- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Need help adding token to my custom drilldown
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below is my search on my dashboard:
| multisearch [search index=* host=* sourcetype="*" user="*" "type=ADD_USER" | eval rectype1="Created new user"] [search index=* host=* sourcetype="*" "usermod" AND "type=USER_MGMT" | eval rectype2="Added new user to group"] [search host="*" index="secure_logs" sourcetype=linux_secure "su:" "session opened for user" | eval Date=strftime(_time, "%Y/%m/%d") | rex "by (?<user>[^(]+)" | rex "^[^\)\n]*\):\s+\w+\s+\w+\s+\w+\s+\w+\s+(?P<userOfInterest>\w+)" | eval rectype3= "Switched to different user account"] | stats dc(rectype3) as "Switched to different user account" , dc(rectype2) as "Added new user to group", dc(rectype1) as "Created new user" by user
Below is my drilldown:
<drilldown>
<condition field="Switched to different user account">
<set token="user">$click.value2$</set>
<link target="_blank">search?q=host="*" index="*" user=$user$ sourcetype=linux_secure "su:" "session opened for user" | rex "by (%3F<user>[^(]%2b)" | rex "^[^\)\n]*\):\s%2b\w%2b\s%2b\w%2b\s%2b\w%2b\s%2b\w%2b\s%2b(%3FP<userOfInterest>\w%2b)" | table _time, userOfInterest, user | rename userOfInterest as "User", user as "Switched to user"&earliest=-4h@h&latest=now</link>
</condition>
<condition field="Added new user to group">
<set token="user">$click.value2$</set>
<link target="_blank">search?q=index=* host=* sourcetype="*" user=$user$ "usermod" OR "visudo" AND "type=USER_MGMT" add-user-to-shadow-group | table _time, user, acct, grp | rename acct as "Newly created user", grp as "Added to group"&earliest=-4h@h&latest=now</link>
</condition>
<condition field="Created new user">
<set token="user">$click.value2$</set>
<link target="_blank">search?q=index=* host=* sourcetype="*" user=$user$ useradd "type=ADD_USER" | rex "^[^=\n]*=(%3FP<userOfInterest>\w )" | table user, id | rename id as "Added user's id"&earliest=-4h@h&latest=now</link>
</condition>
<condition>
<!-- Optional No Drilldown from other columns-->
</condition>
</drilldown>
Right now the <set token="user">$click.value2$</set> in my drilldown grabs the values of the rectype in my search on click. I really need it to grab the value of the user which is how the stats chart is been listed "by user" at the end of my search string. I want to have the value instead of the rectype values that is gets when I click.
How can I accomplish this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try $row.user$ instead of $click.value2$ this should give you user for any value clicked on in the row.
http://docs.splunk.com/Documentation/Splunk/6.6.2/Viz/PanelreferenceforSimplifiedXML#event_2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try $row.user$ instead of $click.value2$ this should give you user for any value clicked on in the row.
http://docs.splunk.com/Documentation/Splunk/6.6.2/Viz/PanelreferenceforSimplifiedXML#event_2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have found the answer...Just had to use click.value instead of click.value2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't forget to upvote any helpful answers and either submit your own to Accept or Accept the one that really contained the heart of the answer, so that the question is closed.
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
