Dashboards & Visualizations

Drilldown question from UI Examples dashboard (panel_row7)

aputz
Path Finder

Hello, I'm having difficulty implementing the drilldown from the example UI dashboard. The search itself works on its own, but this is my first stab at drilldowns and I've hit a wall. After I select a severity from the column chart, I am told my drilldown table finishes without any results. Any help is appreciated; I've pasted my code below. Thanks!

<module name="HiddenSearch" autoRun="True" layoutPanel="panel_row1_col1_grp1">
  <param name="search">sourcetype="pan_threat" subtype="spyware" | chart count by severity</param>
  <module name="HiddenChartFormatter">
    <param name="chart">column</param>
    <param name="chartTitle">Count by Severity</param>
    <param name="legend.placement">none</param>
    <param name="primaryAxisTitle.text">Time</param>
    <param name="secondaryAxisTitle.text">Count</param>
    <module name="JobProgressIndicator"/>
    <module name="FlashChart">
      <param name="width">100%</param>
      <param name="height">200px</param>
      <param name="enableResize">False</param>
      <module name="HiddenSearch">
        <param name="search">sourcetype="pan_threat" subtype="spyware" | top 10 threatid</param>
        <param name="earliest">-1h</param>
        <!-- this module will grab the value we clicked on and put it in as a searchterm, severity="someSourcetype". -->
        <module name="ConvertToIntention" layoutPanel="panel_row1_col1_grp2">
          <param name="intention">
            <param name="name">addterm</param>
            <param name="arg">
              <param name="severity">$click.value$</param>
            </param>
          </param>
          <!-- finally, we render the search in another FlashChart, and we throw in a JobProgressIndicator for good measure. -->
          <module name="JobProgressIndicator"></module>
          <!-- We throw in a header so we can tell the user what they clicked on. -->
          <module name="SimpleResultsHeader">
            <param name="entityName">results</param>
            <param name="headerFormat">Top Threats for Severity=$click.value$</param>
          </module>
          <module name="SimpleResultsTable">
            <param name="displayRowNumbers">False</param>
            <param name="drilldown">row</param>
            <param name="entityName">results</param>
            <module name="ViewRedirector">
              <param name="viewTarget">flashtimeline</param>
            </module>
          </module>
        </module>
      </module>
    </module>
    <module name="SimpleResultsTable">
      <param name="displayRowNumbers">False</param>
      <param name="drilldown">row</param>
      <param name="entityName">results</param>
      <module name="ViewRedirector">
        <param name="viewTarget">flashtimeline</param>
      </module>
    </module>
  </module>
</module>
1 Solution

thall79
Communicator

Is there a field created called threatid when you run your search?

Travis.


thall79
Communicator

Funny how the simple things can throw everything off. Glad I could help. Travis.


aputz
Path Finder

Ahh, there we go. It was the "earliest" line conflicting with my TimeRangePicker, which controls all the above code. Thanks Travis.


thall79
Communicator

Something else I spotted was the time frame you are using. I am not sure if you are using a TimeRangePicker module, but on the first HiddenSearch there was no time range set, and then on the second HiddenSearch you have `<param name="earliest">-1h</param>`. I cleared that out and used a TimeRangePicker module to control both searches. Travis.

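The layout Travis describes, written out as an added example (this is not the original poster's dashboard and not Splunk's UI Examples code): a single TimeRangePicker sits above the first HiddenSearch and owns the time range for every search nested under it, the hard-coded `earliest` param is removed from the drilldown HiddenSearch so it inherits that range instead of overriding it, and the rest of the chain (HiddenChartFormatter, FlashChart, ConvertToIntention with an `addterm` intention, SimpleResultsHeader, SimpleResultsTable, ViewRedirector) is kept as in the question. The view label, the `Last 24 hours` default, the AccountBar/AppBar/Message header modules and the axis title are assumptions; the base search, field names and layoutPanel ids are the ones from the question.

```xml
<view template="dashboard.html">
  <label>Spyware severity drilldown</label>
  <!-- Standard app header modules; assumed, not part of the original post. -->
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>

  <!-- One TimeRangePicker at the top of the chain. autoRun moves here from
       the HiddenSearch so the picker dispatches the first search on load.
       Every HiddenSearch nested below inherits this range because none of
       them sets earliest/latest params of its own. -->
  <module name="TimeRangePicker" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="selected">Last 24 hours</param>
    <param name="searchWhenChanged">True</param>

    <module name="HiddenSearch" layoutPanel="panel_row1_col1_grp1">
      <param name="search">sourcetype="pan_threat" subtype="spyware" | chart count by severity</param>
      <module name="HiddenChartFormatter">
        <param name="chart">column</param>
        <param name="chartTitle">Count by Severity</param>
        <param name="legend.placement">none</param>
        <!-- The x axis is severity, not time; title assumed to match the chart. -->
        <param name="primaryAxisTitle.text">Severity</param>
        <param name="secondaryAxisTitle.text">Count</param>
        <module name="JobProgressIndicator"/>
        <module name="FlashChart">
          <param name="width">100%</param>
          <param name="height">200px</param>
          <param name="enableResize">False</param>

          <!-- Drilldown search. No earliest param here: that is the fix.
               ConvertToIntention appends severity="<clicked value>" to the
               search string before it is dispatched. -->
          <module name="HiddenSearch">
            <param name="search">sourcetype="pan_threat" subtype="spyware" | top 10 threatid</param>
            <module name="ConvertToIntention" layoutPanel="panel_row1_col1_grp2">
              <param name="intention">
                <param name="name">addterm</param>
                <param name="arg">
                  <param name="severity">$click.value$</param>
                </param>
              </param>
              <module name="JobProgressIndicator"/>
              <module name="SimpleResultsHeader">
                <param name="entityName">results</param>
                <param name="headerFormat">Top Threats for Severity=$click.value$</param>
              </module>
              <module name="SimpleResultsTable">
                <param name="displayRowNumbers">False</param>
                <param name="drilldown">row</param>
                <param name="entityName">results</param>
                <module name="ViewRedirector">
                  <param name="viewTarget">flashtimeline</param>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</view>
```

If the drilldown table still comes back empty after this change, run the drilldown search by hand over the same time range the picker shows (`sourcetype="pan_threat" subtype="spyware" severity="<value>" | top 10 threatid`) and confirm that `threatid` is actually extracted for those events, which is the first thing Travis asked about.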

thall79
Communicator

OK, because I was able to take your XML and use a sourcetype for IIS that would work with my searches, and get a flash chart with a table of the results below that match the flash chart. Then, when I click on something in the flash chart, another table populates with the top 10 c_ip. That's why I wondered if you were getting events under the threatid field. And my transforms.conf uses comma-delimited expressions for my IIS sourcetype. What version of Splunk are you using? Is there a "More info..." link beside the "No results found"? Travis.


aputz
Path Finder

threatid is a field that is created in our transforms.conf file via comma-delimited expressions. So no, the field already exists before the search.
