Dashboards & Visualizations

Need help adding token to my custom drilldown

Explorer

Below is my search on my dashboard:

| multisearch [search index=* host=* sourcetype="*" user="*" "type=ADD_USER" | eval rectype1="Created new user"] [search index=* host=* sourcetype="*" "usermod" AND "type=USER_MGMT" | eval rectype2="Added new user to group"] [search host="*" index="secure_logs" sourcetype=linux_secure  "su:" "session opened for user" | eval Date=strftime(_time, "%Y/%m/%d") | rex "by (?<user>[^(]+)" | rex "^[^\)\n]*\):\s+\w+\s+\w+\s+\w+\s+\w+\s+(?P<userOfInterest>\w+)" | eval rectype3= "Switched to different user account"] | stats dc(rectype3) as "Switched to different user account" , dc(rectype2) as "Added new user to group", dc(rectype1) as "Created new user" by user

Below is my drilldown:

<drilldown>
  <condition field="Switched to different user account">
    <set token="user">$click.value2$</set>
    <link target="_blank">search?q=host="*" index="*" user=$user$ sourcetype=linux_secure  "su:" "session opened for user" | rex "by (%3F&lt;user&gt;[^(]%2b)" | rex "^[^\)\n]*\):\s%2b\w%2b\s%2b\w%2b\s%2b\w%2b\s%2b\w%2b\s%2b(%3FP&lt;userOfInterest&gt;\w%2b)" | table _time, userOfInterest, user | rename userOfInterest as "User", user as "Switched to user"&amp;earliest=-4h@h&amp;latest=now</link>
  </condition>
  <condition field="Added new user to group">
    <set token="user">$click.value2$</set>
    <link target="_blank">search?q=index=* host=* sourcetype="*" user=$user$ "usermod" OR "visudo" AND "type=USER_MGMT" add-user-to-shadow-group | table _time, user, acct, grp | rename acct as "Newly created user", grp as "Added to group"&amp;earliest=-4h@h&amp;latest=now</link>
  </condition>
  <condition field="Created new user">
    <set token="user">$click.value2$</set>
    <!-- "\w%2b" is "\w+" URL-encoded, as in the other two links -->
    <link target="_blank">search?q=index=* host=* sourcetype="*" user=$user$ useradd  "type=ADD_USER" | rex "^[^=\n]*=(%3FP&lt;userOfInterest&gt;\w%2b)" | table user, id | rename id as "Added user's id"&amp;earliest=-4h@h&amp;latest=now</link>
  </condition>
  <condition>
    <!-- Optional No Drilldown from other columns-->
  </condition>
</drilldown>

Right now the <set token="user">$click.value2$</set> in my drilldown grabs the value of the rectype in my search on click. I really need it to grab the value of the user, which is how the stats chart is listed ("by user" at the end of my search string). I want to have that value instead of the rectype values that it gets when I click.

How can I accomplish this?

0 Karma

Re: Need help adding token to my custom drilldown

Explorer

I have found the answer... Just had to use click.value instead of click.value2.

0 Karma

Re: Need help adding token to my custom drilldown

Esteemed Legend

Don't forget to upvote any helpful answers and either submit your own to Accept or Accept the one that really contained the heart of the answer, so that the question is closed.

0 Karma

Re: Need help adding token to my custom drilldown

Super Champion

Try $row.user$ instead of $click.value2$. This should give you the user for any value clicked on in the row.

http://docs.splunk.com/Documentation/Splunk/6.6.2/Viz/PanelreferenceforSimplifiedXML#event_2


0 Karma
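For reference, here is the drilldown from the question rewritten with $row.user$ as the last answer suggests. This is an added illustration, not code posted by any of the participants; the condition names and link searches are the ones from the question. In a stats table, $click.value$ is the value of the first column of the clicked row (here user), $click.value2$ is the clicked cell's own value (here the dc() count), and $row.<field>$ is the named field's value in the clicked row, which is why $row.user$ works from every column.

```xml
<drilldown>
  <!-- $row.user$ resolves to the "user" column of whichever row was clicked,
       no matter which cell in that row received the click. $click.value$ also
       works here only because "user" is the first column of the stats output;
       $row.user$ keeps working if the columns are reordered or renamed later. -->
  <condition field="Switched to different user account">
    <!-- $click.value2$ would instead hold this cell's count, which is what broke the original -->
    <set token="user">$row.user$</set>
    <link target="_blank">search?q=host="*" index="*" user=$user$ sourcetype=linux_secure "su:" "session opened for user" | rex "by (%3F&lt;user&gt;[^(]%2b)" | rex "^[^\)\n]*\):\s%2b\w%2b\s%2b\w%2b\s%2b\w%2b\s%2b\w%2b\s%2b(%3FP&lt;userOfInterest&gt;\w%2b)" | table _time, userOfInterest, user | rename userOfInterest as "User", user as "Switched to user"&amp;earliest=-4h@h&amp;latest=now</link>
  </condition>
  <condition field="Added new user to group">
    <set token="user">$row.user$</set>
    <link target="_blank">search?q=index=* host=* sourcetype="*" user=$user$ "usermod" OR "visudo" AND "type=USER_MGMT" add-user-to-shadow-group | table _time, user, acct, grp | rename acct as "Newly created user", grp as "Added to group"&amp;earliest=-4h@h&amp;latest=now</link>
  </condition>
  <condition field="Created new user">
    <set token="user">$row.user$</set>
    <!-- "\w%2b" is "\w+" with the plus URL-encoded so the link survives the query string -->
    <link target="_blank">search?q=index=* host=* sourcetype="*" user=$user$ useradd "type=ADD_USER" | rex "^[^=\n]*=(%3FP&lt;userOfInterest&gt;\w%2b)" | table user, id | rename id as "Added user's id"&amp;earliest=-4h@h&amp;latest=now</link>
  </condition>
  <condition>
    <!-- Clicks on the "user" column itself match no field above and do nothing -->
  </condition>
</drilldown>
```

The three conditions only differ in the link they open; the token assignment is now identical in each, so a click on any count cell carries the row's user into the target search.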