A statistics table within my dashboard counts the total number of hosts who have a hostname (Named) and total number of blanks (Blank).
I enabled the drill-down and when you click on either value, it just opens the existing query that shows all hosts, those with and without hostnames. I want to set it so that if the user clicks on the values under Named or Blank, then it only searches for those. I'm trying to do it via tokens, but I'm not sure how to pass the column name (Named or Blank) to append to the custom drilldown query | search $clicked_column$
sample data
host hostname
1.1.1.1 host-1.com
2.2.2.2
3.3.3.3 host-3.com
4.4.4.4 host-4.com
5.5.5.5
SPL
| tstats count where index=network by host
| lookup dnslookup clientip as host OUTPUT clienthost as hostname
| stats count(eval(isnull(hostname))) AS Blank count(eval(isnotnull(hostname))) AS Named
output
Named Blank
3 2
desired click on 3 (Named column)
host hostname
1.1.1.1 host-1.com
3.3.3.3 host-3.com
4.4.4.4 host-4.com
desired click on 2 (Blank column)
host hostname
2.2.2.2
5.5.5.5
Hello again @DEAD_BEEF!
I would change the statistics table to the following:
| tstats count where index=network by host
| lookup dnslookup clientip as host OUTPUT clienthost as hostname
| eval Type=if(isnull(hostname),"Blank","Named")
| stats count by Type
The statistics table will now look as follows:
Type count
Blank 2
Named 3
Then you add a drilldown (Link to search) as follows:
| tstats count where index=network by host
| lookup dnslookup clientip as host OUTPUT clienthost as hostname
| eval Type=if(isnull(hostname),"Blank","Named")
| search Type="$click.value$"
| table host,hostname,Type
Check out this page: Predefined drilldown tokens
EDIT: Instead of displaying a statistics table, you could use two single-value panels: One for Blank and one for Named. I think that makes the dashboard more visually appealing. Also add a drilldown to each single-value panel.
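The answer above, wired into a Simple XML panel, as an added example that is not the poster's own dashboard: the table query and the "Link to search" drilldown are the ones from the answer, with the drilldown query URL-encoded the way the dashboard editor stores it. The label, panel title, 24-hour time range and `target="_blank"` are assumptions.

```xml
<dashboard>
  <!-- Label and panel title are constructed for this example. -->
  <label>Hostname coverage</label>
  <row>
    <panel>
      <title>Hosts by Type</title>
      <table>
        <search>
          <query>| tstats count where index=network by host
| lookup dnslookup clientip as host OUTPUT clienthost as hostname
| eval Type=if(isnull(hostname),"Blank","Named")
| stats count by Type</query>
          <!-- Assumed time range; the thread does not state one. -->
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- A click anywhere in a row fires the drilldown. -->
        <option name="drilldown">row</option>
        <drilldown>
          <!--
            $click.value$ is the value in the leftmost column of the clicked
            row, so it is "Blank" or "Named" whichever cell is clicked.
            Type is computed by eval, so the token only ever carries one of
            those two literals and no hostname data reaches the query text.
            Decoded, q= is the drilldown search from the answer:
              | tstats count where index=network by host
              | lookup dnslookup clientip as host OUTPUT clienthost as hostname
              | eval Type=if(isnull(hostname),"Blank","Named")
              | search Type="$click.value$"
              | table host,hostname,Type
          -->
          <link target="_blank">search?q=%7C%20tstats%20count%20where%20index%3Dnetwork%20by%20host%20%7C%20lookup%20dnslookup%20clientip%20as%20host%20OUTPUT%20clienthost%20as%20hostname%20%7C%20eval%20Type%3Dif(isnull(hostname)%2C%22Blank%22%2C%22Named%22)%20%7C%20search%20Type%3D%22$click.value$%22%20%7C%20table%20host%2Chostname%2CType&amp;earliest=-24h@h&amp;latest=now</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```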
Hey @whrg! I like the idea of using two single-value panels. I'll try messing around with that and see if I can get it to work. The big thing is the existing layout of panels on the dashboard.
Currently there are 4 panels in 1 row across my dashboard (the named/blank being #2).
[1] [2] [3] [4]
If I can break up the named/blank into two single values BUT display them such that they take up the same spaces "stacked vertically" as [2] then it would be perfect, visually nicer, and make the drilldown simpler.
I'll try a bit and post back.
Alright, so two single-value panels wouldn't stack vertically (at least not by default, maybe doable in XML?). So, what I did was take your query and then trellis by Type and that made two single-values on one panel. Looks much better than the plain table and the click for each one is working as intended. Good thinking! Thanks again for all the help.
Your XML should look similar to this:
[panel][single]...[/single][/panel][panel][single]...[/single][/panel]
Remove [/panel][panel] between the two single sections.
It worked and looks better than the trellis! Thank you so much for all the assistance.