
Three charts to the same panel

t_laios
Engager

Hello, I am new to the forum, so please forgive me if I make a mistake.
I wrote the following code, and I want the drilldown to show me a table each time a field value is selected in the pie charts.

I tried this example, but it did not work.

http://splunk-base.splunk.com/answers/56050/eventsviewer-drilldowns-from-2-charts-update-the-same-pa...

CODE

<!-- Panel panel_row1_col1: pie chart of the top 10 attack_name values from `networkindex` type=ips. -->
<module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">`networkindex` type=ips  | top limit=10 attack_name</param>
    <module name="HiddenChartFormatter">
      <param name="charting.chart">pie</param>
      <module name="JobProgressIndicator"/>

      <!-- here's the FlashChart that we'll click on -->
      <module name="FlashChart">
        <param name="width">100%</param>
        <param name="height">180px</param>
        <param name="enableResize">False</param>

        <!-- swap the search for one that lists the IPS events, keeping only the fields named below and dropping _raw (this is not a timechart). -->
        <module name="HiddenSearch">
          <param name="search">`networkindex` type=ips | fields _time attack_name src_ip dest_ip src_port dest_port dest_app | fields - _raw </param>
          <!-- this module takes the value we clicked on ($click.value$) and adds it to the search as an attack_name term through the addterm intention. -->
          <!-- layoutPanel is set to panel_row4_col1 here; presumably the child modules below inherit it (confirm). -->
          <module name="ConvertToIntention" layoutPanel="panel_row4_col1">
            <param name="intention">
              <param name="name">addterm</param>
              <param name="arg">
                <param name="attack_name">$click.value$</param>
              </param>
              <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
              <param name="flags"><list>indexed</list></param>
            </param>

            <!-- finally, we render the results in a SimpleResultsTable behind a Pager (count 10), and we throw in a JobProgressIndicator for good measure. -->
            <module name="JobProgressIndicator"></module>
               <module name="Pager">
                       <param name="count">10</param>
                 <module name="SimpleResultsTable">
                        <param name="drilldown">row</param>
            </module>
          </module>
        </module>
    </module>
        </module>
      </module>
    </module>

    <!-- Panel panel_row1_col2 ("Top 10 Users"): bar chart of the top 10 user values, excluding user=n/a. -->
    <module name="HiddenSearch" layoutPanel="panel_row1_col2" group="Top 10 Users" autoRun="True">
    <param name="search">`networkindex` type=ips user!=n/a | top limit=10 user | fields user, count</param> 
    <param name="groupLabel">Top 10 Users</param>

    <module name="ViewstateAdapter">
    <module name="HiddenFieldPicker">
        <param name="strictMode">True</param>
        <module name="JobProgressIndicator">
        <module name="EnablePreview">
            <param name="enable">True</param>
            <param name="display">False</param>
            <module name="HiddenChartFormatter">
                <param name="charting.chart">bar</param>
                <module name="FlashChart">
                    <param name="width">100%</param>
                        <param name="enableResize">true</param>

                                <!-- drilldown search: lists the IPS events with a user other than n/a, keeping only the fields named below and dropping _raw. -->
                                <module name="HiddenSearch">
          <param name="search">`networkindex` type=ips user!=n/a | fields _time user src_ip dest_ip src_port dest_port dest_app | fields - _raw </param>

          <!-- this module takes the value we clicked on ($click.value$) and adds it to the search as a user term through the addterm intention. -->
          <!-- layoutPanel is set to panel_row4_col1 here; presumably the child modules below inherit it (confirm). -->
          <module name="ConvertToIntention" layoutPanel="panel_row4_col1">
            <param name="intention">
              <param name="name">addterm</param>
              <param name="arg">
                <param name="user">$click.value$</param>
              </param>
              <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
              <param name="flags"><list>indexed</list></param>
            </param>

            <!-- finally, we render the results in a SimpleResultsTable behind a Pager (count 10), and we throw in a JobProgressIndicator for good measure. -->
            <module name="JobProgressIndicator"></module>
               <module name="Pager">
                       <param name="count">10</param>
                 <module name="SimpleResultsTable">
                        <param name="drilldown">row</param>
            </module>
          </module>
        </module>
    </module>
        </module>
      </module>
    </module>

                            </module>
                        </module>   
                </module>
            </module>

        <!-- NOTE(review): the closing tag below has no matching opening tag inside this pasted fragment; the eleven modules opened above are already closed at this point. -->
        </module>

    <!-- Panel panel_row3_col1 ("Service"): pie chart of the event count per dest_app. -->
    <module name="HiddenSearch" layoutPanel="panel_row3_col1" group="Service" autoRun="True">
    <param name="search">`networkindex` type=ips | table dest_app | chart count(dest_app) over dest_app </param>    
    <param name="groupLabel">Service</param>

    <module name="ViewstateAdapter">
    <module name="HiddenFieldPicker">
        <param name="strictMode">True</param>
        <module name="JobProgressIndicator">
        <module name="EnablePreview">
            <param name="enable">True</param>
            <param name="display">False</param>
            <module name="HiddenChartFormatter">
                <param name="charting.chart">pie</param>
                <module name="FlashChart">
                    <param name="width">100%</param>
                        <param name="enableResize">true</param>

                        <!-- drilldown search: lists the IPS events, keeping only the fields named below and dropping _raw. -->
                        <module name="HiddenSearch">
          <param name="search">`networkindex` type=ips | fields _time dest_app src_ip dest_ip src_port dest_port | fields - _raw </param>
          <!-- this module takes the value we clicked on ($click.value$) and adds it to the search as a dest_app term through the addterm intention. -->
          <!-- layoutPanel is set to panel_row4_col1 here; presumably the child modules below inherit it (confirm). -->
          <module name="ConvertToIntention" layoutPanel="panel_row4_col1">
            <param name="intention">
              <param name="name">addterm</param>
              <param name="arg">
                <param name="dest_app">$click.value$</param>
              </param>
              <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
              <param name="flags"><list>indexed</list></param>
            </param>

            <!-- finally, we render the results in a SimpleResultsTable behind a Pager (count 10), and we throw in a JobProgressIndicator for good measure. -->
            <module name="JobProgressIndicator"></module>
               <module name="Pager">
                       <param name="count">10</param>
                 <module name="SimpleResultsTable">
                        <param name="drilldown">row</param>
            </module>
          </module>
        </module>
    </module>
        </module>
      </module>
    </module>

                </module>
            </module>
        </module>
        </module>

    <!-- Panel panel_row3_col2: a row of tabs whose selected value is published under the name selectedTab and used as the split-by field of the search below. -->
    <module name="Tabs" layoutPanel="panel_row3_col2" autoRun="True">
        <param name="name">selectedTab</param>
        <!-- each list entry is one tab: label is the text shown, value is the field name substituted for $selectedTab$. -->
        <param name="staticTabs">
          <list>
        <param name="label">Attacks</param>
        <param name="value">attack_name</param>
          </list>
          <list>
        <param name="label">Service</param>
        <param name="value">dest_app</param>
          </list>
          <list>
        <param name="label">Source IP</param>
        <param name="value">src_ip</param>
          </list>
          <list>
        <param name="label">Destination IP</param>
        <param name="value">dest_ip</param>
          </list>
          <list>
        <param name="label">User</param>
        <param name="value">user</param>
          </list>

        </param>


        <!-- count of IPS events, with a sparkline, per value of the selected field, sorted by descending count. -->
        <module name="Search">    
        <param name="search">`networkindex` type=ips | stats  sparkline count by $selectedTab$ | sort -count</param>  
        <module name="Pager">
        <param name="count">10</param>
          <module name="SimpleResultsTable">
            <param name="drilldown">row</param>
          </module>
        </module>
         </module>
        <!-- NOTE(review): the Tabs module opened at the top of this block is not closed within the pasted fragment. -->

sideview
SplunkTrust
SplunkTrust

You are using Sideview Utils in some places, and not in others, which I think is most of your confusion.

I went ahead and quickly cleaned up your view: I took out the places where you were still using intentions, and replaced the HiddenSearch modules with Search.

Also a lot of your config looks like it was once upon a time converted from "simple xml". Unfortunately the splunk simple xml system has a number of longstanding bugs in it, such that the equivalent Advanced XML, once converted, has a bunch of meaningless or redundant params and modules in it, and it always has 4 extra layers of indentation. I've removed these as well.

You might want to double check all the layoutPanels because I might have messed those up as I was cleaning things up and removing modules.

<!-- Header modules, all placed in the appHeader panel. -->
<module name="AccountBar" layoutPanel="appHeader" />

<module name="AppBar" layoutPanel="appHeader" />

<!-- The view below uses Sideview Utils modules such as Search. NOTE(review): presumably this module has to be present for them to work; confirm against the Sideview Utils documentation. -->
<module name="SideviewUtils" layoutPanel="appHeader" />

<!-- Message display in the messaging panel: filter is *, maxSize is 2, and clearOnJobDispatch is False. -->
<module name="Message" layoutPanel="messaging">
  <param name="filter">*</param>
  <param name="maxSize">2</param>
  <param name="clearOnJobDispatch">False</param>
</module>

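<!-- Panel panel_row1_col1: pie chart of the top 10 attack_name values from `networkindex` type=ips. -->
<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search"><![CDATA[
    `networkindex` type=ips  | top limit=10 attack_name
  ]]></param>

  <module name="HiddenChartFormatter">
    <param name="charting.chart">pie</param>

    <module name="JobProgressIndicator" />

    <!-- the chart the user clicks on; the clicked value is referenced below as $click.value$. -->
    <module name="FlashChart">
      <param name="width">100%</param>
      <param name="height">180px</param>
      <param name="enableResize">False</param>

      <!-- drilldown search: the IPS events whose attack_name equals the clicked value, keeping only the fields named below and dropping _raw. -->
      <!-- NOTE(review): $click.value$ is substituted inside a quoted search term, and attack_name is text taken from indexed IPS events. Confirm that quotes and backslashes in the value are escaped on substitution; otherwise a value containing a double quote would change the meaning of this search. -->
      <module name="Search">
        <param name="search">`networkindex` type=ips attack_name="$click.value$" | fields _time attack_name src_ip dest_ip src_port dest_port dest_app | fields - _raw </param>

        <!-- layoutPanel is set explicitly so that this drilldown is drawn in panel_row4_col1, the same panel the other two charts' drilldowns use. -->
        <module name="JobProgressIndicator" layoutPanel="panel_row4_col1" />

        <module name="Pager" layoutPanel="panel_row4_col1">

          <module name="SimpleResultsTable" />
        </module>
      </module>
    </module>
  </module>
</module>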

<!-- Panel panel_row1_col2 ("Top 10 Users"): bar chart of the top 10 user values, excluding user=n/a. -->
<module name="Search" layoutPanel="panel_row1_col2" group="Top 10 Users" autoRun="True">
  <param name="search">`networkindex` type=ips user!=n/a | top limit=10 user | fields user, count</param>

  <module name="JobProgressIndicator" />

  <module name="EnablePreview">
    <param name="enable">True</param>
    <param name="display">False</param>
  </module>

  <module name="HiddenChartFormatter">
    <param name="charting.chart">bar</param>

    <!-- the chart the user clicks on; the clicked value is referenced below as $click.value$. -->
    <module name="FlashChart">
      <param name="width">100%</param>
      <param name="enableResize">true</param>

      <!-- drilldown search: the IPS events whose user equals the clicked value, keeping only the fields named below and dropping _raw. -->
      <!-- NOTE(review): $click.value$ is substituted inside a quoted search term, and user is text taken from indexed IPS events. Confirm that quotes and backslashes in the value are escaped on substitution; otherwise a value containing a double quote would change the meaning of this search. -->
      <module name="Search">
        <param name="search">`networkindex` type=ips user="$click.value$" | fields _time user src_ip dest_ip src_port dest_port dest_app | fields - _raw </param>

        <!-- the progress indicator and the paged table are both placed in panel_row4_col1 rather than in the chart's own panel. -->
        <module name="JobProgressIndicator"  layoutPanel="panel_row4_col1"/>

        <module name="Pager" layoutPanel="panel_row4_col1">

          <module name="SimpleResultsTable" />
        </module>
      </module>
    </module>
  </module>
</module>

<!-- Panel panel_row3_col1 ("Service"): pie chart of the event count per dest_app. -->
<module name="Search" layoutPanel="panel_row3_col1" group="Service" autoRun="True">
  <param name="search">`networkindex` type=ips | table dest_app | chart count(dest_app) over dest_app </param>

  <module name="JobProgressIndicator" />

  <module name="EnablePreview">
    <param name="enable">True</param>
    <param name="display">False</param>
  </module>

  <module name="HiddenChartFormatter">
    <param name="charting.chart">pie</param>

    <!-- the chart the user clicks on; the clicked value is referenced below as $click.value$. -->
    <module name="FlashChart">
      <param name="width">100%</param>
      <param name="enableResize">true</param>

      <!-- drilldown search: the IPS events whose dest_app equals the clicked value, keeping only the fields named below and dropping _raw. -->
      <!-- NOTE(review): $click.value$ is substituted inside a quoted search term, and dest_app is text taken from indexed IPS events. Confirm that quotes and backslashes in the value are escaped on substitution; otherwise a value containing a double quote would change the meaning of this search. -->
      <module name="Search">
        <param name="search">`networkindex` type=ips dest_app="$click.value$" | fields _time dest_app src_ip dest_ip src_port dest_port | fields - _raw </param>

        <!-- the progress indicator and the paged table are both placed in panel_row4_col1 rather than in the chart's own panel. -->
        <module name="JobProgressIndicator"  layoutPanel="panel_row4_col1"/>

        <module name="Pager" layoutPanel="panel_row4_col1">

          <module name="SimpleResultsTable" />
        </module>
      </module>
    </module>
  </module>
</module>

<!-- Panel panel_row3_col2: a row of tabs whose selected value is published under the name selectedTab and used as the split-by field of the search below. -->
<module name="Tabs" layoutPanel="panel_row3_col2" autoRun="True">
  <param name="name">selectedTab</param>
  <!-- each list entry is one tab: label is the text shown, value is the field name substituted for $selectedTab$. -->
  <param name="staticTabs">
    <list>
      <param name="label">Attacks</param>
      <param name="value">attack_name</param>
    </list>
    <list>
      <param name="label">Service</param>
      <param name="value">dest_app</param>
    </list>
    <list>
      <param name="label">Source IP</param>
      <param name="value">src_ip</param>
    </list>
    <list>
      <param name="label">Destination IP</param>
      <param name="value">dest_ip</param>
    </list>
    <list>
      <param name="label">User</param>
      <param name="value">user</param>
    </list>
  </param>

  <!-- count of IPS events, with a sparkline, per value of the selected field, sorted by descending count. -->
  <!-- NOTE(review): $selectedTab$ is substituted unquoted as a field name; the only values this view defines for it are the five staticTabs values above. Confirm that nothing else can set selectedTab. -->
  <module name="Search">
    <param name="search">`networkindex` type=ips | stats  sparkline count by $selectedTab$ | sort -count</param>

    <module name="Pager">

      <module name="SimpleResultsTable">
        <param name="drilldown">row</param>
      </module>
    </module>
  </module>
</module>