Hi Splunk,
I created a dashboard with various panels. Some of the panels are tables with drilldown searches that let you click on a value and open a new tab that uses the clicked value ($row.user.value$) in the new search.
However, for some reason the drilldown on one panel opens the search without populating the variable: $row.user.value$
All the other panels' drilldown searches work.
Source code of panel:
{
  "type": "splunk.table",
  "options": {
    "count": 100,
    "dataOverlayMode": "none",
    "drilldown": "none",
    "showRowNumbers": false,
    "showInternalFields": false
  },
  "dataSources": {
    "primary": "ds_aaaa"
  },
  "title": "Panel One (Last 30 Days)",
  "eventHandlers": [
    {
      "type": "drilldown.linkToSearch",
      "options": {
        "query": "index=\"winlog\" EventCode=4625 user=$row.user.value$",
        "earliest": "auto",
        "latest": "auto",
        "type": "custom",
        "newTab": true
      }
    }
  ],
  "context": {},
  "showProgressBar": false,
  "showLastUpdated": false
}
The SPL after clicking on the table value:
index="winlog" EventCode=4625 user=$row.user.value$
Why does the $row.user.value$ not populate?
I was able to fix my issue.
I simply added the "rename" function in my main table search.
| advhunt cred=all renew=True query="DeviceProcessEvents | where Timestamp > ago(30d) | where FileName has 'file.exe' | project DeviceName, FileName, ProcessCommandLine, FolderPath, AccountName" | spath input=_raw | stats count by AccountName,DeviceName | sort -count
| advhunt cred=all renew=True query="DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName has 'file.exe'
| project DeviceName, FileName, ProcessCommandLine, FolderPath, AccountName"
| spath input=_raw
| rename AccountName as user
| stats count by user,DeviceName
| sort -count
Please share the rest of the configuration, e.g. the data source with the search being used.
Table SPL:
| advhunt cred=all renew=True query="DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName has 'file.exe'
| project DeviceName, FileName, ProcessCommandLine, FolderPath, AccountName"
| spath input=_raw
| stats count by AccountName,DeviceName
| sort -count
Source Code of Panel:
{
  "type": "splunk.table",
  "options": {
    "count": 100,
    "dataOverlayMode": "none",
    "drilldown": "none",
    "showRowNumbers": false,
    "showInternalFields": false
  },
  "dataSources": {
    "primary": "ds_xxxxx"
  },
  "title": "File.exe (Last 30 Days)",
  "eventHandlers": [
    {
      "type": "drilldown.linkToSearch",
      "options": {
        "query": "| inputlookup lookuptable where field1=$row.user.value$\n| table field1, field2",
        "earliest": "auto",
        "latest": "auto",
        "type": "custom",
        "newTab": true
      }
    }
  ],
  "context": {},
  "showProgressBar": false,
  "showLastUpdated": false
}
SPL for search on click:
| inputlookup lookuptable where field1=$row.user.value$
| table field1, field2
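Added example, not from the thread: a complete Dashboard Studio definition that wires the data source to the table and takes the other route to the same fix the accepted answer describes. The row token is built from the column header the table actually shows, so instead of renaming AccountName to user in the base search, the drilldown simply references $row.AccountName.value$. The dashboard and data source ids (ds_mde_procs, viz_file_exe), the explicit 30-day time window and the title are assumptions; advhunt is the custom command from the thread, left exactly as posted. The token is also wrapped in double quotes so account names containing spaces survive the substitution into the new search.

```json
{
  "title": "Endpoint hunting (added example, ids and time window are assumptions)",
  "description": "Table drilldown that references the column the table actually has",
  "dataSources": {
    "ds_mde_procs": {
      "type": "ds.search",
      "name": "file.exe executions by account and host",
      "options": {
        "query": "| advhunt cred=all renew=True query=\"DeviceProcessEvents | where Timestamp > ago(30d) | where FileName has 'file.exe' | project DeviceName, FileName, ProcessCommandLine, FolderPath, AccountName\" | spath input=_raw | stats count by AccountName, DeviceName | sort -count",
        "queryParameters": {
          "earliest": "-30d",
          "latest": "now"
        }
      }
    }
  },
  "visualizations": {
    "viz_file_exe": {
      "type": "splunk.table",
      "title": "File.exe (Last 30 Days)",
      "dataSources": {
        "primary": "ds_mde_procs"
      },
      "options": {
        "count": 100,
        "drilldown": "none",
        "showRowNumbers": false,
        "showInternalFields": false
      },
      "eventHandlers": [
        {
          "type": "drilldown.linkToSearch",
          "options": {
            "type": "custom",
            "newTab": true,
            "earliest": "-30d",
            "latest": "now",
            "query": "index=\"winlog\" EventCode=4625 user=\"$row.AccountName.value$\" | stats count by host | sort -count"
          }
        }
      ]
    }
  },
  "layout": {
    "type": "absolute",
    "options": {
      "width": 1440,
      "height": 600
    },
    "structure": [
      {
        "item": "viz_file_exe",
        "type": "block",
        "position": {
          "x": 0,
          "y": 0,
          "w": 1440,
          "h": 500
        }
      }
    ]
  }
}
```

Two checks before relying on this. First, the field name inside $row.<field>.value$ must match the table's column header after every stats, rename or table command in the base search, which is exactly why the thread's original $row.user.value$ stayed literal: the table had AccountName, not user. Second, the token is substituted textually into the drilldown SPL (the thread's own unresolved-token screenshot shows the raw substitution), so whatever string sits in AccountName lands in the new search verbatim; quoting the token keeps spaces intact, and it is worth confirming that the AccountName values from DeviceProcessEvents use the same format as user in the winlog events, since a domain prefix present on one side but not the other would silently return nothing.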