I have a dashboard which has a table of events.
I want to create a drilldown from the row to another dashboard which just shows information from that 1 event.
What is the best way of uniquely identifying that event?
N.B. this is purely an example, not the real data. The reason being, I would like a generic way of achieving this if possible.
e.g. Dashboard 1 shows "index=_internal | table _time,clientip,eventtype":
_time,clientip,eventtype
10:00,10.1.1.1,access
11:00,10.01.1.1,access
Each row of the table is 1 event.
When I click on the row "10:00", the next dashboard will have a panel with the raw event from just that event.
Not sure if I explained clearly, so I'm happy to clarify.
Try this sample implementation.
First form (name: simplexmldrilldown)
```xml
<dashboard>
  <label>SimpleXmlDrilldown</label>
  <row>
    <table>
      <!-- eval copies _time into a plain field so the row token $row.time$ carries the epoch value -->
      <searchString>index=_internal clientip=* eventtype=* | eval time=_time | table time,clientip,eventtype</searchString>
      <earliestTime>-15m</earliestTime>
      <latestTime>now</latestTime>
      <drilldown>
        <!-- every field shown in the row, plus the search time range, is passed to the second form as URL parameters -->
        <link>
          <![CDATA[ /app/search/secondform?_time=$row.time$&clientip=$row.clientip$&eventtype=$row.eventtype$&earliest=$earliest$&latest=$latest$ ]]>
        </link>
      </drilldown>
    </table>
  </row>
</dashboard>
```
Second form (name: secondform)
```xml
<dashboard>
  <label>SecondForm</label>
  <description/>
  <row>
    <event>
      <title>DrilldownEvent</title>
      <!-- the URL parameters from the first form become tokens; all of them are used to narrow the search to the one event -->
      <searchString>index=_internal _time="$_time$" clientip=$clientip$ eventtype=$eventtype$ earliest=$earliest$ latest=$latest$</searchString>
      <earliestTime>0</earliestTime>
      <latestTime>now</latestTime>
      <fields>["host","source","sourcetype"]</fields>
    </event>
  </row>
</dashboard>
```
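The two forms above substitute the raw row values straight into the link and then into the second search string, so a value containing a space, a quote or an `&` would break the URL or change the meaning of the search. The following is an added example, not code from the page or from Splunk: a small Python builder that produces the same drilldown URL and the same second-form search, but URL-encodes the link parameters and quotes each value for SPL (backslash and double quote escaped). The row values, the path `/app/search/secondform` and the field set are assumptions taken from the answer above.

```python
"""Build the drilldown link and the second form's search from one table
row, mirroring the Simple XML above but with proper encoding.

Added example, not the page's or Splunk's code.  The path, field names
and sample rows are assumptions taken from the answer above.
"""
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Fields that together identify one event in this table: the epoch
# timestamp plus every column the table shows.  Splunk exposes no unique
# event id to a dashboard, so the drilldown has to carry all of them.
ID_FIELDS = ("_time", "clientip", "eventtype")

# Relative/absolute time modifiers as used in the forms ("-15m", "now",
# "@d", "1393891200", "03/04/2014:00:00:00").  Anything else is rejected
# rather than pasted into the search.
TIME_MODIFIER = re.compile(r"^[\w@+\-/:.]+$")


def spl_quote(value: str) -> str:
    """Quote a value for field=value in SPL.  Escapes backslash and double
    quote so a value such as  10.1.1.1" OR index=*  stays one literal."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def drilldown_url(row: dict, earliest: str, latest: str) -> str:
    """Equivalent of the <link> in the first form, with every parameter
    URL-encoded (urlencode turns '"' into %22, space into '+', etc.)."""
    params = {field: str(row[field]) for field in ID_FIELDS}
    params["earliest"] = earliest
    params["latest"] = latest
    return "/app/search/secondform?" + urlencode(params)


def parse_drilldown(url: str) -> dict:
    """What the second form receives as its tokens: the query string,
    decoded back to the original values."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def event_search(tokens: dict) -> str:
    """Equivalent of the <searchString> in the second form.  Every
    identifying value is quoted; the time modifiers are validated."""
    for name in ("earliest", "latest"):
        if not TIME_MODIFIER.match(tokens[name]):
            raise ValueError(f"bad time modifier for {name}: {tokens[name]!r}")
    terms = ["index=_internal"]
    terms += [f"{field}={spl_quote(tokens[field])}" for field in ID_FIELDS]
    terms += [f"earliest={tokens['earliest']}", f"latest={tokens['latest']}"]
    return " ".join(terms)


def round_trip(row: dict, earliest: str = "-15m", latest: str = "now") -> str:
    """Row -> drilldown URL -> tokens -> second-form search."""
    return event_search(parse_drilldown(drilldown_url(row, earliest, latest)))


if __name__ == "__main__":
    # Constructed sample rows, shaped like the _internal example above.
    clean = {"_time": 1393891200, "clientip": "10.1.1.1", "eventtype": "access"}
    hostile = {"_time": 1393891200, "clientip": '10.1.1.1" OR index=*', "eventtype": "access"}
    print(drilldown_url(clean, "-15m", "now"))
    print(round_trip(clean))
    print(round_trip(hostile))
```

With the clean row the result is the same search the second form runs; with the hostile row the `clientip` value stays inside one quoted literal instead of becoming an extra `OR index=*` clause. In newer Simple XML the same quoting is available on the token itself as `$clientip|s$`, and URL encoding as `$row.clientip|u$`; the legacy `<searchString>` form shown above has no such filters, which is why the encoding has to be done by whatever builds the link.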
You might be able to figure out how the sid and offset come through on the main search page by reading the search app's Python code, and then figure out a way to parlay that information into the thing you want. I'm the kind of person that never says never, so good luck!
"Show Source" runs your search again (by sid) and picks off the offset number based on which entry you clicked on.
Go to a "Show Source" page and replace "show_source" with "flashtimeline" in the URL. You'll see that it runs your search again, but ignores the "offset" parameter - it gives you all the same data as before. So even if you could gather the sid and offset from a table in a dashboard (and there's no obvious way to do so), I'm not convinced you could get the result you want with them anyways.
How does "Show Source" work then? That knows how to highlight the specific event you ran the workflow from.
Looking at the workflow configuration, it uses $@sid$ from the _cd field, could that be used?
There isn't really any way to get your search result without searching for it again. It's not like Splunk assigns an ID to your entry which would then be available to you in the search results, which you could then hook onto. All Splunk knows are the fields and values you gave it.
And since each table is customized, yes, there's no "generic" way to do what you want.
There is no concept of a unique identifier for each event. You need to figure out which fields (from the log plus Splunk defaults) together make an event unique, and pass all those values in the drilldown.
Reading this, I'm assuming the only way to identify an event is by using the custom fields and time of that event, and there doesn't exist a generic way of uniquely identifying an event?
i.e., I shouldn't have to search for it over a period of time, as I already know the event I'm looking for.