Is it possible to have a customized drilldown result per link? The idea is a form which will initially display the different sourcetypes of the search; then, per sourcetype result, I can drill down to a simple table or a stats table that is created based on the sourcetype that is clicked on.
For example, the form search returned 3 sourcetypes: firewall, URL filter and AV. When I click on firewall, it will drill down to a table that shows fields related to the sourcetype (src, dst, port, etc.). The same follows for the other results when clicked on: URL filter (src, dst, URL, operation, argument, user-agent, etc.) and AV (src, dst, signature, file, etc.).
Hope this is possible and someone can share an idea.
Yes, this is possible. There are several different techniques that can be combined:
First, custom drill down lets you specify a link to take per field/series clicked on: http://docs.splunk.com/Documentation/Splunk/6.0/Viz/Dynamicdrilldownindashboardsandforms
Lastly, use tokens to select a macro. This allows you to specify different search snippets based on user input. This is useful in either advanced xml or simple xml.
I downvoted this post because the link is dead.
First item cannot deliver the requirement.
Second item not feasible at this time, I am at 5.0.3.
"Lastly, use tokens to select a macro. This allows you to specify different search snippets based on user input. This is useful in either advanced xml or simple xml."
--> Is this applicable to v5.0.3? Also, would you have references that you can point me to? Thanks.