Solved: Why is drilldown from a table into another table b...

AbelCruz · ‎02-14-2018

Good morning

I am trying to drilldown from a table into another table based on the click value.
The new form does open but the value is not carried over from the previous table

"
McAfee

<panel>
  <table>
    <title>Host Threat correlation</title>
    <search>
      <query>sourcetype=McAfee_Virus_Threat_xml | rename "EPOEvents_TargetHostName" AS "Host Name" | dedup EPOEvents_ThreatName | rename "EPOEvents_ThreatName" AS "Threat Name" | rename "EPOEvents.ThreatType" AS "Threat Type" | rename "EPO_Events_ThreatHandled" AS "Action Taken" | replace "true" with "Contained" in "Action Taken" | table  "Threat Name" "Threat Type" "Action Taken" | sort by - "Threat Type"</query>
      <earliest>-30d@d</earliest>
      <latest>now</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">true</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">row</option>
    <option name="count">10</option>
    <drilldown>
      <link>
          /app/search/mcafee_test?
           search sourcetype=McAfee_Virus_Threat_xml EPOEvents_ThreatName=$click_value$ | stats count by EPOEvents_TargetHostName
        </link>
    </drilldown>
  </table>
</panel>

"

493669 · ‎02-14-2018

Hi @AbelCruz,
you need to use $click.value$ instead of $click_value$
so try this:-

<panel>
   <table>
     <title>Host Threat correlation</title>
     <search>
       <query>sourcetype=McAfee_Virus_Threat_xml | rename "EPOEvents_TargetHostName" AS "Host Name" | dedup EPOEvents_ThreatName | rename "EPOEvents_ThreatName" AS "Threat Name" | rename "EPOEvents.ThreatType" AS "Threat Type" | rename "EPO_Events_ThreatHandled" AS "Action Taken" | replace "true" with "Contained" in "Action Taken" | table  "Threat Name" "Threat Type" "Action Taken" | sort by - "Threat Type"</query>
       <earliest>-30d@d</earliest>
       <latest>now</latest>
     </search>
     <option name="wrap">true</option>
     <option name="rowNumbers">true</option>
     <option name="dataOverlayMode">none</option>
     <option name="drilldown">row</option>
     <option name="count">10</option>
     <drilldown>
       <link>
           /app/search/mcafee_test?
            search sourcetype=McAfee_Virus_Threat_xml EPOEvents_ThreatName=$click.value$ | stats count by EPOEvents_TargetHostName
         </link>
     </drilldown>
   </table>
 </panel>

View solution in original post

493669 · ‎02-14-2018

Hi @AbelCruz,
you need to use $click.value$ instead of $click_value$
so try this:-

<panel>
   <table>
     <title>Host Threat correlation</title>
     <search>
       <query>sourcetype=McAfee_Virus_Threat_xml | rename "EPOEvents_TargetHostName" AS "Host Name" | dedup EPOEvents_ThreatName | rename "EPOEvents_ThreatName" AS "Threat Name" | rename "EPOEvents.ThreatType" AS "Threat Type" | rename "EPO_Events_ThreatHandled" AS "Action Taken" | replace "true" with "Contained" in "Action Taken" | table  "Threat Name" "Threat Type" "Action Taken" | sort by - "Threat Type"</query>
       <earliest>-30d@d</earliest>
       <latest>now</latest>
     </search>
     <option name="wrap">true</option>
     <option name="rowNumbers">true</option>
     <option name="dataOverlayMode">none</option>
     <option name="drilldown">row</option>
     <option name="count">10</option>
     <drilldown>
       <link>
           /app/search/mcafee_test?
            search sourcetype=McAfee_Virus_Threat_xml EPOEvents_ThreatName=$click.value$ | stats count by EPOEvents_TargetHostName
         </link>
     </drilldown>
   </table>
 </panel>

AbelCruz · ‎02-14-2018

Thank you for your help.
It does brings the values now but it does all of them. What I am trying to do is to click on a threat name and have Splunk to show in a new form all the affected host by that specific threat. Any suggestions ?

AbelCruz · ‎02-14-2018

When I click on the threat name it shows all the hosts for all the threats not just for the specific threat that was clicked on

This is what I have on the receiving form (maybe this is where the error is?

McAfee test

<panel>
  <chart>
    <title>Hosts</title>
    <search>
      <query>sourcetype=McAfee_Virus_Threat_xml EPOEvents_ThreatName="*" | timechart count by EPOEvents_TargetHostName limit=0</query>
      <earliest>1501560000</earliest>
      <latest>now</latest>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">collapsed</option>
    <option name="charting.axisTitleY.visibility">collapsed</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">column</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">all</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">stacked</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">bottom</option>
  </chart>
</panel>

493669 · ‎02-14-2018

so are you saying $click.value$ becomes "*"?

AbelCruz · ‎02-14-2018

Yes it does

493669 · ‎02-14-2018

try this for testing what value is setting in $click.value$-

<dashboard>
  <label>click test</label>
  <row>
<panel>
    <table>
      <title>Host Threat correlation</title>
      <search>
        <query>sourcetype=McAfee_Virus_Threat_xml | rename "EPOEvents_TargetHostName" AS "Host Name" | dedup EPOEvents_ThreatName | rename "EPOEvents_ThreatName" AS "Threat Name" | rename "EPOEvents.ThreatType" AS "Threat Type" | rename "EPO_Events_ThreatHandled" AS "Action Taken" | replace "true" with "Contained" in "Action Taken" | table  "Threat Name" "Threat Type" "Action Taken" | sort by - "Threat Type"</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
      <option name="wrap">true</option>
      <option name="rowNumbers">true</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">row</option>
      <option name="count">10</option>
      <drilldown>
          <set token="count_field">$click.value$</set>
       </drilldown>
    </table>
  </panel>
</row>
  <row>
    <panel>
      <table>
        <title>clicked value=$count_field$</title>
        <search>
          <query>index=_internal| stats count by source</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

AbelCruz · ‎02-14-2018

It does shows the right clicked value underneath the Threat_name table

493669 · ‎02-14-2018

so it is showing expected value right?

AbelCruz · ‎02-14-2018

Yes it does in a line underneath the Threat table. How can I pass it to the target form?

493669 · ‎02-14-2018

try this in drilldown;

<link>
            /app/search/mcafee_test?q= search sourcetype=McAfee_Virus_Threat_xml EPOEvents_ThreatName=$click.value$ | stats count by EPOEvents_TargetHostName
</link>

AbelCruz · ‎02-14-2018

This brings up a table with all the threats and hosts by time. It doesn't group the hosts by the previously selected threat name

AbelCruz · ‎02-14-2018

This is the xml code for the destination form. Does it matter that the EPOEvents_ThreatName is set to "*"?

sourcetype=McAfee_Virus_Threat_xml EPOEvents_ThreatName="*" | timechart count by EPOEvents_TargetHostName limit=0

McAfee test

<panel>
  <chart>
    <title>Infected Host by Threat</title>
    <search>
      <query>sourcetype=McAfee_Virus_Threat_xml EPOEvents_ThreatName="*" | timechart count by EPOEvents_TargetHostName limit=0</query>
      <earliest>0</earliest>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">column</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">none</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="count">10</option>
  </chart>
</panel>

493669 · ‎02-14-2018

I found a workaround for this ...but there can be better way to do this...
in McAfee test dashboard: here I have added hidden panel and set a token which will be used in dashboard

<panel depends="$hide$"><input type="text" token="check"><default>*</default></input></panel>
<panel>
   <chart>
     <title>Infected Host by Threat</title>
     <search>
       <query>sourcetype=McAfee_Virus_Threat_xml EPOEvents_ThreatName="$check$" | timechart count by EPOEvents_TargetHostName limit=0</query>
       <earliest>0</earliest>
     </search>
     <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
     <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
     <option name="charting.axisTitleX.visibility">visible</option>
     <option name="charting.axisTitleY.visibility">visible</option>
     <option name="charting.axisTitleY2.visibility">visible</option>
     <option name="charting.axisX.scale">linear</option>
     <option name="charting.axisY.scale">linear</option>
     <option name="charting.axisY2.enabled">0</option>
     <option name="charting.axisY2.scale">inherit</option>
     <option name="charting.chart">column</option>
     <option name="charting.chart.bubbleMaximumSize">50</option>
     <option name="charting.chart.bubbleMinimumSize">10</option>
     <option name="charting.chart.bubbleSizeBy">area</option>
     <option name="charting.chart.nullValueMode">gaps</option>
     <option name="charting.chart.showDataLabels">none</option>
     <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
     <option name="charting.chart.stackMode">default</option>
     <option name="charting.chart.style">shiny</option>
     <option name="charting.drilldown">all</option>
     <option name="charting.layout.splitSeries">0</option>
     <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
     <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
     <option name="charting.legend.placement">right</option>
     <option name="wrap">true</option>
     <option name="rowNumbers">false</option>
     <option name="dataOverlayMode">none</option>
     <option name="count">10</option>
   </chart>
 </panel>

