Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

In current version of Splunk (6.5) is it possible to easily configure dashboard based on summary data to drill down to raw events?

the_wolverine
Champion
‎01-11-2018 02:48 PM

I understand that this can be done using Advanced XML. Does current version of Splunk allow us to more easily do this, and using simple XML?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

the_wolverine
Champion
‎01-11-2018 03:40 PM

It looks like it can be done relatively easily based on the 6.x dashboard examples. 

<dashboard>
  <label>Drilldown URL Field Value Clone</label>
  <description>Configure drilldown to redirect users to the URL value of the referer field.</description>
  <row>
    <table>
      <search>
        <query>index=_internal http:// | head 50 | table _time user referer</query>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </search>
      <option name="count">10</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="rowNumbers">false</option>
      <option name="wrap">true</option>
      <drilldown>
        <condition field="referer">
          <link>$click.value2|n$</link>
        </condition>
        <condition field="user">
          <link>https://www.google.com q=$click.value2$</link>
        </condition>
      </drilldown>
    </table>
  </row>
</dashboard>

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

the_wolverine
Champion
‎01-11-2018 03:40 PM

It looks like it can be done relatively easily based on the 6.x dashboard examples. 

<dashboard>
  <label>Drilldown URL Field Value Clone</label>
  <description>Configure drilldown to redirect users to the URL value of the referer field.</description>
  <row>
    <table>
      <search>
        <query>index=_internal http:// | head 50 | table _time user referer</query>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </search>
      <option name="count">10</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="rowNumbers">false</option>
      <option name="wrap">true</option>
      <drilldown>
        <condition field="referer">
          <link>$click.value2|n$</link>
        </condition>
        <condition field="user">
          <link>https://www.google.com q=$click.value2$</link>
        </condition>
      </drilldown>
    </table>
  </row>
</dashboard>
0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎01-12-2018 10:09 PM

This doesn't look like it would drill down to raw events, rather it would open an external URL based on a single value that was clicked on.

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎01-11-2018 02:51 PM

The way you would do this is to have your drilldown craft a search for the fields that were summarized in your summary data, including time range and any field key/value pairs summarized in the event clicked on.

There is no way to definitively fetch the exact events that went into summary data.

0 Karma
Reply
Solved! Jump to solution

the_wolverine
Champion
‎01-11-2018 03:02 PM

Do you have an example of how this can be done using simple XML? I'm familiar with overly complicated way that it is done using Advanced XML.

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...