Dashboards & Visualizations

Need help editing custom drilldown time range of events

jcorkey
Explorer

Below is my drilldown code:

<drilldown>
  <condition field="Switched to different user account">
    <set token="user">$click.value$</set>
    <link target="_blank">search?q=index="*" host="*" sourcetype="*" "su:" "session opened for user" | rex "by (%3F&lt;SU&gt;[^(]%2b)" | search SU="$user$" | table _time, SU, user | rename SU as "User", user as "Switched to user"&amp;earliest=-168h@h&amp;latest=now</link>
  </condition>
  <condition field="Added new user to group">
    <set token="user">$click.value$</set>
    <link target="_blank">search?q=index="*" host="*" sourcetype="*" user=$user$ "usermod" OR "visudo" AND "type=USER_MGMT" add-user-to-shadow-group | table _time, user, acct, grp | rename acct as "Added to group", grp as "group"&amp;earliest=-168h@h&amp;latest=now</link>
  </condition>
  <condition field="Created new user">
    <set token="user">$click.value$</set>
    <link target="_blank">search?q=index="*" host="*" sourcetype="*" user=$user$ useradd  "type=ADD_GROUP" | table _time, user, acct | rename acct as "Created user"&amp;earliest=-168h@h&amp;latest=now</link>
  </condition>
  <condition field="Executed sudo command">
    <set token="user">$click.value$</set>
    <link target="_blank">search?q=index=* sourcetype=* type="USER_CMD" host=* user=$user$ (action=success OR action=failure OR action=unknown) * | table _time host user cwd command action&amp;earliest=-168h@h&amp;latest=now</link>
  </condition>
  <condition>
    <!-- Optional No Drilldown from other columns-->
  </condition>
</drilldown>

Right now you can see that the time range in this code is &amp;earliest=-168h@h&amp;latest=now, AKA the last 7 days.
But how do I make this time range based on whatever the time range is set to on the visualization chart before an item is clicked and this drilldown code is executed? I don't want a set time range hard-coded into the drilldown code like it is here; I want it to be whatever it is set to on the panel where my visualization chart is.

How do I accomplish this?


niketn
Legend

In order to have earliest and latest time tokens available from the selected row, you would need to make sure they are present in your table's transforming command as well.

| stats min(_time) as earliestTime max(_time) as latestTime ....

Then you can use the <fields> simpleXML tag for the <table> to display only the required fields (i.e. hide the epoch time fields from display) and yet be able to use them as tokens.

<fields>user, "Switched to different user account","Added new user to group","Created new user"</fields>

Finally, in your <drilldown> event handler, use the tokens $row.earliestTime$ and $row.latestTime$. For example, one of the queries is modified as below:

<link target="_blank">search?q=index=* sourcetype=* type="USER_CMD" host=* user=$user$ (action=success OR action=failure OR action=unknown) * | table _time host user cwd command action&amp;earliest=$row.earliestTime$&amp;latest=$row.latestTime$</link>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
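Putting the three pieces of the answer above together, here is a complete panel as an added example (not code from the original post or from the Splunk docs). The base search, the category eval and the time input token are assumptions, since the question does not show the panel's own query; the example also bumps latestTime by one second because the latest= bound is exclusive, so the row's last event would otherwise drop out of the drilldown.

```xml
<dashboard>
  <label>User account changes (row-scoped drilldown)</label>
  <fieldset submitButton="false">
    <input type="time" token="time" searchWhenChanged="true">
      <label>Panel time range</label>
      <default><earliest>-7d@h</earliest><latest>now</latest></default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Assumed base search: each event is bucketed into the category that its
               drilldown query looks for, then stats keeps the row's own time span as
               epoch fields. latestTime gets +1 because latest= is exclusive. -->
          <query>index=* sourcetype=*
| eval category=case(match(_raw, "session opened for user"), "su",
                     match(_raw, "usermod|visudo"), "usermod",
                     match(_raw, "useradd"), "useradd",
                     type="USER_CMD", "sudo")
| where isnotnull(category)
| stats min(_time) as earliestTime max(_time) as latestTime
        count(eval(category="su")) as "Switched to different user account"
        count(eval(category="usermod")) as "Added new user to group"
        count(eval(category="useradd")) as "Created new user"
        count(eval(category="sudo")) as "Executed sudo command"
        by user
| eval latestTime=latestTime+1</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <!-- Epoch columns stay in the result set (so $row.earliestTime$ resolves) but are hidden. -->
        <fields>["user","Switched to different user account","Added new user to group","Created new user","Executed sudo command"]</fields>
        <drilldown>
          <condition field="Executed sudo command">
            <set token="user">$click.value$</set>
            <link target="_blank">search?q=index=* sourcetype=* type="USER_CMD" host=* user=$user$ (action=success OR action=failure OR action=unknown) | table _time host user cwd command action&amp;earliest=$row.earliestTime$&amp;latest=$row.latestTime$</link>
          </condition>
          <condition>
            <!-- no drilldown from other columns -->
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```

The other three conditions from the question follow the same pattern: keep their query text and replace the fixed earliest/latest with the $row.*$ tokens.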