Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Need help editing custom drilldown time range of e...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need help editing custom drilldown time range of events
Below is my drilldown code:
<drilldown>
<condition field="Switched to different user account">
<set token="user">$click.value$</set>
<link target="_blank">search?q=index="*" host="*" sourcetype="*" "su:" "session opened for user" | rex "by (%3F<SU>[^(]%2b)" | search SU="$user$" | table _time, SU, user | rename SU as "User", user as "Switched to user"&earliest=-168h@h&latest=now</link>
</condition>
<condition field="Added new user to group">
<set token="user">$click.value$</set>
<link target="_blank">search?q=index="*" host="*" sourcetype="*" user=$user$ "usermod" OR "visudo" AND "type=USER_MGMT" add-user-to-shadow-group | table _time, user, acct, grp | rename acct as "Added to group", grp as "group"&earliest=-168h@h&latest=now</link>
</condition>
<condition field="Created new user">
<set token="user">$click.value$</set>
<link target="_blank">search?q=index="*" host="*" sourcetype="*" user=$user$ useradd "type=ADD_GROUP" | table _time, user, acct | rename acct as "Created user"&earliest=-168h@h&latest=now</link>
</condition>
<condition field="Executed sudo command">
<set token="user">$click.value$</set>
<link target="_blank">search?q=index=* sourcetype=* type="USER_CMD" host=* user=$user$ (action=success OR action=failure OR action=unknown) * | table _time host user cwd command action&earliest=-168h@h&latest=now</link>
</condition>
<condition>
<!-- Optional No Drilldown from other columns-->
</condition>
</drilldown>
Right now you can see that the time range on this code it &earliest=-168h@h&latest=now AKA the last 7 days.
But how do I make this time range based on whatever the time range is set to on the visualization chart before an item is click and this drilldown code is executed? I don't want a set time range hard coded into the drilldown code like it is here, I want it to be whatever it is set to on the panel where my visualization chart is.
How do I accomplish this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In order to have earliest and latest time tokens available from the selected row, you would need to make sure they are present in your table's transforming command as well.
| stats min(_time) as earliestTime max(_time) as latestTime ....
Then you can use <fields> simpleXML tag for the <table> to display only the required fields (i.e. hide the epoch time fields from display) and yet be able to use them as tokens
<fields>user, "Switched to different user account","Added new user to group","Created new user"</fields>
Finally in your <drilldown> event handler, use tokens $row.earliestTime$ and $row.latestTime$. For example one of the query is modified as below:
<link target="_blank">search?q=index=* sourcetype=* type="USER_CMD" host=* user=$user$ (action=success OR action=failure OR action=unknown) * | table _time host user cwd command action&earliest=$row.earliestTime$&latest=$row.latestTime$</link>
| makeresults | eval message= "Happy Splunking!!!"
Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA
.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...
A Season of Skills: New Splunk Courses to Light Up Your Learning Journey
