- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is there an easy way to create a drilldown for an ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there an easy way to create a drilldown for an area chart?
I have a dashboard panel that shows the sum of outbound data where I want to click on a value and display the raw events making up that data point.
The search is:
| tstats allow_old_summaries=t sum(All_Traffic.bytes_out) AS sumSent FROM datamodel="Network_Traffic" WHERE nodename="All_Traffic",("All_Traffic.app:subcategory"="file-sharing" OR "All_Traffic.app:subcategory"="database"),(All_Traffic.action="allow" OR All_Traffic.action="alert"),(All_Traffic.dest_zone="outbound"),(dest_ip!=10.0.0.0/8 OR dest_ip!=172.16.0.0/12 OR dest_ip!=192.168.0.0/16 OR dest_ip!=169.254.0.0/16) groupby _time All_Traffic.app span=10m | eval megabytes=round(((sumSent/1024)/1024),0) | timechart span=10m values(megabytes) AS MB by All_Traffic.app
Is there anything that will convert that to a Simple XML search string?
ex. Adding
<drilldown target="_blank">
<link>
<![CDATA[
/app/SplunkEnterpriseSecuritySuite/search?q=search%20$click.value2$
]]>
</link>
</drilldown>
opens a new search, but currently only passes the average of that data point on the graph. I don't understand the syntax to convert my tstats search into XML. It seems like there should be a better way to do this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I suggest that you build a form as a custom target for your drilldown. Within the target form, you can write any search that you want - and plug in the click values from this dashboard panel. In your first dashboard, you reference the target form like this:
<link>
<![CDATA[
/app/search/yourCustomForm?form.time_token=$click.value$&form.appName=$click.name2$
]]>
</link>
Then in "yourCustomForm" you would use the time_token and the appName to actually retrieve the list of events - or whatever it is that you want to show when someone clicks. But at least this passes on the time and series that was clicked...
There is a section on Dynamic drilldown in dashboards and forms in the Dashboards and Visualizations manual. This is also where you can find the list of drilldown event tokens.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First thing that I observe is you're using $click.value2$ token which gives just the clicked value, not a fieldname or anything, your drilldown will not work. Even if you pass correct drilldown token (see this for full list) Since, your chart is generated from Data Model, it will not automatically show raw events on click. You would have to pass the search that you want to execute on drilldown and pass the filter value/field names from the chart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So it would be as simple as adding
<link>
<![CDATA[
/app/SplunkEnterpriseSecuritySuite/search?q=| datamodel Network_Traffic Allowed_Traffic search | search (All_Traffic.dest_zone="outbound") AND ("All_Traffic.app:subcategory"="file-sharing" OR "All_Traffic.app:subcategory"="database") AND NOT (All_Traffic.dest_ip=10.0.0.0/8 OR All_Traffic.dest_ip=172.16.0.0/12 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip=169.254.0.0/16)
]]>
</link>
</drilldown>
and then also passing the earliest/latest time parameter?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
