
Need help editing custom drilldown time range of events

jcorkey
Explorer

Below is my drilldown code:

<drilldown>
  <condition field="Switched to different user account">
    <set token="user">$click.value$</set>
    <link target="_blank">search?q=index="*" host="*" sourcetype="*" "su:" "session opened for user" | rex "by (%3F&lt;SU&gt;[^(]%2b)" | search SU="$user$" | table _time, SU, user | rename SU as "User", user as "Switched to user"&amp;earliest=-168h@h&amp;latest=now</link>
  </condition>
  <condition field="Added new user to group">
    <set token="user">$click.value$</set>
    <link target="_blank">search?q=index="*" host="*" sourcetype="*" user=$user$ "usermod" OR "visudo" AND "type=USER_MGMT" add-user-to-shadow-group | table _time, user, acct, grp | rename acct as "Added to group", grp as "group"&amp;earliest=-168h@h&amp;latest=now</link>
  </condition>
  <condition field="Created new user">
    <set token="user">$click.value$</set>
    <link target="_blank">search?q=index="*" host="*" sourcetype="*" user=$user$ useradd  "type=ADD_GROUP" | table _time, user, acct | rename acct as "Created user"&amp;earliest=-168h@h&amp;latest=now</link>
  </condition>
  <condition field="Executed sudo command">
    <set token="user">$click.value$</set>
    <link target="_blank">search?q=index=* sourcetype=* type="USER_CMD" host=* user=$user$ (action=success OR action=failure OR action=unknown) * | table _time host user cwd command action&amp;earliest=-168h@h&amp;latest=now</link>
  </condition>
  <condition>
    <!-- Optional No Drilldown from other columns-->
  </condition>
</drilldown>

Right now you can see that the time range in this code is &earliest=-168h@h&latest=now, AKA the last 7 days.
But how do I make this time range based on whatever the time range is set to on the visualization chart before an item is clicked and this drilldown code is executed? I don't want a set time range hard-coded into the drilldown code like it is here; I want it to be whatever it is set to on the panel where my visualization chart is.

How do I accomplish this?

0 Karma

niketn
Legend

In order to have earliest and latest time tokens available from the selected row, you would need to make sure they are present in your table's transforming command as well.

| stats min(_time) as earliestTime max(_time) as latestTime ....

Then you can use the <fields> Simple XML tag for the <table> to display only the required fields (i.e. hide the epoch time fields from display) and yet be able to use them as tokens.

<fields>user, "Switched to different user account","Added new user to group","Created new user"</fields>

Finally, in your <drilldown> event handler, use the tokens $row.earliestTime$ and $row.latestTime$. For example, one of the queries is modified as below:

<link target="_blank">search?q=index=* sourcetype=* type="USER_CMD" host=* user=$user$ (action=success OR action=failure OR action=unknown) * | table _time host user cwd command action&amp;earliest=$row.earliestTime$&amp;latest=$row.latestTime$</link>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
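Putting the three pieces of the answer together, here is a complete Simple XML form that wires the table search, the hidden time columns, the <fields> tag and the row-token drilldown into one panel. This is an added example, not the original poster's dashboard or niketn's exact code. It assumes a placeholder index "linux" and sourcetype "linux_secure" (the original searches use index="*" sourcetype="*"), a time picker with token "tp", and a base search that classifies the same four audit activities the question's drilldown conditions use. Because the base search is bounded by the time picker, the min/max _time carried into each row always lie inside the panel's range; the picker's own tokens ($tp.earliest$ and $tp.latest$) are shown in a comment as the alternative if the drilldown should use the panel range itself rather than the span of the clicked row's events.

```xml
<!-- Added example (not from the original post). Assumptions: index "linux",
     sourcetype "linux_secure" and the time-picker token "tp" are placeholders. -->
<form>
  <label>Linux account activity (drilldown inherits the row's time range)</label>
  <fieldset submitButton="false">
    <input type="time" token="tp" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Per-user activity counts. min(_time)/max(_time) are carried as
               extra columns so the drilldown can read them as $row.earliestTime$
               and $row.latestTime$ for the clicked row. -->
          <query>index="linux" sourcetype="linux_secure" user=*
| eval activity=case(
    match(_raw, "su:.*session opened for user"), "Switched to different user account",
    match(_raw, "type=USER_MGMT") AND match(_raw, "usermod|visudo"), "Added new user to group",
    match(_raw, "useradd") AND match(_raw, "type=ADD_GROUP"), "Created new user",
    match(_raw, "type=USER_CMD"), "Executed sudo command")
| where isnotnull(activity)
| stats count(eval(activity="Switched to different user account")) as "Switched to different user account",
        count(eval(activity="Added new user to group")) as "Added new user to group",
        count(eval(activity="Created new user")) as "Created new user",
        count(eval(activity="Executed sudo command")) as "Executed sudo command",
        min(_time) as earliestTime,
        max(_time) as latestTime
        by user</query>
          <!-- The panel itself follows the time picker -->
          <earliest>$tp.earliest$</earliest>
          <latest>$tp.latest$</latest>
        </search>
        <!-- Hide the epoch columns from display; they stay available as row tokens -->
        <fields>user, "Switched to different user account", "Added new user to group", "Created new user", "Executed sudo command"</fields>
        <drilldown>
          <!-- $click.value$ is the first-column (user) value of the clicked row.
               $row.earliestTime$ / $row.latestTime$ are that row's hidden epoch values.
               To use the panel's time picker range instead, replace them with
               $tp.earliest$ / $tp.latest$ in the link below. -->
          <condition field="Switched to different user account">
            <set token="user">$click.value$</set>
            <link target="_blank">search?q=index="linux" sourcetype="linux_secure" "su:" "session opened for user" | rex "by (?&lt;SU&gt;[^(]+)" | search SU="$user$" | table _time, SU, user | rename SU as "User", user as "Switched to user"&amp;earliest=$row.earliestTime$&amp;latest=$row.latestTime$</link>
          </condition>
          <condition field="Added new user to group">
            <set token="user">$click.value$</set>
            <link target="_blank">search?q=index="linux" sourcetype="linux_secure" user=$user$ ("usermod" OR "visudo") "type=USER_MGMT" | table _time, user, acct, grp | rename acct as "Added to group", grp as "group"&amp;earliest=$row.earliestTime$&amp;latest=$row.latestTime$</link>
          </condition>
          <condition field="Created new user">
            <set token="user">$click.value$</set>
            <link target="_blank">search?q=index="linux" sourcetype="linux_secure" user=$user$ useradd "type=ADD_GROUP" | table _time, user, acct | rename acct as "Created user"&amp;earliest=$row.earliestTime$&amp;latest=$row.latestTime$</link>
          </condition>
          <condition field="Executed sudo command">
            <set token="user">$click.value$</set>
            <link target="_blank">search?q=index="linux" sourcetype="linux_secure" type="USER_CMD" user=$user$ (action=success OR action=failure OR action=unknown) | table _time host user cwd command action&amp;earliest=$row.earliestTime$&amp;latest=$row.latestTime$</link>
          </condition>
          <condition>
            <!-- No drilldown from other columns -->
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</form>
```

Two things to check when adapting this: the `<fields>` list must name every column you want shown (any column left out, not just the epoch ones, is hidden), and the `earliest=`/`latest=` URL parameters accept the raw epoch values that min(_time) and max(_time) produce, so no conversion is needed in the drilldown link.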