stats count by source,host</searchString>
    <earliestTime>-4h@m</earliestTime>
    <latestTime>now</latestTime>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>
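Applying the two-dashboard drilldown from the answer above to the query in the question, as an added example (not code from either post): two Simple XML files whose dashboard ids (ip_pie, ip_pie_drilldown) and token name (ip) are assumed. The second dashboard quotes the incoming token with the |s filter, so a value arriving through the URL is treated as a literal IP rather than as search syntax.

```xml
<!-- File 1, dashboard id assumed "ip_pie": the asker's pie chart with a
     drilldown that hands the clicked slice (the IP) to a second dashboard. -->
<dashboard>
  <label>IP pie</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security"
| eval IP=case(sourcetype=="webseal_access", IP_Source, sourcetype=="wmi:wineventlog:security", Source_Network_Address)
| search [search eventtype="searchIPS2" Direction="Inbound" Severity="Medium" DestinationIP=*
          | fields DestinationIP | rename DestinationIP as IP | dedup IP]
| stats count by IP | sort count desc</query>
          <earliest>-4h@m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">all</option>
        <drilldown target="_blank">
          <!-- |u URL-encodes the slice label so it survives the query string -->
          <link>ip_pie_drilldown?ip=$click.value|u$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>

<!-- File 2, dashboard id assumed "ip_pie_drilldown": re-runs the base search
     and applies "| where IP=..." from the ip token set by the URL. The |s
     filter wraps the token in double quotes and escapes embedded quotes, so a
     hand-edited URL is treated as a literal value, not as extra SPL. -->
<dashboard>
  <label>IP drilldown</label>
  <row>
    <panel>
      <table>
        <title>Events for IP $ip$</title>
        <search>
          <query>sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security"
| eval IP=case(sourcetype=="webseal_access", IP_Source, sourcetype=="wmi:wineventlog:security", Source_Network_Address)
| where IP=$ip|s$
| table _time sourcetype IP</query>
          <earliest>-4h@m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Clicking the slice for 1.2.3.4 opens ip_pie_drilldown?ip=1.2.3.4, and the second search expands to `| where IP="1.2.3.4"`.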