Dashboards & Visualizations

How to pass all results from a table through a drilldown query

elliotproebstel
Champion

I have a dashboard that displays several tables relating to the contents of emails being monitored by several security devices. One of the tables displays all of the URLs that were extracted from these emails. I've built a drilldown feature that allows analysts to click on an individual URL and open up a new tab pre-populated to search the enterprise web proxy logs for this URL using the token
$result.url$. Is there an easy way to add a link/button that will collect all of the URL values from the table and pass them to a search together?

So in addition to the existing drilldown, which creates a search like this:
index=proxy url="$result.url$"
I'd also like to be able to automatically create one like this:
index=proxy url="$result1.url$" OR url="$result2.url$" OR url="$result3.url$"...

We're on Splunk Enterprise 6.6.2, if it matters. Thanks!

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

That can be done without too much difficulty.

Basically, you will postprocess the table in advance of user action and create a token that contains the value

( ( url=value1 ) OR ( url=value2 ) ... )

...and then you will have a control that populates another token to allow the search to run and to display the panel.

I would recommend that you limit the URLs to some number of top n to avoid making a crazy slow search, but I don't see any other major issues.


Our current go-to expert for this kind of question is @niketnilay.

Niket, do you have an example of this kind of thing posted somewhere yet?

niketn
Legend

@DalJeanis, thanks for the kind words. I think this scenario can be tackled either via post-processing (if the search for the first table contains a transforming command); if not, it would be better to re-run the search with the required filter. Solutions to both have already been provided in several answers before by several experts, including you :). So we can definitely help, but we should get further details to come up with the right solution.

@elliotproebstel, can you share your existing search which displays the table with the url column? Based on the description, it seems like you need the clicked column values on drilldown when the column name is url. Once the search executes, the column values are always present and are independent of the clicked row. (On click you get the entire row's values using $row.<fieldname>$.) So what is the requirement for getting column values? Also, is it only the base search filter where you want to apply the url column values as url="url1" OR url="url2" ...? Details on how you want to use the drilldown from the first table would be helpful in assisting you with the same. If you can give the second query you want to run, that would be great.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

elliotproebstel
Champion

So I think this boils down less to a question of how to format the query and more about dashboard design. It's a pretty busy dashboard already - about 10 input fields, followed by two rows of single values (~6/row), followed by three rows of table (4/row), and then two rows that each contain one table. I share all of that just to emphasize that it's a busy page with a lot of content that's been carefully crafted to fit as much detail as possible on a single screen, as per the requirements of the analysts using it.

So in the middle of all this busy stuff, I've got one table that displays all the URLs that were found in all the emails matching the search performed by the analyst. The SPL of collecting URLs is pretty straightforward - a base search that is shared by all the tables on the page, and this particular table has |stats count by url | sort - count appended to the end. No big deal. But I was trying to figure out if it's possible to add another item into that table that, when clicked, would take the user to a drilldown search for all of the URLs while still allowing them to click on an individual URL and go to a search for just that URL.

But in typing all this out, I'm realizing that it's probably not necessary to preserve the original drilldown for the single URL and doing so might overcomplicate things. So would your advice be to have a non-displayed search that sets a token by appending |stats values(url) AS url | format and use that token in the drilldown? Thank you both, @daljeanis and @niketnilay!

0 Karma

niketn
Legend

@elliotproebstel, if the base search for Post Processing does not have a transforming command it would not be optimized. So base searches with table or fields as the final pipe, without any commands like stats, chart or timechart, are better off being run as separate searches. Splunk Documentation for Post Processing Best Practices: http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Best_practices

Following is a run-anywhere example using Splunk's _internal index with the splunkd_ui_access sourcetype, which has a referer field similar to the URLs required in the current use case. For simplicity there is no post-processing below, but you can plug it into your existing dashboard.

Based on your last comment, this example performs a | stats values(referer) as referer

Using the <done> or <progress> Search Event Handler (Splunk Enterprise 6.5+), you should be able to get all URLs as comma-separated values using $result.referer$.

Then, by using the <drilldown> Event Handler for the table, the predefined token $click.value2$ can be used to access the clicked value.

<dashboard>
  <label>MultiValued Referer</label>
  <row>
    <panel>
      <title>MultiValued Referer</title>
      <table>
        <search>
          <query>index=_internal sourcetype="splunkd_ui_access" referer!="-"
|  stats values(referer) as referer</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <!-- fires once the search completes; $result.referer$ is the
               multivalue referer field of the first (and only) row -->
          <done>
            <set token="filteredURLs">$result.referer$</set>
          </done>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <!-- $click.value2$ is the value of the clicked cell -->
        <drilldown>
          <set token="clickedURL">$click.value2$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <div style="color:blue;">
          <b>Clicked Single URL:</b> $clickedURL$</div>
        <div/>
        <div style="color:green;">
          <b>Comma Separated Multiple URLs:</b> $filteredURLs$</div>
      </html>
    </panel>
  </row>
</dashboard>

With the above two provisions for the same table, i.e. the capability to pull all URLs and also to get the clicked URL, you can introduce a Check Box or Radio to use either one of the tokens based on what the user wants to perform. Please let us know if you need more details.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
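The following is an added example, not code from either answer above, that puts DalJeanis's outline (build a token holding `( url=value1 OR url=value2 ... )` capped at a top-N, then a control that opens the search) together with niketn's `<done>` handler pattern in one run-anywhere Simple XML form. It assumes, as the question does, a proxy index named `proxy` with a `url` field; `_internal` referers stand in for the extracted email URLs, so the names `base`, `allURLs`, `all_urls` and `all_filter` are all constructed here.

```xml
<form>
  <label>All URLs to proxy search (constructed example)</label>
  <!-- Base search shared by every panel; run-anywhere via _internal like the
       answer above. In the real dashboard this is the email search. -->
  <search id="base">
    <query>index=_internal sourcetype="splunkd_ui_access" referer!="-"</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Top referers: click a row for one URL, or the count panel for all of them</title>
      <table>
        <search base="base">
          <!-- Transforming post-process: one row per URL, capped at 20 so the
               generated search stays bounded. eventstats folds every URL back
               into a multivalue field so the first row carries the whole OR clause. -->
          <query>| stats count by referer | sort - count | head 20
| eventstats values(referer) as all_urls
| eval all_filter = "(url=\"" . mvjoin(all_urls, "\" OR url=\"") . "\")"
| fields - all_urls</query>
          <!-- $result.*$ reads the first row; all_filter is identical on every row -->
          <done>
            <set token="allURLs">$result.all_filter$</set>
          </done>
        </search>
        <!-- keep the helper column out of the rendered table -->
        <fields>["referer","count"]</fields>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- single-URL drilldown: |u URL-encodes the clicked row's value -->
          <link target="_blank">search?q=index%3Dproxy%20url%3D%22$row.referer|u$%22&amp;earliest=-24h%40h&amp;latest=now</link>
        </drilldown>
      </table>
    </panel>
    <panel>
      <title>Distinct URLs</title>
      <single>
        <search base="base">
          <query>| stats dc(referer) as urls</query>
        </search>
        <option name="underLabel">click to search the top 20 URLs at once</option>
        <!-- the "button": a single-value panel whose drilldown opens the OR'd search -->
        <drilldown>
          <link target="_blank">search?q=index%3Dproxy%20$allURLs|u$&amp;earliest=-24h%40h&amp;latest=now</link>
        </drilldown>
      </single>
    </panel>
  </row>
</form>
```

Two caveats worth keeping in mind. The `<done>` token is populated from the table's own search, so the button's search always matches what the analyst sees and nothing runs until someone clicks. And the token values are spliced into SPL verbatim: `|u` only makes the value safe for the URL, not for the search language, so an extracted URL containing a double quote or a `*` would change the meaning of the generated query. If the email sources can carry such values, sanitize them in the eval (for example with `replace()`) before `mvjoin` builds the clause.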