Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to drill down from a Splunk dashboard to an external URL?

clarkwh2
Explorer
‎10-05-2016 02:20 PM

I am working on a custom dashboard for one of our security tools that doesn't need anything fancy like it's own app. All I want to do is be able to "drilldown" on an event and have that take me to an external tool's url. Currently my xml for the dashboard looks something like this:

<search>
          <query>index=tool earliest=1@d | table user score url | sort -score</query>
          <fields>user, score</fields>
          <earliest>0</earliest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <drilldown target="_blank">
          <link>
            <![CDATA[ $row.url$ ]]>
          </link>

In the XML above, when I click on an event, it captures the url from the log, but it appends it to the Splunk url. How to I get it to just open the url? I have been working on this for a couple of days so any help is much appreciated!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-05-2016 02:39 PM

Here is a runanywhere sample, you can copy this and try it. In the drilldown, I remove the "http" string and hardcode the protocol string in the link

<dashboard>
  <label>Test Dashboard</label>
  <row>
    <panel>
      <table>
        <title></title>
        <search>
          <query>| makeresults | eval url="http://www.splunk.com" | table *</query>
        </search>
        <drilldown>
          <eval token="u">replace($row.url$, "http://", ""</eval>
          <link target="_blank">
            <![CDATA[ http://$u$ ]]>
          </link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

View solution in original post

Reply
Solved! Jump to solution

wschulze
Explorer
‎06-09-2017 07:47 AM
  1. use the link tag
  2. $click.value2|n$ -note- the pipe n takes the token w/o escaping special characters
Reply
Solved! Jump to solution

riddellkevin
New Member
‎02-04-2020 05:10 PM

This works! Thanks.

0 Karma
Reply
Solved! Jump to solution

TonyLeeVT
Builder
‎11-29-2018 07:43 AM

This worked great! Thank you. 🙂

Reply
Solved! Jump to solution

mgarciar
Path Finder
‎11-12-2019 10:39 AM

This is the answer

0 Karma
Reply
Solved! Jump to solution

simpkins1958
Contributor
‎10-06-2016 12:29 PM

I also can't get drilldown to external URL to work. The field ConsoleUrl has the entire url. Using it does not work. Tried removing the https:// and then hard coding it into the drill down link. When clicking on a row in the table get redirected to about:blank.

I am using Splunk 6.5. Really need to get this working. Any help will be appreciated. Thanks.

      <table>
        <title>Failed Reports</title>
        <search>
          <query>sourcetype=MobileDiagnosticsReportData Status=Fail DeviceName="$device_tok$" 
               | replace "https://*" with "*" in ConsoleUrl
               | table _time DeviceName UserName Platform PhoneNumbers ProbableRootCause ReportID ConsoleUrl 
               | sort - _time
          </query>
          <earliest></earliest>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <link>
            <![CDATA[https://$row.ConsoleUrl$]]>
          </link>
        </drilldown>     
      </table>
0 Karma
Reply
Solved! Jump to solution

simpkins1958
Contributor
‎10-06-2016 12:44 PM

If I change the drill down link to hard code most of the full URL and use $row.ReportID$ the external link works fine. Something is not working correctly when the field has a full URL.

        <drilldown>
          <link target="_blank">
            <![CDATA[https://narwhal.qanmw.com:8080/MobileDiagnostics/ReportView.aspx?guid=$row.ReportID$]]>
          </link>
        </drilldown>
0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-05-2016 02:39 PM

Here is a runanywhere sample, you can copy this and try it. In the drilldown, I remove the "http" string and hardcode the protocol string in the link

<dashboard>
  <label>Test Dashboard</label>
  <row>
    <panel>
      <table>
        <title></title>
        <search>
          <query>| makeresults | eval url="http://www.splunk.com" | table *</query>
        </search>
        <drilldown>
          <eval token="u">replace($row.url$, "http://", ""</eval>
          <link target="_blank">
            <![CDATA[ http://$u$ ]]>
          </link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
Reply
Solved! Jump to solution

clarkwh2
Explorer
‎10-05-2016 02:52 PM

When I do that, it forwards me to http://%24u%24...I am guessing that that isn't what is supposed to happen?

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎10-05-2016 03:03 PM

hmmm... that's interesting. It's supposed take you to the URL. Which version of Splunk?

Try this
- remove the "http" in the main query ( eval url="www.splunk.com")
- remove the eval tag
- change link to http://$row.url$

Reply
Solved! Jump to solution

clarkwh2
Explorer
‎10-05-2016 03:14 PM

That led me down the right path. I used other information in the log to rebuild the url. Thank you!

0 Karma
Reply
Solved! Jump to solution

ChrisG
Splunk Employee
Splunk Employee
‎10-06-2016 01:17 PM

There are similar drilldown examples in the Splunk 6.x Dashboard Examples app, too.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...