Splunk Search

Change destination search clicking on a pie report

pinzer
Path Finder

Hi all, I need to change the destination of a report when clicking on a slice of a pie report.

The query that I'm using to create the pie is this:

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security"| eval IP=case(sourcetype=="webseal_access", IP_Source, sourcetype=="wmi:wineventlog:security", Source_Network_Address) | search [search eventtype="searchIPS2" Direction="Inbound" Severity="Medium"  DestinationIP=* | fields DestinationIP | rename DestinationIP as IP | dedup IP] | stats count by IP | sort count desc

It shows a pie divided by IP with the count for each IP. Clicking on a slice of the pie, it shows the same query in another window with IP="1.2.3.4" added. I need to automatically insert "| where " into this query before the IP="1.2.3.4".

Thanks to all who can help me.


meenal901
Communicator

Hi,

You can use the drilldown tag to link to another page and use a new query. Here is an example for _internal logs; you can modify it for your data:

Dashboard-1: Pie chart:

pie

<panel>
  <chart>
    <searchString>index=_internal | stats count by sourcetype</searchString>
    <earliestTime>-4h@m</earliestTime>
    <latestTime>now</latestTime>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">pie</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
    <drilldown target="My new window">
      <link>pie_drilldown?sourcetype=$click.value$</link>
    </drilldown>
  </chart>
</panel>

Dashboard-2: Drilldown

$sourcetype$
pie_drilldown

<panel>
  <table>
    <title>Showing results for $sourcetype$</title>
    <searchString>index=_internal | search sourcetype=$sourcetype$ | stats count by source,host</searchString>
    <earliestTime>-4h@m</earliestTime>
    <latestTime>now</latestTime>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>
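The same drilldown idea applied to the original question's IP query, as an added example that is not from either post: instead of opening a new search window, clicking a slice sets a token, and a second panel runs the query with `| where IP=...` filled in from that token. The token name `ip_tok` and the panel titles are my own choices; the `|s` filter wraps the clicked value in double quotes (escaping any embedded quotes) so that a field value taken from log data is treated as a literal string in the SPL rather than as search syntax.

```xml
<dashboard>
  <label>Inbound sources by IP</label>
  <row>
    <panel>
      <chart>
        <title>Inbound events by source IP (click a slice to filter)</title>
        <search>
          <query>sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security"
| eval IP=case(sourcetype=="webseal_access", IP_Source, sourcetype=="wmi:wineventlog:security", Source_Network_Address)
| search [search eventtype="searchIPS2" Direction="Inbound" Severity="Medium" DestinationIP=* | fields DestinationIP | rename DestinationIP as IP | dedup IP]
| stats count by IP | sort count desc</query>
          <earliest>-4h@m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <!-- For a pie chart $click.value$ is the slice label, i.e. the IP.
             Store it in a token (name is my choice) instead of opening a new window. -->
        <drilldown>
          <set token="ip_tok">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <!-- This panel stays hidden until ip_tok has been set by a click -->
    <panel depends="$ip_tok$">
      <table>
        <!-- |h HTML-escapes the value for display in the title -->
        <title>Events for $ip_tok|h$</title>
        <search>
          <query>sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security"
| eval IP=case(sourcetype=="webseal_access", IP_Source, sourcetype=="wmi:wineventlog:security", Source_Network_Address)
| where IP=$ip_tok|s$
| table _time sourcetype IP</query>
          <earliest>-4h@m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>
```

With `|s`, a click on the slice for 1.2.3.4 expands the second query to `| where IP="1.2.3.4"`, which is exactly the clause the question asked to insert.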