Dashboards & Visualizations

Need help editing custom drill down

jcorkey
Explorer

I have dashboard with a search showing a list of users who have done a few specific things. If those users have done those things within the specified time range, they are displayed in the visualization chart. I have my own custom drill downs working right now.

Here is my drill down:

<drilldown>
          <condition field="Switched to different user account">
            <link target="_blank">search?q=host="*" index="*" user="*" sourcetype=linux_secure  "su:" "session opened for user" | rex "by (%3F<user>[^(]%2b)" | rex "^[^\)\n]*\):\s%2b\w%2b\s%2b\w%2b\s%2b\w%2b\s%2b\w%2b\s%2b(%3FP<userOfInterest>\w%2b)" | table _time, user, userOfInterest | rename userOfInterest as "Switched to user"&amp;earliest=-4h@h&amp;latest=now</link>
          </condition>
          <condition field="Added new user to group">
            <link target="_blank">search?q=index=* host=* sourcetype="*" user="*" "usermod" OR "visudo" AND "type=USER_MGMT" add-user-to-shadow-group | table _time, user, acct, grp | rename acct as "Newly created user", grp as "Added to group"&amp;earliest=-4h@h&amp;latest=now</link>
          </condition>
          <condition field="Created new user">
            <link target="_blank">search?q=index=* host=* sourcetype="*" user="*" useradd  "type=ADD_USER" | rex "^[^=\n]*=(%3FP<userOfInterest>\w )" | table user, id | rename id as "Added user's id"&amp;earliest=-4h@h&amp;latest=now</link>
          </condition>
          <condition>
            <!-- Optional No Drilldown from other columns-->
          </condition>
        </drilldown>

Notice how in each search string under each condition there is a user=""? Well, right now each drilldown search grabs all users because of this BUT how can I have it to where the user field in the drilldown search string will equal whichever user is clicked from the visualization chart? For example, if I click the user "bob" that is list in my visualization chart, I want the user field in my drill down search string to then be user="bob", not user="" like it is right now.

How can I accomplish this?

0 Karma
1 Solution

cmerriman
Super Champion

you need to set the token from your search. add <set token="user">$click.value2$</set> in your drilldown
and use that token in user=$user$

View solution in original post

0 Karma

cmerriman
Super Champion

you need to set the token from your search. add <set token="user">$click.value2$</set> in your drilldown
and use that token in user=$user$

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...