- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Drilldown chart - How to rename $click.value2$ b...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Drilldown chart - How to rename $click.value2$ based on the conditions
For the below query when I click on the graph, it should drill down based on the severity condition.
if $click.value2$ is CRITICAL(Ambari) then i want to rename the filed as CRITICAL
if $click.value2$ is MAJOR(Ambari) then i want to rename the filed as MAJOR
if $click.value2$ is MINOR(Ambari) then i want to rename the filed as MINOR
if $click.value2$ is CRITICAL(infra) then i want to rename the filed as CRITICAL
if $click.value2$ is MAJOR(infra) then i want to rename the filed as MAJOR
if $click.value2$ is MINOR(infra) then i want to rename the filed as MINOR
so the SEVERITY will be updated as CRITICAL or MINOR or MAJOR
DRILLDOWN QUERY:
index=alrsm sourcetype=source APPLICATION=Hadoop OR APPLICATION=Unix MANAGER_NAME=prdehdp*
SEVERITY=CRITICAL
| eval SEV=case(APPLICATION="Hadoop" AND SEVERITY="CRITICAL", "CRITICAL(Ambari)",
APPLICATION="Hadoop" AND SEVERITY="MINOR", "MINOR(Ambari)",
APPLICATION="Hadoop" AND SEVERITY="MAJOR", "MAJOR(Ambari)",
APPLICATION="Unix" AND SEVERITY="CRITICAL", "CRITICAL(Infra)",
APPLICATION="Unix" AND SEVERITY="MINOR", "MINOR(Infra)",
APPLICATION="Unix" AND SEVERITY="MAJOR", "MAJOR(Infra)")
|rename NETWORKELEMENTCODE as SERVER_NAME, AMONAME as SHORT_DESCRIPTION, SEV as SEVERITY | stats COUNT by SERVER_NAME SHORT_DESCRIPTION DESCRIPTION SEVERITY
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There might be a more complex answer that works too, but have you considered just splitting severity and classification into two things? Severity = MINOR, Classification = AMBARI? Then, when you click it, you don't have to worry about this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can we rename the $click.value2$ based on the condition of the clicked value ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
If possible, can you post your xml code?
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
