Dashboards & Visualizations
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

In current version of Splunk (6.5) is it possible to easily configure dashboard based on summary data to drill down to raw events?

the_wolverine
Champion
‎01-11-2018 02:48 PM

I understand that this can be done using Advanced XML. Does current version of Splunk allow us to more easily do this, and using simple XML?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

the_wolverine
Champion
‎01-11-2018 03:40 PM

It looks like it can be done relatively easily based on the 6.x dashboard examples. 

<dashboard>
  <label>Drilldown URL Field Value Clone</label>
  <description>Configure drilldown to redirect users to the URL value of the referer field.</description>
  <row>
    <table>
      <search>
        <query>index=_internal http:// | head 50 | table _time user referer</query>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </search>
      <option name="count">10</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="rowNumbers">false</option>
      <option name="wrap">true</option>
      <drilldown>
        <condition field="referer">
          <link>$click.value2|n$</link>
        </condition>
        <condition field="user">
          <link>https://www.google.com q=$click.value2$</link>
        </condition>
      </drilldown>
    </table>
  </row>
</dashboard>

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

the_wolverine
Champion
‎01-11-2018 03:40 PM

It looks like it can be done relatively easily based on the 6.x dashboard examples. 

<dashboard>
  <label>Drilldown URL Field Value Clone</label>
  <description>Configure drilldown to redirect users to the URL value of the referer field.</description>
  <row>
    <table>
      <search>
        <query>index=_internal http:// | head 50 | table _time user referer</query>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </search>
      <option name="count">10</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="rowNumbers">false</option>
      <option name="wrap">true</option>
      <drilldown>
        <condition field="referer">
          <link>$click.value2|n$</link>
        </condition>
        <condition field="user">
          <link>https://www.google.com q=$click.value2$</link>
        </condition>
      </drilldown>
    </table>
  </row>
</dashboard>
0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎01-12-2018 10:09 PM

This doesn't look like it would drill down to raw events, rather it would open an external URL based on a single value that was clicked on.

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎01-11-2018 02:51 PM

The way you would do this is to have your drilldown craft a search for the fields that were summarized in your summary data, including time range and any field key/value pairs summarized in the event clicked on.

There is no way to definitively fetch the exact events that went into summary data.

0 Karma
Reply
Solved! Jump to solution

the_wolverine
Champion
‎01-11-2018 03:02 PM

Do you have an example of how this can be done using simple XML? I'm familiar with overly complicated way that it is done using Advanced XML.

0 Karma
Reply
Get Updates on the Splunk Community!

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

  Join us in this Tech Talk and learn about the recently launched AI Assistant in Observability Cloud. With ...

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...
Top