Good morning All,
I am creating a timechart which has to show me top values; the query:
When I try to click on a particular value, like here:
it directs me to all the events of that kind, not only the max() values, which are presented in the chart because of the line:
| timechart span=1d max(Priority_diffrence) by risk_object
Do you have an idea how to solve that? Any hints kindly welcome.
You will need to add a search link to the drilldown section of the chart with an encoded version of the query you want to run. For example, try something like this:
<drilldown>
<link target="_blank">search?q=index%3Dnotable%20sourcetype%3Dstash%20risk_object%3D$click.name2|u$%20$Level_change|u$%20$ITI_type|u$%0A%7C%20eval%20Priority_diffrence%3Dif(Priority_diffrence%3D%22N%2FA%22%2C0%2CPriority_diffrence)%0A%7C%20where%20Priority_diffrence%3D$click.value2|u$%0A%7C%20eval%20Alert_level%20%3D%20Base_Level%20%2B%20Priority_diffrence%0A%7C%20search%20$Alert_level|u$%0A%7C%20timechart%20span%3D1d%20max(Priority_diffrence)%20by%20risk_object&earliest=$Period.earliest|u$&latest=$Period.latest|u$</link>
</drilldown>
Obviously, I cannot test this so you may need to adjust it to your needs.
Hi,
thank you for the quick reply.
I am using the Drilldown option "link to search" set to "auto". The "risk_object" actually is fine; it directs me to the proper kind of events, but I see the events with different Priority_diffrence values. I should see only max(Priority_diffrence), but I see all kinds (0, 1, 2, 3, 4 instead of, for example, only 4).
So, to sum up, I have an issue with Priority_diffrence only.
Hi @JacobWrdz,
in this case you have to pass the max(priority_difference) as the drilldown value and manage it in the secondary dashboard.
Ciao.
Giuseppe
Your drilldown is probably only passing risk_object to the search; you will probably have to modify the drilldown link to include the max value.
Can you share your drilldown link code?
Thank you both for your answers. I pasted below the code of the whole dashboard; I just deleted sensitive data.
The core of my task is to fit everything into one dashboard. Currently, when I click on the dashboard value it directs me to the following search:
index=notable sourcetype=stash risk_object=* Priority_diffrence="*" risk_object="*" | eval Priority_diffrence=if(Priority_diffrence="N/A",0,Priority_diffrence) | eval Alert_level = Base_Level + Priority_diffrence | search Alert_level="*" risk_object= >restricted data<
It seems that timechart does not understand that I want to see only the value Priority_diffrence=3 (the case from the original post) and gives me all Priority_diffrence values.
DASHBOARD:
<form theme="dark">
<label>VSOC Alert (Event) Type (Line Chart of Change Amount)</label>
<description>>restricted data<</description>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="Period" searchWhenChanged="true">
<label>Period</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="multiselect" token="Alert_level" searchWhenChanged="true">
<label>Alert level</label>
<choice value="*">All</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<default>*</default>
<valuePrefix>Alert_level="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
</input>
<input type="multiselect" token="Level_change" searchWhenChanged="true">
<label>Amount of Alert Level Change (Difference)</label>
<choice value="*">All</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<3</choice>
<choice value=>restricted data<</choice>
<default>*</default>
<valuePrefix>Priority_diffrence="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
</input>
<input type="multiselect" token="ITI_type" searchWhenChanged="true">
<label>ITI type</label>
<choice value="*">All</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=">restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value= >restricted data< </choice>
<default>*</default>
<valuePrefix>risk_object="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
</input>
</fieldset>
<row>
<panel>
<title>Linechart of alert level change amount</title>
<chart>
<search>
<query>index=notable sourcetype=stash risk_object=* $Level_change$ $ITI_type$
| eval Priority_diffrence=if(Priority_diffrence="N/A",0,Priority_diffrence)
| eval Alert_level = Base_Level + Priority_diffrence
| search $Alert_level$
| timechart span=1d max(Priority_diffrence) by risk_object</query>
<earliest>$Period.earliest$</earliest>
<latest>$Period.latest$</latest>
<refresh>1m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
<option name="charting.axisLabelsY.majorUnit">1</option>
<option name="charting.axisY.maximumNumber">4</option>
<option name="charting.axisY.minimumNumber">-1</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">line</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
</form>
@ITWhisperer THANK YOU! It worked 🙂 I have to perform some tests and send it to the client, but I am 90% sure this is it.
I really appreciate both your help, @ITWhisperer and @gcusello; once again I found that the Splunk community is the best.
I modified the code a bit and now it looks like this:
<drilldown>
<link target="_blank">search?q=index%3Dnotable%20sourcetype%3Dstash%20risk_object%3D%22$click.name2|u$%22%20$ITI_type|u$%0A%0A%7C%20eval%20Priority_diffrence%3Dif(Priority_diffrence%3D%22N%2FA%22%2C0%2CPriority_diffrence)%0A%7C%20where%20Priority_diffrence%3D$click.value2|u$%0A%7C%20eval%20Alert_level%20%3D%20Base_Level%20%2B%20Priority_diffrence%0A%7C%20search%20$Alert_level|u$&earliest=$Period.earliest$&latest=$Period.latest$</link>
</drilldown>
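As an added illustration (not code from the thread, from Splunk, or from either answerer), the Python below builds the encoded search?q= link from plain SPL the way the accepted answer and the final modified version do, and then simulates what Splunk substitutes on click so you can read back the SPL that will actually run. It assumes the |u token filter percent-encodes the token value; the click and form-token values are constructed.

```python
import re
from urllib.parse import quote, parse_qs
# $name|u$ placeholders are left for Splunk to fill at click time; the |u filter
# makes Splunk URL-encode the substituted value
TOKEN_RE = re.compile(r"\$([A-Za-z0-9_.]+)\|u\$")

def encode_drilldown_query(spl: str) -> str:
    """Percent-encode SPL for a search?q= link, keeping $token|u$ placeholders
    verbatim; '(' and ')' stay unencoded, matching the accepted answer's link."""
    out, pos = [], 0
    for m in TOKEN_RE.finditer(spl):
        out.append(quote(spl[pos:m.start()], safe="()"))
        out.append(m.group(0))
        pos = m.end()
    out.append(quote(spl[pos:], safe="()"))
    return "".join(out)

def build_drilldown_link(spl, earliest="$Period.earliest|u$", latest="$Period.latest|u$"):
    """Assemble the relative URL that goes inside <drilldown><link>."""
    return f"search?q={encode_drilldown_query(spl)}&earliest={earliest}&latest={latest}"

def resolve_tokens(link: str, values: dict) -> str:
    """Simulate the click: each $name|u$ becomes the percent-encoded token value
    (assumed to mirror Splunk's |u filter closely enough for illustration)."""
    return TOKEN_RE.sub(lambda m: quote(values[m.group(1)], safe=""), link)

def spl_from_link(link: str) -> str:
    """Decode the q= parameter of a fully resolved link back into plain SPL."""
    return parse_qs(link.split("?", 1)[1])["q"][0]

# SPL from the accepted answer, written unencoded with one pipe stage per line
ANSWER_SPL = (
    "index=notable sourcetype=stash risk_object=$click.name2|u$ $Level_change|u$ $ITI_type|u$\n"
    '| eval Priority_diffrence=if(Priority_diffrence="N/A",0,Priority_diffrence)\n'
    "| where Priority_diffrence=$click.value2|u$\n"
    "| eval Alert_level = Base_Level + Priority_diffrence\n"
    "| search $Alert_level|u$\n"
    "| timechart span=1d max(Priority_diffrence) by risk_object"
)
# Constructed click and form-token values; none of these come from the thread
CLICK = {
    "click.name2": "host-01", "click.value2": "3",
    "Level_change": 'Priority_diffrence="*"', "ITI_type": 'risk_object="*"',
    "Alert_level": 'Alert_level="*"', "Period.earliest": "-24h@h", "Period.latest": "now",
}

if __name__ == "__main__":
    link = build_drilldown_link(ANSWER_SPL)
    print(link)                                         # the encoded <link> body
    print(spl_from_link(resolve_tokens(link, CLICK)))   # the SPL Splunk actually runs
```

Running it prints the same link text as the accepted answer, followed by the resolved search with "| where Priority_diffrence=3", which is the filter that restricts the drilldown to the max value the chart point represents.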
Hi @JacobWrdz,
good for you, see you next time.
Please accept one answer for the other people of the Community.
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated by all the Contributors 😉