Dashboards & Visualizations

How do you customize a drill-down to open based on which column is clicked on?

DEAD_BEEF
Builder

A statistics table within my dashboard counts the total number of hosts who have a hostname (Named) and total number of blanks (Blank).

I enabled the drill-down and when you click on either value, it just opens the existing query that shows all hosts, those with and without hostnames. I want to set it so that if the user clicks on the values under Named or Blank, then it only searches for those. I'm trying to do it via tokens, but I'm not sure how to pass the column name (Named or Blank) to append to the custom drilldown query | search $clicked_column$

sample data

host       hostname
1.1.1.1    host-1.com
2.2.2.2
3.3.3.3    host-3.com
4.4.4.4    host-4.com
5.5.5.5

SPL

| tstats count where index=network by host 
| lookup dnslookup clientip as host OUTPUT clienthost as hostname
| stats count(eval(isnull(hostname))) AS Blank count(eval(isnotnull(hostname))) AS Named 

output

Named    Blank
3        2

desired click on 3 (Named column)

host       hostname
1.1.1.1    host-1.com
3.3.3.3    host-3.com
4.4.4.4    host-4.com

desired click on 2 (Blank column)

host       hostname
2.2.2.2
5.5.5.5
0 Karma
1 Solution

whrg
Motivator

Hello again @DEAD_BEEF!
I would change the statistics table to the following:

| tstats count where index=network by host 
| lookup dnslookup clientip as host OUTPUT clienthost as hostname
| eval Type=if(isnull(hostname),"Blank","Named")
| stats count by Type

The statistics table will now look as follows:

Type        count
Blank       2
Named       3

Then you add a drilldown (Link to search) as follows:

| tstats count where index=network by host 
| lookup dnslookup clientip as host OUTPUT clienthost as hostname
| eval Type=if(isnull(hostname),"Blank","Named")
| search Type="$click.value$"
| table host,hostname,Type

Check out this page: Predefined drilldown tokens

EDIT: Instead of displaying a statistics table, you could use two single-value panels: One for Blank and one for Named. I think that makes the dashboard more visually appealing. Also add a drilldown to each single-value panel.

DEAD_BEEF
Builder

Hey @whrg! I like the idea of using two single-value panels. I'll try messing around with that and see if I can get it to work. The big thing is the existing layout of panels on the dashboard.

Currently there are 4 panels in 1 row across my dashboard (the named/blank) being #2.
[1] [2] [3] [4]

If I can break up the named/blank into two single values BUT display them such that they take up the same spaces "stacked vertically" as [2] then it would be perfect, visually nicer, and make the drilldown simpler.

I'll try a bit and post back.

0 Karma

DEAD_BEEF
Builder

Alright, so two single-value panels wouldn't stack vertically (at least not by default, maybe doable in XML?). So, what I did was take your query and then trellis by Type and that made two single-values on one panel. Looks much better than the plain table and the click for each one is working as intended. Good thinking! Thanks again for all the help.

0 Karma

whrg
Motivator

Your XML should look similar to this:
[panel][single]...[/single][/panel][panel][single]...[/single][/panel]
Remove [/panel][panel] between the two single sections.

DEAD_BEEF
Builder

It worked and looks better than the trellis! Thank you so much for all the assistance.

0 Karma
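
For the two-column table in the original question (Named and Blank), the clicked column can also select the drilldown directly. This is an added example, not code posted in the thread: a Simple XML sketch in which the `host_filter` token name, the dashboard label, the 24-hour time range and the in-page detail panel (instead of Link to search) are assumptions. Because each `<condition>` sets a constant filter, no text from the clicked cell is substituted into the drilldown query.

```xml
<dashboard>
  <label>Hostname coverage</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| tstats count where index=network by host
| lookup dnslookup clientip as host OUTPUT clienthost as hostname
| stats count(eval(isnull(hostname))) AS Blank count(eval(isnotnull(hostname))) AS Named</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <!-- The clicked column picks a constant filter; no cell text enters the query -->
          <condition field="Named">
            <set token="host_filter">isnotnull(hostname)</set>
          </condition>
          <condition field="Blank">
            <set token="host_filter">isnull(hostname)</set>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <!-- Hidden until a cell is clicked and host_filter (assumed name) is set -->
    <panel depends="$host_filter$">
      <table>
        <search>
          <query>| tstats count where index=network by host
| lookup dnslookup clientip as host OUTPUT clienthost as hostname
| where $host_filter$
| table host, hostname</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```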