493669 · ‎02-14-2018

and in first dashboard add below drilldown:

 <link>
             /app/search/mcafee_test?form.check=$click.value|n$
 </link>

AbelCruz · ‎02-14-2018

Hi there
Thank you for all your help
Finally got it to work by using this code:

<table>
  <title>Detected Malware</title>
  <search>
    <query>sourcetype=McAfee_Virus_Threat_xml EPOEvents_ThreatName="*" | rename "EPOEvents_ThreatName" AS "Threat Name" | stats count by "Threat Name"</query>
    <earliest>-6mon</earliest>
    <latest>now</latest>
  </search>
  <drilldown>
    <set token="EPOEvents_ThreatNam_tok">$click.value$</set>
  </drilldown>
  <option name="wrap">true</option>
  <option name="rowNumbers">false</option>
  <option name="dataOverlayMode">none</option>
  <option name="drilldown">cell</option>
  <option name="count">10</option>
</table>
<chart depends="$EPOEvents_ThreatNam_tok$">
  <title>Impacted Hosts</title>
  <search>
    <query>sourcetype=McAfee_Virus_Threat_xml EPOEvents_ThreatName="$EPOEvents_ThreatNam_tok$" | rename "EPOEvents_ThreatName" AS "Threat Name", "EPOEvents_TargetHostName" AS "Host Name" | timechart count by "Host Name" limit=0</query>
    <earliest>-6mon</earliest>
    <latest>now</latest>
  </search>
  <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
  <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
  <option name="charting.axisTitleX.visibility">visible</option>
  <option name="charting.axisTitleY.visibility">visible</option>
  <option name="charting.axisTitleY2.visibility">visible</option>
  <option name="charting.axisX.scale">linear</option>
  <option name="charting.axisY.scale">linear</option>
  <option name="charting.axisY2.enabled">0</option>
  <option name="charting.axisY2.scale">inherit</option>
  <option name="charting.chart">column</option>
  <option name="charting.chart.bubbleMaximumSize">50</option>
  <option name="charting.chart.bubbleMinimumSize">10</option>
  <option name="charting.chart.bubbleSizeBy">area</option>
  <option name="charting.chart.nullValueMode">gaps</option>
  <option name="charting.chart.showDataLabels">none</option>
  <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
  <option name="charting.chart.stackMode">stacked</option>
  <option name="charting.chart.style">shiny</option>
  <option name="charting.drilldown">all</option>
  <option name="charting.layout.splitSeries">0</option>
  <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
  <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
  <option name="charting.legend.placement">bottom</option>
</chart>

Again thank you for taking the time to help me out.

493669 · ‎02-14-2018

so now $click.value$ is displayed as expected in new dashboard?

493669 · ‎02-14-2018

What all values have come? also try $click.value2$ instead of $click.value$
I just tried run anywhere search and it works as expected.

<dashboard>
   <label>click test</label>
   <row>
     <panel>
       <table>
         <title>search</title>
         <search>
           <query>index=_internal | stats count by sourcetype source</query>
           <earliest>-15m@m</earliest>
           <latest>now</latest>
         </search>
         <option name="wrap">true</option>
         <option name="rowNumbers">true</option>
         <option name="drilldown">row</option>
         <drilldown target="_blank">
             <link>
                   <![CDATA[
                 /app/search/search?q=search%20index=_internal%20sourcetype=$click.value$
                  ]]>
               </link>
         </drilldown>
       </table>
     </panel>
   </row>
 </dashboard>

493669 · ‎02-14-2018

$click.value$ ----> leftmost column value in clicked row
$click.value2$ ----> clicked field(column) value

Why is drilldown from a table into another table based on the click value, does not carry the value over from the previous table?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk