Hello Splunkers,
I am trying to have an interactive dashboard where one dashboard is feeding another with data for searches.
Dashboard 1:
I set a token in one of my visualizations that redirects to the second dashboard and should pass a "tok_incident" parameter. As suggested in the Splunk documentation, I added "form" as a prefix:
<table depends="$showTableI$">
<search>
<query>| `all_alerts` | fillnull value="unknown" owner, status, status_description, impact, urgency, priority | rename tags as tactic | rename priority as severity | join job_id[search index="demisto" | spath id | spath job_id] | rename id as "ID" | sort - _time | table alert, "ID"</query>
<earliest>$global_time.earliest$</earliest>
<latest>$global_time.latest$</latest>
</search>
<option name="count">3</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="color" field="%">
<colorPalette type="list">[#5378AD, #98BF3B, #F0BE1B, #FF8800, #D25B3B]</colorPalette>
<scale type="threshold">15,30,50,75,90</scale>
</format>
<drilldown>
<link target="_blank">/app/app/incident_enrichment?form.tok_incident=$row.ID$</link>
</drilldown>
</table>
Dashboard 2:
The second dashboard includes several searches that should get the "tok_incident" value.
Also, I set the initial value to "*" as seen below:
<init>
<set token="tok_incident">*</set>
</init>
Search for example:
<panel>
<title>Malicious Files Observed</title>
<viz type="parallel_coordinates_app.parallel_coordinates">
<search>
<query>index="demisto" | spath id | search id="$tok_incident$"| spath "RL.results{}.aliases{}" | rename "RL.results{}.aliases{}" as MaliciousFileName | stats count by MaliciousFileName</query>
<earliest>$global_time.earliest$</earliest>
<latest>$global_time.latest$</latest>
</search>
<option name="drilldown">all</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
</viz>
</panel>
The problem:
Although the value passes through the URL, I still get all data, as defined in <init>, and not the value passed in the "tok_incident" token.
Any help?
Doron
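An added example, not the poster's dashboard or a Splunk-provided sample, of how the second dashboard could be laid out so the URL value is not discarded. It assumes the unconditional <set> in <init> runs on every load and overwrites the value that form.tok_incident carried in the URL; the input name, label and the never-set depends token are illustrative choices.

```xml
<form>
  <!-- Added example, not the poster's dashboard or Splunk's own sample.
       Assumption: the unconditional <set> in <init> runs on every load and
       overwrites whatever form.tok_incident carried in the URL, so the
       search below always sees "*". -->
  <label>incident_enrichment</label>

  <!-- Instead of <init><set token="tok_incident">*</set></init>, declare the
       token as a form input with a default. A URL parameter form.tok_incident
       replaces the default; when it is absent, the default "*" applies.
       depends points at a token that is never set, which keeps the input
       off the screen (hypothetical token name). -->
  <fieldset submitButton="false">
    <input type="text" token="tok_incident" depends="$never_set$">
      <label>Incident ID</label>
      <default>*</default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Malicious Files Observed</title>
      <viz type="parallel_coordinates_app.parallel_coordinates">
        <search>
          <!-- The |s filter wraps the token value in double quotes and escapes
               quotes inside it, so a value arriving from the URL is treated as
               one string literal for id= rather than as extra search syntax.
               With the default "*" the term becomes id="*". -->
          <query>index="demisto" | spath id | search id=$tok_incident|s$ | spath "RL.results{}.aliases{}" | rename "RL.results{}.aliases{}" as MaliciousFileName | stats count by MaliciousFileName</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
        </search>
        <option name="drilldown">all</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
      </viz>
    </panel>
  </row>
</form>
```

The drilldown link from the first dashboard stays as posted (/app/app/incident_enrichment?form.tok_incident=$row.ID$); only the receiving side changes.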