Dashboards & Visualizations

In current version of Splunk (6.5) is it possible to easily configure dashboard based on summary data to drill down to raw events?

the_wolverine
Champion

I understand that this can be done using Advanced XML. Does current version of Splunk allow us to more easily do this, and using simple XML?

0 Karma
1 Solution

the_wolverine
Champion

It looks like it can be done relatively easily based on the 6.x dashboard examples.

<dashboard>
  <label>Drilldown URL Field Value Clone</label>
  <description>Configure drilldown to redirect users to the URL value of the referer field.</description>
  <row>
    <table>
      <search>
        <query>index=_internal http:// | head 50 | table _time user referer</query>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </search>
      <option name="count">10</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="rowNumbers">false</option>
      <option name="wrap">true</option>
      <drilldown>
        <condition field="referer">
          <link>$click.value2|n$</link>
        </condition>
        <condition field="user">
          <link>https://www.google.com q=$click.value2$</link>
        </condition>
      </drilldown>
    </table>
  </row>
</dashboard>

View solution in original post

0 Karma

the_wolverine
Champion

It looks like it can be done relatively easily based on the 6.x dashboard examples.

<dashboard>
  <label>Drilldown URL Field Value Clone</label>
  <description>Configure drilldown to redirect users to the URL value of the referer field.</description>
  <row>
    <table>
      <search>
        <query>index=_internal http:// | head 50 | table _time user referer</query>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </search>
      <option name="count">10</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="rowNumbers">false</option>
      <option name="wrap">true</option>
      <drilldown>
        <condition field="referer">
          <link>$click.value2|n$</link>
        </condition>
        <condition field="user">
          <link>https://www.google.com q=$click.value2$</link>
        </condition>
      </drilldown>
    </table>
  </row>
</dashboard>
0 Karma

micahkemp
Champion

This doesn't look like it would drill down to raw events, rather it would open an external URL based on a single value that was clicked on.

0 Karma

micahkemp
Champion

The way you would do this is to have your drilldown craft a search for the fields that were summarized in your summary data, including time range and any field key/value pairs summarized in the event clicked on.

There is no way to definitively fetch the exact events that went into summary data.

0 Karma

the_wolverine
Champion

Do you have an example of how this can be done using simple XML? I'm familiar with overly complicated way that it is done using Advanced XML.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...