Splunk Search

Change destination search clicking on a pie report

pinzer
Path Finder

Hi all, I need to change the destination of a report when clicking on a slice of a pie report.

The query that I'm using to create the pie is this:

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security"| eval IP=case(sourcetype=="webseal_access", IP_Source, sourcetype=="wmi:wineventlog:security", Source_Network_Address) | search [search eventtype="searchIPS2" Direction="Inbound" Severity="Medium"  DestinationIP=* | fields DestinationIP | rename DestinationIP as IP | dedup IP] | stats count by IP | sort count desc

It shows a pie divided by IP with the count for each IP. Clicking on a slice of the pie shows the same query in another window with IP="1.2.3.4" added. I need to automatically insert "| where " in this query before the IP="1.2.3.4".

Thanks to all who can help me

0 Karma

meenal901
Communicator

Hi,

You can use the drilldown tag to link to another page and use a new query. Here is an example for _internal logs; you can modify it for your data:

Dashboard-1: Pie chart:

<dashboard>
  <!-- dashboard, label and row wrappers restored around the posted panel; "pie" is the dashboard label -->
  <label>pie</label>
  <row>
    <panel>
      <chart>
        <searchString>index=_internal | stats count by sourcetype</searchString>
        <earliestTime>-4h@m</earliestTime>
        <latestTime>now</latestTime>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <drilldown target="My new window">
          <!-- $click.value$ is the sourcetype of the clicked slice; the URL parameter
               becomes the $sourcetype$ token in the pie_drilldown dashboard -->
          <link>pie_drilldown?sourcetype=$click.value$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>

Dashboard-2: Drilldown

<dashboard>
  <!-- dashboard, label and row wrappers restored; the dashboard ID pie_drilldown must match
       the link in Dashboard-1, and the $sourcetype$ token is filled from that link's URL parameter -->
  <label>pie_drilldown</label>
  <row>
    <panel>
      <table>
        <title>Showing results for $sourcetype$</title>
        <!-- $sourcetype|s$ would pass the value as a quoted search literal, the safer form
             for a token that arrives from the URL -->
        <searchString>index=_internal | search sourcetype=$sourcetype$ | stats count by source,host</searchString>
        <earliestTime>-4h@m</earliestTime>
        <latestTime>now</latestTime>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>
0 Karma
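An added example, not posted by either participant, that applies the same drilldown mechanism to the original question: instead of letting the default drilldown merge IP="1.2.3.4" into the base search, the <link> opens the search page (the documented "search?q=" drilldown form) with the clicked IP appended as a "| where" clause after the stats. The base query is the one from the question; the dashboard label, the time range and the panel layout are assumptions. The |u filter URL-encodes the clicked value, so whatever lands in the IP="..." literal stays a literal and cannot alter the rest of the SPL, which is the check to keep whenever a token from a click or a URL is spliced into a search.

```xml
<dashboard>
  <!-- label is assumed -->
  <label>IP pie with where-clause drilldown</label>
  <row>
    <panel>
      <chart>
        <!-- base search taken from the question: IP is normalised across both sourcetypes,
             restricted to the IPs returned by the subsearch, then counted -->
        <search>
          <query>sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security" | eval IP=case(sourcetype=="webseal_access", IP_Source, sourcetype=="wmi:wineventlog:security", Source_Network_Address) | search [search eventtype="searchIPS2" Direction="Inbound" Severity="Medium" DestinationIP=* | fields DestinationIP | rename DestinationIP as IP | dedup IP] | stats count by IP | sort count desc</query>
          <!-- time range is assumed -->
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <!-- $click.value$ is the IP of the clicked slice. Linking to search?q= sends exactly this
               query to the search page, so "| where" is placed where the question wants it rather
               than being merged into the base search by the default drilldown. $click.value|u$ is
               URL-encoded, so the value is inserted as a literal; $earliest$/$latest$ carry the
               panel's time range along. -->
          <link target="_blank">search?q=sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security" | eval IP=case(sourcetype=="webseal_access", IP_Source, sourcetype=="wmi:wineventlog:security", Source_Network_Address) | search [search eventtype="searchIPS2" Direction="Inbound" Severity="Medium" DestinationIP=* | fields DestinationIP | rename DestinationIP as IP | dedup IP] | stats count by IP | sort count desc | where IP="$click.value|u$"&amp;earliest=$earliest$&amp;latest=$latest$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>
```

The same pattern works for the two-dashboard version from the answer: keep the link to pie_drilldown, but reference the token in the second dashboard's search as $sourcetype|s$ so the URL value is quoted for search rather than pasted in raw.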