Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a way I can hardcode a search to 2 drilldown values?

muralianup
Communicator
‎08-24-2015 08:37 AM

Is there a way I can hardcode a search to 2 drilldown values? Basically this is what I am trying to achieve: Drilldown with 2 options -> Network traffic from A to B &, from B to A. I have for the time created 2 panes which display 2 panels (with network traffic both directions). But I am trying to come up with a single panel which, upon selecting the traffic direction from the drilldown, displays only that information.

Tags (3)
0 Karma
Reply

somesoni2
Revered Legend
‎09-03-2015 08:20 AM

Try something like this (this is a sample dashboard that can run on any splunk instance, update the searches/labels as per yours)

<form>
  <label>Dynamic Direction</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="host" searchWhenChanged="true">
      <label>Host</label>
      <search>
        <query>| metadata type=hosts index=* | table host</query>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
    </input>
    <input type="dropdown" token="direction" searchWhenChanged="true">
      <label>Direction</label>
      <choice value="src_interface=&quot;A*&quot;">A to B</choice>
      <choice value="dest_interface=&quot;A*&quot;">B to A</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>$direction$</title>
        <search>
          <query>index=_internal | stats count by sourcetype | eval src_interface=if(like(sourcetype,"s%"),"A*","B*")| eval dest_interface=if(like(sourcetype,"s%"),"B*","A*")| search $direction$</query>
          <earliest>-4h@m</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply

somesoni2
Revered Legend
‎08-24-2015 05:22 PM

What is your current query?

0 Karma
Reply

muralianup
Communicator
‎09-03-2015 06:35 AM

I'll give the part of query and what I am trying to achieve:

Query 1: index=firewall host=$value$ | search action!="success" AND src_interface="A*"
Query 2: index=ffirewall host=$value$ | search action!="success" AND dest_interface="A*"

I have 2 drilldown boxes. One which selects the host using $value$ variable. That's working fine.
The next drill down I got to select the traffic direction (query1-> src_interface, query 2-> dest_interface).

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...