Re: Multiple Custom Dynamic Drilldowns

mcm10285 · ‎10-06-2013

Is it possible to have a customized drilldown result per link? The idea is a form, which will initially result to displaying the different sourcetypes of the search, then per sourcetype result, I can drilldown to a simple table or a stats table that is created based on the sourcetype that is clicked on.

For example, the form search returned 3 sourcetypes, firewall, URL filter and AV. When I click on firewall, it will drill down to a table that shows fields related to the sourcetype (src,dst,port,etc.). Same follows for the other results when clicked on, URL filter (src,dst,URL,operation, argument,user-agent, etc.) and AV (sr,dst,signature,file,etc.)

Hope this is possible and someone can share an idea.

melting · ‎10-07-2013

Yes this is possible, there are several different techniques that can be combined:

First, custom drill down lets you specify a link to take per field/series clicked on: http://docs.splunk.com/Documentation/Splunk/6.0/Viz/Dynamicdrilldownindashboardsandforms

Second, in page drill down in Simple XML in Splunk 6.0. If you look at the Splunk 6.0 Dashboard Examples (note: requires javascript knowledge)

Lastly, use tokens to select a macro. This allows you to specify different search snippets based on user input. This is useful in either advanced xml or simple xml.

muellernc · ‎06-27-2016

I downvoted this post because link dead

mcm10285 · ‎10-07-2013

First item cannot deliver the requirement.

Second item not feasible at this time, I am at 5.0.3.

"Lastly, use tokens to select a macro. This allows you to specify different search snippets based on user input. This is useful in either advanced xml or simple xml."

--> Is this applicable to v5.0.3? Also, would you have references that you can point me to? Thanks.

Multiple Custom Dynamic Drilldowns

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023