Dashboards & Visualizations

Drilldowns in Dashboard Studio

Stiaan
Explorer

Hi Splunk, 

I created a dashboard with various panels. Some of the panels are tables with drilldown searches that let you click on a value and open a new tab with a search that uses the clicked value ($row.user.value$).

However, for some reason the drilldown on one panel opens the search without populating the variable: $row.user.value$
All the other panels' drilldown searches work.

Source code of panel:

 

{
    "type": "splunk.table",
    "options": {
        "count": 100,
        "dataOverlayMode": "none",
        "drilldown": "none",
        "showRowNumbers": false,
        "showInternalFields": false
    },
    "dataSources": {
        "primary": "ds_aaaa"
    },
    "title": "Panel One (Last 30 Days)",
    "eventHandlers": [
        {
            "type": "drilldown.linkToSearch",
            "options": {
                "query": "index=\"winlog\" EventCode=4625 user=$row.user.value$",
                "earliest": "auto",
                "latest": "auto",
                "type": "custom",
                "newTab": true
            }
        }
    ],
    "context": {},
    "showProgressBar": false,
    "showLastUpdated": false
}

 


The SPL after clicking on the table value:
index="winlog" EventCode=4625 user=$row.user.value$

Why does the $row.user.value$ not populate?

0 Karma
1 Solution

Stiaan
Explorer

I was able to fix my issue.

I simply added the "rename" function in my main table search.

Original table search:

| advhunt cred=all renew=True query="DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName has 'file.exe'
| project DeviceName, FileName, ProcessCommandLine, FolderPath, AccountName"
| spath input=_raw
| stats count by AccountName,DeviceName
| sort -count

Table search with rename added:

| advhunt cred=all renew=True query="DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName has 'file.exe'
| project DeviceName, FileName, ProcessCommandLine, FolderPath, AccountName"
| spath input=_raw
| rename AccountName as user
| stats count by user,DeviceName
| sort -count

 

0 Karma
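Why the rename works, and a way to catch the same mistake elsewhere in a dashboard. This is an added example, not code from this thread or from Splunk; the data source id, visualization id and the quoting of the drilldown token are assumptions. Dashboard Studio substitutes $row.<field>.value$ from the columns of the clicked row, and the table's search ends in `stats count by AccountName,DeviceName`, so each row carries exactly count, AccountName and DeviceName. There is no column named user, so the token is left as literal text in the new search, which is what the "SPL after clicking" above shows. Renaming the field to user is one fix; referencing the column that does exist, $row.AccountName.value$, is the other. The script below takes a definition of the shape posted above (one ds.search data source feeding a splunk.table with a drilldown.linkToSearch handler), works out which columns each panel's search returns, and reports any row token a drilldown references that the search does not produce:

```python
"""Static check for Dashboard Studio drilldowns: does every $row.<field>.value$ token
in a linkToSearch handler name a column the panel's search really returns? Added
example, not Splunk's code; dashboard ids and the quoted drilldown token are assumed."""
from __future__ import annotations

import re

# Dashboard Studio row token, e.g. $row.user.value$ (field name in group 1).
TOKEN_RE = re.compile(r"\$row\.(\w+)\.value\$")


def split_pipeline(spl: str) -> list[str]:
    """Split SPL on '|' that sit outside double quotes: the advhunt query="..." argument
    carries KQL pipes of its own, which must stay inside that one stage."""
    # A pipe is a stage separator only if an even number of quotes follows it
    # (escaped quotes inside strings are not handled; none occur in this thread).
    stages = re.split(r'\|(?=(?:[^"]*"[^"]*")*[^"]*$)', spl)
    return [s.strip() for s in stages if s.strip()]


def output_fields(spl: str) -> list[str] | None:
    """Heuristically track the columns a search returns. None means unknown: after a
    generating command such as advhunt (or spath) the field set is not knowable
    statically. Only stats, rename and table are modelled (enough for this thread)."""
    fields: list[str] | None = None
    for stage in split_pipeline(spl):
        cmd, _, rest = stage.partition(" ")
        cmd = cmd.lower()
        if cmd == "stats":  # output is exactly the aggregations plus the by-fields
            parts = re.split(r"\s+by\s+", rest, maxsplit=1, flags=re.I)
            aggs, by = parts[0], (parts[1] if len(parts) > 1 else "")
            fields = []
            for agg in aggs.split(","):
                m = re.fullmatch(r"(.+?)(?:\s+as\s+(\w+))?", agg.strip(), re.I)
                fields.append(m.group(2) or m.group(1))
            fields += [f for f in re.split(r"[,\s]+", by) if f]
        elif cmd == "rename" and fields is not None:
            for old, new in re.findall(r"(\S+)\s+as\s+(\S+)", rest, flags=re.I):
                fields = [new.strip(",") if f == old.strip(",") else f for f in fields]
        elif cmd == "table":
            fields = [f for f in re.split(r"[,\s]+", rest) if f]
    return fields


def check_drilldowns(definition: dict) -> dict[str, list[str]]:
    """Map visualization id -> row fields its drilldown references but its primary
    data source does not produce. An empty dict means every token resolves."""
    problems: dict[str, list[str]] = {}
    for viz_id, viz in definition.get("visualizations", {}).items():
        ds_id = viz.get("dataSources", {}).get("primary")
        cols = output_fields(definition["dataSources"][ds_id]["options"].get("query", ""))
        if cols is None:
            continue  # field set unknown; do not raise false positives
        missing: list[str] = []
        for handler in viz.get("eventHandlers", []):
            if handler.get("type") != "drilldown.linkToSearch":
                continue
            for name in TOKEN_RE.findall(handler["options"].get("query", "")):
                if name not in cols and name not in missing:
                    missing.append(name)
        if missing:
            problems[viz_id] = missing
    return problems


def make_definition(search: str, drilldown_query: str) -> dict:
    """One ds.search data source feeding one table with a linkToSearch drilldown,
    the shape shown in the thread (ids assumed)."""
    handler = {"type": "drilldown.linkToSearch", "options": {
        "type": "custom", "query": drilldown_query,
        "earliest": "auto", "latest": "auto", "newTab": True}}
    return {
        "dataSources": {"ds_file_exe": {"type": "ds.search", "options": {"query": search}}},
        "visualizations": {"viz_file_exe": {
            "type": "splunk.table", "title": "File.exe (Last 30 Days)",
            "dataSources": {"primary": "ds_file_exe"}, "eventHandlers": [handler]}},
    }


# The thread's searches, constructed inline: the only difference is the rename.
BASE_SEARCH = (
    '| advhunt cred=all renew=True query="DeviceProcessEvents\n'
    "| where Timestamp > ago(30d)\n"
    "| where FileName has 'file.exe'\n"
    '| project DeviceName, FileName, ProcessCommandLine, FolderPath, AccountName"\n'
    "| spath input=_raw\n"
)
BROKEN_SEARCH = BASE_SEARCH + "| stats count by AccountName,DeviceName\n| sort -count"
FIXED_SEARCH = BASE_SEARCH + "| rename AccountName as user\n| stats count by user,DeviceName\n| sort -count"
# Token quoted so an account name containing a space stays one search term.
DRILLDOWN = 'index="winlog" EventCode=4625 user="$row.user.value$"'

if __name__ == "__main__":
    print("before rename:", check_drilldowns(make_definition(BROKEN_SEARCH, DRILLDOWN)))
    print("after rename: ", check_drilldowns(make_definition(FIXED_SEARCH, DRILLDOWN)))
```

Run as-is it reports user as unresolvable for the original search and nothing for the search with the rename. To check a real dashboard, load the JSON from the Source code view and pass it to check_drilldowns. The field tracking is deliberately narrow: it understands stats, rename and table, and reports nothing when the field set is unknown, for example straight after a custom generating command such as advhunt with no stats behind it. The drilldown query here quotes the token, user="$row.user.value$", because an unquoted value containing a space would be split into two search terms.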

ITWhisperer
SplunkTrust
SplunkTrust

Please share the rest of the configuration, e.g. the data source with the search being used.

0 Karma

Stiaan
Explorer

Table SPL:

| advhunt cred=all renew=True query="DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName has 'file.exe'
| project DeviceName, FileName, ProcessCommandLine, FolderPath, AccountName"
| spath input=_raw
| stats count by AccountName,DeviceName
| sort -count


Source Code of Panel:

{
    "type": "splunk.table",
    "options": {
        "count": 100,
        "dataOverlayMode": "none",
        "drilldown": "none",
        "showRowNumbers": false,
        "showInternalFields": false
    },
    "dataSources": {
        "primary": "ds_xxxxx"
    },
    "title": "File.exe (Last 30 Days)",
    "eventHandlers": [
        {
            "type": "drilldown.linkToSearch",
            "options": {
                "query": "| inputlookup lookuptable where field1=$row.user.value$\n| table field1, field2",
                "earliest": "auto",
                "latest": "auto",
                "type": "custom",
                "newTab": true
            }
        }
    ],
    "context": {},
    "showProgressBar": false,
    "showLastUpdated": false
}


SPL for search on click:

| inputlookup lookuptable where field1=$row.user.value$
| table field1, field2



0 Karma