
Drilldown on specific event

kyleharrison
Path Finder

Hi,

I have a dashboard which has a table of events.

I want to create a drilldown from the row to another dashboard which just shows information from that 1 event.

What is the best way of uniquely identifying that event?

N.B. this is purely an example, not the real data, the reason being that I would like a generic way of achieving this if possible.

e.g. Dashboard 1 shows "index=_internal | table _time,clientip,eventtype":

_time,clientip,eventtype
10:00,10.1.1.1,access
11:00,10.01.1.1,access

Each row of the table is 1 event.
When clicking on row "10:00", the next dashboard will have a panel showing the raw event for just that event.

Not sure if I explained clearly, so I'm happy to clarify.


somesoni2
SplunkTrust

Try this sample implementation.

First form (name: simplexmldrilldown)

<dashboard>
  <label>SimpleXmlDrilldown</label>
  <row>
    <table>
      <searchString>index=_internal clientip=* eventtype=*| eval time=_time| table time,clientip,eventtype </searchString>
      <earliestTime>-15m</earliestTime>
      <latestTime>now</latestTime>
      <drilldown>
        <link>
          <![CDATA[
            /app/search/secondform?_time=$row.time$&clientip=$row.clientip$&eventtype=$row.eventtype$&earliest=$earliest$&latest=$latest$
          ]]>
        </link>
      </drilldown>
    </table>
  </row>
</dashboard>

Second form (name: secondform)

<dashboard>
  <label>SecondForm</label>
  <description/>
  <row>
    <event>
      <title>DrilldownEvent</title>
      <searchString>index=_internal _time="$_time$" clientip=$clientip$ eventtype=$eventtype$ earliest=$earliest$ latest=$latest$</searchString>
      <earliestTime>0</earliestTime>
      <latestTime>now</latestTime>
      <fields>["host","source","sourcetype"]</fields>
    </event>
  </row>
</dashboard>
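Added example (not from the thread and not Splunk's own code): a Python check of the row values before they are placed into the secondform link above, since that form interpolates the URL tokens straight into its search string. It also narrows earliest/latest to the event's own second rather than passing the first dashboard's range; the function and regex names and the sample row are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlencode

# Constructed sample row: the three fields the first dashboard's
# <link> passes to secondform (time is epoch seconds from eval time=_time).
SAMPLE_ROW = {"time": "1394524800", "clientip": "10.1.1.1", "eventtype": "access"}

# Assumed allow-list for eventtype names; adjust to the site's naming scheme.
EVENTTYPE_RE = re.compile(r"[A-Za-z0-9_.:-]{1,128}")


def validate_row(row):
    """Return a cleaned copy of the drilldown row, or raise ValueError.

    secondform places $clientip$ and $eventtype$ unquoted into SPL, so only
    values of the expected shape should ever be put into the link.
    """
    t = row["time"]
    if not re.fullmatch(r"\d+(\.\d+)?", t):
        raise ValueError(f"time is not an epoch value: {t!r}")
    # ip_address() raises ValueError on anything that is not a literal IP.
    ip = str(ipaddress.ip_address(row["clientip"]))
    et = row["eventtype"]
    if not EVENTTYPE_RE.fullmatch(et):
        raise ValueError(f"eventtype has unexpected characters: {et!r}")
    return {"time": t, "clientip": ip, "eventtype": et}


def drilldown_url(row, base="/app/search/secondform"):
    """Build the secondform URL with validated, percent-encoded parameters."""
    clean = validate_row(row)
    epoch = int(float(clean["time"]))
    params = {
        "_time": clean["time"],
        "clientip": clean["clientip"],
        "eventtype": clean["eventtype"],
        # Bound the second search to the event's own second (earliest inclusive,
        # latest exclusive) instead of earliestTime=0 over the whole index.
        "earliest": epoch,
        "latest": epoch + 1,
    }
    return base + "?" + urlencode(params)
```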

aweitzman
Motivator

You might be able to figure out how the sid and offset come through on the main search page by reading the search app's Python code, and then figure out a way to parlay that information into the thing you want. I'm the kind of person that never says never, so good luck!


aweitzman
Motivator

"Show Source" runs your search again (by sid) and picks off the offset number based on which entry you clicked on.

Go to a "Show Source" page and replace "show_source" with "flashtimeline" in the URL. You'll see that it runs your search again, but ignores the "offset" parameter - it gives you all the same data as before. So even if you could gather the sid and offset from a table in a dashboard (and there's no obvious way to do so), I'm not convinced you could get the result you want with them anyways.


kyleharrison
Path Finder

How does "Show Source" work then? That knows how to highlight the specific event you ran the workflow from.

Looking at the workflow configuration, it uses $@sid$ from the _cd field, could that be used?


aweitzman
Motivator

There isn't really any way to get your search result without searching for it again. It's not like Splunk assigns an ID to your entry which would then be available to you in the search results, which you could then hook onto. All Splunk knows are the fields and values you gave it.

And since each table is customized, then yes, there's no "generic" way to do what you want.


somesoni2
SplunkTrust

There is no concept of a unique identifier for each event. You need to figure out which fields (within the logs + Splunk defaults) will make an event unique and pass all those values in the drilldown.


kyleharrison
Path Finder

Reading this, I'm assuming the only way to identify an event is by using the custom fields and time of that event, and there doesn't exist a generic way of uniquely identifying an event?

i.e., I shouldn't have to search for it over a period of time, as I already know the event I'm looking for.


kyleharrison
Path Finder

@somesoni2 - Splunk 6.0 and simple xml if possible.

@aweitzman - Time doesn't work for me because we can have multiple events with the exact same timestamp (to the millisecond)


aweitzman
Motivator

The simple dashboards I've built do this automatically as long as the time is in the first column. Is that not working for you? What happens instead?


somesoni2
SplunkTrust

Splunk version? Advanced xml or Simple xml?
