Hello, I'm having difficulty implementing the drilldown from the example UI dashboard. The search itself works on its own but this is my first stab at drilldowns and I've hit a wall. After I select a severity from the column chart I am told my drilldown table finishes without any results. Any help is appreciated, I've pasted my code below. Thanks!
  <module name="HiddenSearch" autoRun="True" layoutPanel="panel_row1_col1_grp1">
    <param name="search">sourcetype="pan_threat" subtype="spyware" | chart count by severity</param>
    <module name="HiddenChartFormatter">
      <param name="chart">column</param>
      <param name="chartTitle">Count by Severity</param>
      <param name="legend.placement">none</param>
      <param name="primaryAxisTitle.text">Time</param>
      <param name="secondaryAxisTitle.text">Count</param>
      <module name="JobProgressIndicator"/>
      <module name="FlashChart">
        <param name="width">100%</param>
        <param name="height">200px</param>
        <param name="enableResize">False</param>
        <module name="HiddenSearch">
          <param name="search">sourcetype="pan_threat" subtype="spyware" | top 10 threatid</param>
          <param name="earliest">-1h</param>
          <!-- this module will grab the value we clicked on and put it in as a searchterm,   severity="someSourcetype".   -->
          <module name="ConvertToIntention" layoutPanel="panel_row1_col1_grp2">
            <param name="intention">
              <param name="name">addterm</param>
              <param name="arg">
                <param name="severity">$click.value$</param>
              </param>
            </param>
            <!-- finally, we render the search in another FlashChart, and we throw in a JobProgressIndicator for good measure. -->
            <module name="JobProgressIndicator"></module>
            <!-- We throw in a header so we can tell the user what they clicked on. -->
            <module name="SimpleResultsHeader">
              <param name="entityName">results</param>
              <param name="headerFormat">Top Threats for Severity=$click.value$</param>
            </module>
            <module name="SimpleResultsTable">
              <param name="displayRowNumbers">False</param>
              <param name="drilldown">row</param>
              <param name="entityName">results</param>
              <module name="ViewRedirector">
                <param name="viewTarget">flashtimeline</param>
              </module>
            </module>
          </module>
        </module>
      </module>          
      <module name="SimpleResultsTable">
        <param name="displayRowNumbers">False</param>
        <param name="drilldown">row</param>
        <param name="entityName">results</param>
        <module name="ViewRedirector">
          <param name="viewTarget">flashtimeline</param>
        </module>
      </module>
    </module>
  </module>
Is there a field created called threatid when you run your search?
Travis.
Funny how the simple things can throw everything off. Glad I could help. Travis.
Ahh there we go, it was the "earliest" line conflicting with my TimeRangePicker that controls all the above code. Thanks Travis.
Something else I spotted was the time frame you are using. I am not sure if you are using a TimeRangePicker module but on the first HiddenSearch there was no time range set and then on the second HiddenSearch you have earliest">-1h. I cleared that out and used a TimeRangePicker module to control both searches. Travis.
Ok cause I was able to take your XML and use a sourcetype for iis that would work with my searches and get a flash chart with a table of the results below that match the flash chart. Then when I click on something in the flash chart another table populates with the top 10 c_ip. That's why I wondered if you were getting events under the threatid field. And my transforms.conf uses comma delimited expressions for my iis sourcetype. What version of Splunk are you using? Is there a More info... link besides the No results found? Travis.
threatid is a field that is created in our transforms.conf file via comma delimited expressions. So no, the field already exists before the search.
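A small lint for the conflict identified in this thread, added here as an example and not code from the original posts: it flags any nested HiddenSearch that hard-codes earliest/latest while sitting under a TimeRangePicker or under a parent search with different bounds. The `<view>` wrapper and the reduced sample layout are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

TIME_PARAMS = {"earliest", "latest"}

def own_bounds(module):
    """earliest/latest params set directly on this module (not on its children)."""
    return {p.get("name"): (p.text or "").strip()
            for p in module.findall("param") if p.get("name") in TIME_PARAMS}

def find_time_conflicts(view_xml):
    """Return (search, bounds, reason) for each HiddenSearch that hard-codes a time
    range under a TimeRangePicker or under a parent search with other bounds."""
    findings = []

    def walk(node, parent_bounds, under_picker):
        for module in node.findall("module"):
            name = module.get("name")
            bounds = parent_bounds
            if name == "HiddenSearch":
                own = own_bounds(module)
                search = module.findtext("param[@name='search']", "").strip()
                if own and under_picker:
                    findings.append((search, own, "overrides TimeRangePicker"))
                elif own and parent_bounds is not None and own != parent_bounds:
                    findings.append((search, own, "differs from parent search"))
                # A search without its own bounds keeps whatever it inherited.
                bounds = own or (parent_bounds or {})
            walk(module, bounds, under_picker or name == "TimeRangePicker")

    walk(ET.fromstring(view_xml), None, False)
    return findings

# Constructed sample: the thread's two searches, reduced, under a TimeRangePicker.
SAMPLE_VIEW = """
<view>
  <module name="TimeRangePicker">
    <module name="HiddenSearch">
      <param name="search">sourcetype="pan_threat" subtype="spyware" | chart count by severity</param>
      <module name="FlashChart">
        <module name="HiddenSearch">
          <param name="search">sourcetype="pan_threat" subtype="spyware" | top 10 threatid</param>
          <param name="earliest">-1h</param>
        </module>
      </module>
    </module>
  </module>
</view>
"""

if __name__ == "__main__":
    for search, bounds, reason in find_time_conflicts(SAMPLE_VIEW):
        print(f"{reason}: {bounds} on [{search}]")
```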