Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Advanced charting drilldown onclick
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Advanced charting drilldown onclick
Hi all i'm trying to do an advanced view that onclick on the parameter "IP" of a pie chart open a flashtimeline adding the search "IP=the_clicked_value" but it doesnt work because on click it's added also the parameter "count" How can i do this? thanks
<view refresh="1000" template="dashboard.html">
<label>View Fede</label>
<module name="AccountBar" layoutPanel="navigationHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="HiddenSearch" layoutPanel="panel_row3_col1" autoRun="True">
<param name="search">sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security" OR sourcetype="opsec" OR sourcetype="oracle_audit_*"| eval IP=case(sourcetype=="webseal_access", IP_Source, sourcetype=="wmi:wineventlog:security", Source_Network_Address, sourcetype="opsec", src_ip, sourcetype="oracle_audit_*", host_client) | search [search eventtype="searchIPS2" Direction="Inbound" Severity="Medium" DestinationIP=* | fields DestinationIP | rename DestinationIP as IP | dedup IP] | stats count by IP | sort count desc</param>
<param name="earliest">1279576800</param>
<param name="latest">1279663200</param>
<module name="HiddenChartFormatter">
<param name="charting.chart">pie</param>
<module name="JobProgressIndicator"/>
<!-- here's the FlashChart that we'll click on -->
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">360px</param>
<!-- we swap out the search to be a timechart.
-->
<module name="HiddenSearch">
<param name="search">search eventtype="searchIPS2" Direction="Inbound" Severity="Medium" </param>
<param name="earliest">1279576800</param>
<param name="latest">1279663200</param>
<module name="ConvertToIntention">
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="IP">$click.value$</param>
</param>
</param>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</view>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looking at the XML I was able to duplicate that problem where count="10" would show up in the search bar after my $click.value$ when redirecting to a flashtimeline view.
So what I did to resolve this was remove
<module name="ConvertToDrilldownSearch">
before the ViewRedirector and don't forget to remove the
</module>
that goes along with it so you can save it. Hopefully this helps.
travis.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's correct. The XML posted is doing a combination of what is called 'generic drilldown' using the ConvertToDrilldownSearch module, and also 'Custom wired drilldown' using the ConvertToIntention module. See the "UI Examples for 4.1" app on splunkbase, specifically "Advanced XML > Drilldown Intro" that has examples that talk about this.
Observe and Secure All Apps with Splunk
Splunk Decoded: Business Transactions vs Business IQ
Fastest way to demo Observability
