Dashboards & Visualizations

Need help editing custom drill down

jcorkey
Explorer

I have a dashboard with a search showing a list of users who have done a few specific things. If those users have done those things within the specified time range, they are displayed in the visualization chart. I have my own custom drilldowns working right now.

Here is my drill down:

<drilldown>
  <condition field="Switched to different user account">
    <link target="_blank">search?q=host="*" index="*" user="*" sourcetype=linux_secure "su:" "session opened for user" | rex "by (%3F<user>[^(]%2b)" | rex "^[^\)\n]*\):\s%2b\w%2b\s%2b\w%2b\s%2b\w%2b\s%2b\w%2b\s%2b(%3FP<userOfInterest>\w%2b)" | table _time, user, userOfInterest | rename userOfInterest as "Switched to user"&amp;earliest=-4h@h&amp;latest=now</link>
  </condition>
  <condition field="Added new user to group">
    <link target="_blank">search?q=index=* host=* sourcetype="*" user="*" "usermod" OR "visudo" AND "type=USER_MGMT" add-user-to-shadow-group | table _time, user, acct, grp | rename acct as "Newly created user", grp as "Added to group"&amp;earliest=-4h@h&amp;latest=now</link>
  </condition>
  <condition field="Created new user">
    <link target="_blank">search?q=index=* host=* sourcetype="*" user="*" useradd "type=ADD_USER" | rex "^[^=\n]*=(%3FP<userOfInterest>\w%2b)" | table user, id | rename id as "Added user's id"&amp;earliest=-4h@h&amp;latest=now</link>
  </condition>
  <condition>
    <!-- Optional: no drilldown from other columns -->
  </condition>
</drilldown>

Notice how in each search string under each condition there is a user=""? Well, right now each drilldown search grabs all users because of this, BUT how can I have it to where the user field in the drilldown search string will equal whichever user is clicked from the visualization chart? For example, if I click the user "bob" that is listed in my visualization chart, I want the user field in my drilldown search string to then be user="bob", not user="" like it is right now.

How can I accomplish this?

1 Solution

cmerriman
Super Champion

You need to set the token from your search. Add <set token="user">$click.value2$</set> in your drilldown
and use that token in user=$user$
