I have 2 views that I want to call from a drilldown based on roles. So, if they are a user, then one view would open, and if another user is an Administrator, they would see another view. Any ideas?
Thanks!
David
Regardless of Splunk version, you could do something like this:
<table>
<search>
<query>index=_internal | stats count by sourcetype | appendcols [rest splunk_server=local /services/authentication/current-context | eval dashboard = if(isnotnull(mvfilter(match(roles, "^admin$"))), "adminview", "userview") | table dashboard] | eventstats values(dashboard) as dashboard | rename dashboard as _dashboard</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<drilldown>
<link>/app/search/$row._dashboard$</link>
</drilldown>
</table>
That will open the view adminview
or userview
depending on if the user has the admin
role or not.
Give this a try (un tested)
You should be able to get the current user's role and set the dashboard name to show using this query.
<search id="search_logic">
<query>| rest /services/authentication/current-context splunk_server=local | table roles | eval role=mvindex(roles,0) | eval dashboard=if(role="admin","dashboard1","dashboard2") </query>
<earliest>-60m@m</earliest>
<latest>now</latest>
<finalized>
<condition>
<set token="dashboard">$result.dashboard$</set>
</condition>
</finalized>
</search>
Then in your visualization's drilldown, you can open the dashboard like this
<chart>
<searchString>
your query here
</searchString>
<option name="charting.chart">column</option>
<drilldown>
<link>
$dashboard$
</link>
</drilldown>
</chart>
What version of Splunk are you using?
Currently using 6.3 and considering moving to 6.4...