I am working on a custom dashboard for one of our security tools that doesn't need anything fancy like its own app. All I want to do is be able to "drilldown" on an event and have that take me to an external tool's URL. Currently my XML for the dashboard looks something like this:
<search>
<query>index=tool earliest=1@d | table user score url | sort -score</query>
<fields>user, score</fields>
<earliest>0</earliest>
</search>
<option name="charting.chart">column</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<drilldown target="_blank">
<link>
<![CDATA[ $row.url$ ]]>
</link>
</drilldown>
In the XML above, when I click on an event, it captures the URL from the log, but it appends it to the Splunk URL. How do I get it to just open the URL? I have been working on this for a couple of days so any help is much appreciated!
Here is a run-anywhere sample; you can copy this and try it. In the drilldown, I remove the "http" string and hardcode the protocol string in the link.
<dashboard>
<label>Test Dashboard</label>
<row>
<panel>
<table>
<title></title>
<search>
<query>| makeresults | eval url="http://www.splunk.com" | table *</query>
</search>
<drilldown>
<eval token="u">replace($row.url$, "http://", "")</eval>
<link target="_blank">
<![CDATA[ http://$u$ ]]>
</link>
</drilldown>
</table>
</panel>
</row>
</dashboard>
This works! Thanks.
This worked great! Thank you. 🙂
This is the answer
I also can't get drilldown to an external URL to work. The field ConsoleUrl has the entire URL. Using it does not work. Tried removing the https:// and then hard coding it into the drilldown link. When clicking on a row in the table, I get redirected to about:blank.
I am using Splunk 6.5. Really need to get this working. Any help will be appreciated. Thanks.
<table>
<title>Failed Reports</title>
<search>
<query>sourcetype=MobileDiagnosticsReportData Status=Fail DeviceName="$device_tok$"
| replace "https://*" with "*" in ConsoleUrl
| table _time DeviceName UserName Platform PhoneNumbers ProbableRootCause ReportID ConsoleUrl
| sort - _time
</query>
<earliest></earliest>
</search>
<option name="drilldown">row</option>
<drilldown>
<link>
<![CDATA[https://$row.ConsoleUrl$]]>
</link>
</drilldown>
</table>
If I change the drill down link to hard code most of the full URL and use $row.ReportID$ the external link works fine. Something is not working correctly when the field has a full URL.
<drilldown>
<link target="_blank">
<![CDATA[https://narwhal.qanmw.com:8080/MobileDiagnostics/ReportView.aspx?guid=$row.ReportID$]]>
</link>
</drilldown>
Here is a run-anywhere sample; you can copy this and try it. In the drilldown, I remove the "http" string and hardcode the protocol string in the link.
<dashboard>
<label>Test Dashboard</label>
<row>
<panel>
<table>
<title></title>
<search>
<query>| makeresults | eval url="http://www.splunk.com" | table *</query>
</search>
<drilldown>
<eval token="u">replace($row.url$, "http://", "")</eval>
<link target="_blank">
<![CDATA[ http://$u$ ]]>
</link>
</drilldown>
</table>
</panel>
</row>
</dashboard>
When I do that, it forwards me to http://%24u%24... I am guessing that that isn't what is supposed to happen?
Hmmm... that's interesting. It's supposed to take you to the URL. Which version of Splunk?
Try this:
- remove the "http" in the main query (eval url="www.splunk.com")
- remove the eval tag
- change link to http://$row.url$
That led me down the right path. I used other information in the log to rebuild the url. Thank you!
There are similar drilldown examples in the Splunk 6.x Dashboard Examples app, too.