Solved: Re: Need help adding token to my custom drilldown

jcorkey · ‎08-03-2017

Below is my search on my dashboard:

| multisearch [search index=* host=* sourcetype="*" user="*" "type=ADD_USER" | eval rectype1="Created new user"] [search index=* host=* sourcetype="*" "usermod" AND "type=USER_MGMT" | eval rectype2="Added new user to group"] [search host="*" index="secure_logs" sourcetype=linux_secure  "su:" "session opened for user" | eval Date=strftime(_time, "%Y/%m/%d") | rex "by (?<user>[^(]+)" | rex "^[^\)\n]*\):\s+\w+\s+\w+\s+\w+\s+\w+\s+(?P<userOfInterest>\w+)" | eval rectype3= "Switched to different user account"] | stats dc(rectype3) as "Switched to different user account" , dc(rectype2) as "Added new user to group", dc(rectype1) as "Created new user" by user

Below is my drilldown:

<drilldown>
  <condition field="Switched to different user account">
    <set token="user">$click.value2$</set>
    <link target="_blank">search?q=host="*" index="*" user=$user$ sourcetype=linux_secure  "su:" "session opened for user" | rex "by (%3F&lt;user&gt;[^(]%2b)" | rex "^[^\)\n]*\):\s%2b\w%2b\s%2b\w%2b\s%2b\w%2b\s%2b\w%2b\s%2b(%3FP&lt;userOfInterest&gt;\w%2b)" | table _time, userOfInterest, user | rename userOfInterest as "User", user as "Switched to user"&amp;earliest=-4h@h&amp;latest=now</link>
  </condition>
  <condition field="Added new user to group">
    <set token="user">$click.value2$</set>
    <link target="_blank">search?q=index=* host=* sourcetype="*" user=$user$ "usermod" OR "visudo" AND "type=USER_MGMT" add-user-to-shadow-group | table _time, user, acct, grp | rename acct as "Newly created user", grp as "Added to group"&amp;earliest=-4h@h&amp;latest=now</link>
  </condition>
  <condition field="Created new user">
    <set token="user">$click.value2$</set>
    <link target="_blank">search?q=index=* host=* sourcetype="*" user=$user$ useradd  "type=ADD_USER" | rex "^[^=\n]*=(%3FP&lt;userOfInterest&gt;\w )" | table user, id | rename id as "Added user's id"&amp;earliest=-4h@h&amp;latest=now</link>
  </condition>
  <condition>
    <!-- Optional No Drilldown from other columns-->
  </condition>
</drilldown>

Right now the <set token="user">$click.value2$</set> in my drilldown grabs the values of the rectype in my search on click. I really need it to grab the value of the user which is how the stats chart is been listed "by user" at the end of my search string. I want to have the value instead of the rectype values that is gets when I click.

How can I accomplish this?

cmerriman · ‎08-03-2017

try $row.user$ instead of $click.value2$ this should give you user for any value clicked on in the row.

http://docs.splunk.com/Documentation/Splunk/6.6.2/Viz/PanelreferenceforSimplifiedXML#event_2

View solution in original post

cmerriman · ‎08-03-2017

try $row.user$ instead of $click.value2$ this should give you user for any value clicked on in the row.

http://docs.splunk.com/Documentation/Splunk/6.6.2/Viz/PanelreferenceforSimplifiedXML#event_2

jcorkey · ‎08-03-2017

I have found the answer...Just had to use click.value instead of click.value2

woodcock · ‎08-03-2017

Don't forget to upvote any helpful answers and either submit your own to Accept or Accept the one that really contained the heart of the answer, so that the question is closed.

Need help adding token to my custom drilldown

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?