I have a dashboard that contains a panel with 'Statistics Table' visualization of search results.
I use that type of visualization to have a list of 10 single-line records per page.
I don't like the 'Events' view due to its size, my events contain large fields so it would result in huge rows which is not very convenient for users to view.
I also have a couple of panels with the selected event details.
What I want is to have an option to create an event type based on some fields from my search results right in the dashboard or in a separate window opened from the dashboard.
I know I can add a panel with the 'Events' view which will have a button with workflow actions under the event row but it will not look suitable there and besides, I think I don't have control over the displayed fields.
If only I could have a button which would collect data from input components and create a new event type, or at least a drilldown action for any visual object which would result into opening an event type builder window, then it would be great.
Does anyone have any suggestions on this?
Try this , you need change the splunk search url
<dashboard> <row> <panel> <table> <search> <query>index=_internal</query> <earliest>-5m@m</earliest> <latest>now</latest> <done> <eval token="SID">$job.sid$</eval> </done> </search> <option name="count">10</option> <option name="drilldown">cell</option> <drilldown> <link target="_blank">http://localhost:8000/en-US/etb?sid=$SID$&offset=0&namespace=search</link> </drilldown> </table> </panel> </row> </dashboard>
I realized that I can create a drilldown to /manager/search/saved/eventtypes/_new?ns=search&action=edit
But I can't transfer any data from my search results to the form fields.
This will be my last resort in case if there is no other options.