Hello, I'm having difficulty implementing the drilldown from the example UI dashboard. The search itself works on its own, but this is my first stab at drilldowns and I've hit a wall. After I select a severity from the column chart, I am told my drilldown table finishes without any results. Any help is appreciated; I've pasted my code below. Thanks!
<module name="HiddenSearch" autoRun="True" layoutPanel="panel_row1_col1_grp1">
  <param name="search">sourcetype="pan_threat" subtype="spyware" | chart count by severity</param>
  <module name="HiddenChartFormatter">
    <param name="chart">column</param>
    <param name="chartTitle">Count by Severity</param>
    <param name="legend.placement">none</param>
    <param name="primaryAxisTitle.text">Time</param>
    <param name="secondaryAxisTitle.text">Count</param>
    <module name="JobProgressIndicator"/>
    <module name="FlashChart">
      <param name="width">100%</param>
      <param name="height">200px</param>
      <param name="enableResize">False</param>
      <module name="HiddenSearch">
        <param name="search">sourcetype="pan_threat" subtype="spyware" | top 10 threatid</param>
        <param name="earliest">-1h</param>
        <!-- this module will grab the value we clicked on and put it in as a searchterm, severity="someSourcetype". -->
        <module name="ConvertToIntention" layoutPanel="panel_row1_col1_grp2">
          <param name="intention">
            <param name="name">addterm</param>
            <param name="arg">
              <param name="severity">$click.value$</param>
            </param>
          </param>
          <!-- finally, we render the search in another FlashChart, and we throw in a JobProgressIndicator for good measure. -->
          <module name="JobProgressIndicator"></module>
          <!-- We throw in a header so we can tell the user what they clicked on. -->
          <module name="SimpleResultsHeader">
            <param name="entityName">results</param>
            <param name="headerFormat">Top Threats for Severity=$click.value$</param>
          </module>
          <module name="SimpleResultsTable">
            <param name="displayRowNumbers">False</param>
            <param name="drilldown">row</param>
            <param name="entityName">results</param>
            <module name="ViewRedirector">
              <param name="viewTarget">flashtimeline</param>
            </module>
          </module>
        </module>
      </module>
    </module>
    <module name="SimpleResultsTable">
      <param name="displayRowNumbers">False</param>
      <param name="drilldown">row</param>
      <param name="entityName">results</param>
      <module name="ViewRedirector">
        <param name="viewTarget">flashtimeline</param>
      </module>
    </module>
  </module>
</module>
Is there a field created called threatid when you run your search?
Travis.

threatid is a field that is created in our transforms.conf file via comma-delimited expressions. So no, the field already exists before the search.

OK, because I was able to take your XML, use a sourcetype for IIS that would work with my searches, and get a flash chart with a table of the results below that match the flash chart. Then when I click on something in the flash chart, another table populates with the top 10 c_ip. That's why I wondered if you were getting events under the threatid field. And my transforms.conf uses comma-delimited expressions for my IIS sourcetype. What version of Splunk are you using? Is there a "More info..." link beside the "No results found"? Travis.

Something else I spotted was the time frame you are using. I am not sure if you are using a TimeRangePicker module, but on the first HiddenSearch there was no time range set, and then on the second HiddenSearch you have earliest set to -1h. I cleared that out and used a TimeRangePicker module to control both searches. Travis.

Ahh, there we go: it was the "earliest" line conflicting with my TimeRangePicker, which controls all the above code. Thanks Travis.

Funny how the simple things can throw everything off. Glad I could help. Travis.