Re: Multiple Custom Dynamic Drilldowns

mcm10285 · ‎10-06-2013

Is it possible to have a customized drilldown result per link? The idea is a form, which will initially result to displaying the different sourcetypes of the search, then per sourcetype result, I can drilldown to a simple table or a stats table that is created based on the sourcetype that is clicked on.

For example, the form search returned 3 sourcetypes, firewall, URL filter and AV. When I click on firewall, it will drill down to a table that shows fields related to the sourcetype (src,dst,port,etc.). Same follows for the other results when clicked on, URL filter (src,dst,URL,operation, argument,user-agent, etc.) and AV (sr,dst,signature,file,etc.)

Hope this is possible and someone can share an idea.

melting · ‎10-07-2013

Yes this is possible, there are several different techniques that can be combined:

First, custom drill down lets you specify a link to take per field/series clicked on: http://docs.splunk.com/Documentation/Splunk/6.0/Viz/Dynamicdrilldownindashboardsandforms

Second, in page drill down in Simple XML in Splunk 6.0. If you look at the Splunk 6.0 Dashboard Examples (note: requires javascript knowledge)

Lastly, use tokens to select a macro. This allows you to specify different search snippets based on user input. This is useful in either advanced xml or simple xml.

muellernc · ‎06-27-2016

I downvoted this post because link dead

mcm10285 · ‎10-07-2013

First item cannot deliver the requirement.

Second item not feasible at this time, I am at 5.0.3.

"Lastly, use tokens to select a macro. This allows you to specify different search snippets based on user input. This is useful in either advanced xml or simple xml."

--> Is this applicable to v5.0.3? Also, would you have references that you can point me to? Thanks.

Multiple Custom Dynamic Drilldowns

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms