I've got a dashboard with a pie chart that breaks down port information. When the user clicks on a specific port I want to redirect the user to a new view that will break down the port information (sites accessed, etc.). I'm having some problems getting the second dashboard to display properly.
If I redirect to flashtimeline I see that the query sent to Splunk is the query from my original dashboard + the port the user clicked on. So I'm getting the correct subset of data. I have even traced the query getting sent to my second dashboard via Firebug, and the query looks the same as the one sent to flashtimeline.
How can I use the data from the query getting sent to my second dashboard and create my charts? The first snippet of code below is from my first dashboard and the second is from my second dashboard.
Thanks for any guidance.
```xml
<module name="ServerSideInclude" layoutPanel="panel_row2_col3" group="BotNet Port Breakdown">
  <param name="src">botnetsummaryports.html</param>
  <module name="HiddenSearch" autoRun="True" layoutPanel="panel_row2_col3">
    <param name="search">eventtype="BotNet_Traffic" | eval proto_port=protocol." ".dest_port | fields dest_port, protocol, proto_port | stats count by dest_port</param>
    <module name="HiddenChartFormatter">
      <param name="chart">pie</param>
      <module name="FlashChart">
        <param name="width">100%</param>
        <param name="height">200px</param>
        <module name="ConvertToDrilldownSearch">
          <module name="ViewRedirector">
            <param name="viewTarget">HLC_botnet_dashboard_individual_port_breakdown</param>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>
```
```xml
<module name="HiddenSearch" autoRun="True" layoutPanel="panel_row2_col1" group="Top 10 Malware Sites for Port">
  <param name="search"> | top limit=10 dest_ip | fields dest_ip, count | sort -count</param>
  <module name="JobProgressIndicator"></module>
  <module name="HiddenChartFormatter">
    <param name="chart">bar</param>
    <param name="legend.placement">none</param>
    <param name="primaryAxisTitle.text">Malware Site</param>
    <param name="secondaryAxisTitle.text">Number of Connections</param>
    <param name="charting.seriesColors">[0xFF6600]</param>
    <module name="FlashChart">
      <param name="width">100%</param>
      <param name="height">300px</param>
      <module name="ConvertToDrilldownSearch">
        <module name="ViewRedirector">
          <param name="viewTarget">flashtimeline</param>
        </module>
      </module>
    </module>
  </module>
</module>
```
After some work I figured this out. Your suggestion to use hidden intentions worked great. To figure out the rest I needed to figure out how to do a group-by in a plot intention. Here's a link to the answers post that explains what I did.
Thanks again for all of the help!!!!
This can be done with the stock modules that come with Splunk, but it's difficult. (I have my own modules that I've developed and just use instead of Splunk's, and all sorts of stuff like this becomes quite easy.)
With the core modules this particular idea is possible. The basic idea is that in the second view, instead of the HiddenSearch module, you want a HiddenIntention, and you need to specify a 'plot' intention. So essentially the second view gets the search as it comes out of ConvertToDrilldownSearch, and then the second view layers a 'plot' intention on top of this; the net effect of the plot intention is to tack on the " | top destip".
There's no way to do the fields and the sort, but fortunately the only thing those are actually doing is removing the 'percent' field from the output of the 'top', and I believe you can do this by specifying a fieldHideList parameter in HiddenChartFormatter. If that doesn't work there might be some way of constructing an intention that maps to " | top destip showperc=f", which would do the same thing. However, intentions are very finicky, as I'm sure you've already figured out. 😃
In the "UI Examples for 4.1" app (which you can download and install from splunkbase using the "launcher" app in splunk), root around in the 60 or so example views for "plot" (I mean search the XML files). You'll find that in one of the drilldown examples it does exactly this -- view A permalinks to view B on a straight-up search for events, and view B tacks on a "plot" intention which layers on top of that base search.
Yes there is. Here's a really dirty trick -- open report builder. Set the pulldowns so that the report is the one you're going to want. Then click the green button to go to step 2 of report builder. Now view the HTML source of that page. Scan/search through it for the word 'plot'. Towards the bottom you'll see a mangled jumble of JSON -- that is the correct plot intention for whatever report clause you had on the end.
I think I figured out part of my problem. I changed "timechart" to "stats" with fields count and dest_ip. Unfortunately it's doing a stats count(dest_ip) instead of the stats count by dest_ip that I want. Is there a way to do a group-by in the plot intention?
I guess what I'm after is the user clicks on a port value from the pie chart on the first view and gets redirected to the second view where different stats are displayed (bar graph of top 10 sites hit, and various other pie charts).
I've looked at the "UI Examples" and found the views that are using the HiddenIntention. So I need to add a "ConvertToIntention" module to my first view and replace the "HiddenSearch" in my second view with the "HiddenIntention". Is this correct?
How do I implement the "| top limit=10 dest_ip" when I replace the search in the second view with the intention? I can't limit the number of results in my search on the first view.
I want a chart since this isn't really a timechart. Can I replace "timechart" with "chart"? Do you know where I can find docs on plot?
Thanks.