Re: How to create a drilldown

jsuryaprakash · ‎09-04-2019

Hello everyone,
I am trying to create a simple hiding drill down panel.
With below search:

index=_internal |stats dc(user) as uniqueusers by sourcetype host

Which gives below table:

sourcetype host uniqueusers
aaaa ccc 4
bbbbb ddddd 2

When a user clicks on uniquesusers value for example 4 it should show a new panel below with list of 4 uniqueuser names.

mayurr98 · ‎09-04-2019

Try this :

<dashboard>
  <label>test</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_*|stats dc(user) as user  by sourcetype host source</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <set token="show_panel">true</set>
          <set token="user">$click.value2$</set>
          <set token="source">$row.source$</set>
          <set token="host">$row.host$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$user$">
      <table>
        <search>
          <query>index=_* |stats values(user) as user dc(user) as user_count  by sourcetype host source | search user_count=$user$ source="$source$" host=$host$ | mvexpand user</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

jsuryaprakash · ‎09-04-2019

It’s only working for the first value of the user column.
For other values in that column it’s showing no data. Can you please look into it.

mayurr98 · ‎09-05-2019

It's working for me for each value of the user column. create a new dashboard and copy-paste entire XML.

jsuryaprakash · ‎09-04-2019

below is the query i achieved so far. i am unable to parse the token value

DrillDown

<panel>
  <table>
    <search>
      <query>index=_*|stats dc(user) as user  by sourcetype host source</query>
      <earliest>-15m</earliest>
      <latest>now</latest>
    </search>
    <drilldown>
      <set token="show_panel">true</set>
      <set token="selected_value">$click.value2$</set>
    </drilldown>
  </table>
</panel>


<panel depends="$selected_value$">
  <table>
    <search>
      <query>index=_* |stats values(user) as user  by sourcetype host source | mvexpand user| search user=$selected_value$ </query>
      <earliest>-15m</earliest>
      <latest>now</latest>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="percentagesRow">false</option>
    <option name="refresh.display">progressbar</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
  </table>
</panel>

jsuryaprakash · ‎09-04-2019

when i click on user count for example its taking user=4 . I want the value values instead of number.

How to create a drilldown

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...