Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart: Why can't I go to particular values when clicked on

JacobWrdz
Explorer
‎06-07-2022 02:00 AM

Good morning All,

I am creating timechart, which has to show me top values, the query:

query 07.06.png

When I try to click on particular value, like here:

Splunk_community_07.06.png

it directs me to all the events of that kind, not only the max( ) values, which are presented at chart because of the line: 

| timechart span=1d max(Priority_diffrence) by risk_object

Do you have idea how to solve that? Any hints kindly welcome.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-07-2022 04:49 AM

You will need to add a search link to the drilldown section of the chart with an encoded version of the query you want to run. For example, try something like this:

<drilldown>
<link target="_blank">search?q=index%3Dnotable%20sourcetype%3Dstash%20risk_object%3D$click.name2|u$%20$Level_change|u$%20$ITI_type|u$%0A%7C%20eval%20Priority_diffrence%3Dif(Priority_diffrence%3D%22N%2FA%22%2C0%2CPriority_diffrence)%0A%7C%20where%20Priority_diffrence%3D$click.value2|u$%0A%7C%20eval%20Alert_level%20%3D%20Base_Level%20%2B%20Priority_diffrence%0A%7C%20search%20$Alert_level|u$%0A%7C%20timechart%20span%3D1d%20max(Priority_diffrence)%20by%20risk_object&amp;earliest=$Period.earliest|u$&amp;latest=$Period.latest|u$</link>
</drilldown>

 Obviously, I cannot test this so you may need to adjust it to your needs.

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-07-2022 02:11 AM

Hi @JacobWrdz,

you have to correctly set up drilldown, passing the "risk_object" field.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

JacobWrdz
Explorer
‎06-07-2022 02:21 AM

Hi,

thank you for quick reply.

I ma using Drilldown option link to search auto. The "risk_object" actually is fine, it directs me to proper kind of events, but I see the events with different Priority_diffrence - I should see only max(Priority_diffrence), but I see all kinds (0, 1, 2, 3, 4 instead example only 4).

So, to sum up, I have issue with Priority_diffrence only.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-07-2022 03:44 AM

Hi @JacobWrdz,

in this case you have to pass the max(priority_difference) as drilldown value and manage it into the secondary dashboard.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-07-2022 02:56 AM

Your drilldown is probably only passing risk_object to the search - you will probably have to modify the drilldown link to include the max value.

Can you share your drilldown link code?

0 Karma
Reply
Solved! Jump to solution

JacobWrdz
Explorer
‎06-07-2022 03:54 AM

Thank you both for answers. I pasted below code of whole dashboard- just deleted sensitive data.
The core of my task is to fit everything into 1 dashboard. Currently, when I click on the dashboard value it directs me to following search:

index=notable sourcetype=stash risk_object=* Priority_diffrence="*" risk_object="*" | eval Priority_diffrence=if(Priority_diffrence="N/A",0,Priority_diffrence) | eval Alert_level = Base_Level + Priority_diffrence | search Alert_level="*" risk_object= >restricted data<

It seems that timechart does not understand that I want to see only value Priority_diffrence=3 (case from original post) and gives me all Priority_diffrence values.

 

 

DASHBOARD:

<form theme="dark">
<label>VSOC Alert (Event) Type (Line Chart of Change Amount)</label>
<description>>restricted data<</description>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="Period" searchWhenChanged="true">
<label>Period</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="multiselect" token="Alert_level" searchWhenChanged="true">
<label>Alert level</label>
<choice value="*">All</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<default>*</default>
<valuePrefix>Alert_level="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
</input>
<input type="multiselect" token="Level_change" searchWhenChanged="true">
<label>Amount of Alert Level Change (Difference)</label>
<choice value="*">All</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<3</choice>
<choice value=>restricted data<</choice>
<default>*</default>
<valuePrefix>Priority_diffrence="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
</input>
<input type="multiselect" token="ITI_type" searchWhenChanged="true">
<label>ITI type</label>
<choice value="*">All</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=">restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value=>restricted data<</choice>
<choice value= >restricted data< </choice>
<default>*</default>
<valuePrefix>risk_object="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
</input>
</fieldset>
<row>
<panel>
<title>Linechart of alert level change amount</title>
<chart>
<search>
<query>index=notable sourcetype=stash risk_object=* $Level_change$ $ITI_type$
| eval Priority_diffrence=if(Priority_diffrence="N/A",0,Priority_diffrence)
| eval Alert_level = Base_Level + Priority_diffrence
| search $Alert_level$
| timechart span=1d max(Priority_diffrence) by risk_object</query>
<earliest>$Period.earliest$</earliest>
<latest>$Period.latest$</latest>
<refresh>1m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
<option name="charting.axisLabelsY.majorUnit">1</option>
<option name="charting.axisY.maximumNumber">4</option>
<option name="charting.axisY.minimumNumber">-1</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">line</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
</form>

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-07-2022 04:49 AM

You will need to add a search link to the drilldown section of the chart with an encoded version of the query you want to run. For example, try something like this:

<drilldown>
<link target="_blank">search?q=index%3Dnotable%20sourcetype%3Dstash%20risk_object%3D$click.name2|u$%20$Level_change|u$%20$ITI_type|u$%0A%7C%20eval%20Priority_diffrence%3Dif(Priority_diffrence%3D%22N%2FA%22%2C0%2CPriority_diffrence)%0A%7C%20where%20Priority_diffrence%3D$click.value2|u$%0A%7C%20eval%20Alert_level%20%3D%20Base_Level%20%2B%20Priority_diffrence%0A%7C%20search%20$Alert_level|u$%0A%7C%20timechart%20span%3D1d%20max(Priority_diffrence)%20by%20risk_object&amp;earliest=$Period.earliest|u$&amp;latest=$Period.latest|u$</link>
</drilldown>

 Obviously, I cannot test this so you may need to adjust it to your needs.

Reply
Solved! Jump to solution

JacobWrdz
Explorer
‎06-07-2022 06:20 AM

@ITWhisperer THANK YOU! IT worked 🙂 I have to perform some tests and send it to client, but I am 90% sure this it it.

I really appreciate both your help:  @ITWhisperer and @gcusello , once again I found that Splunk community is the best.

 

I modified a bit the code and now it looks like this:

<drilldown>
<link target="_blank">search?q=index%3Dnotable%20sourcetype%3Dstash%20risk_object%3D%22$click.name2|u$%22%20$ITI_type|u$%0A%0A%7C%20eval%20Priority_diffrence%3Dif(Priority_diffrence%3D%22N%2FA%22%2C0%2CPriority_diffrence)%0A%7C%20where%20Priority_diffrence%3D$click.value2|u$%0A%7C%20eval%20Alert_level%20%3D%20Base_Level%20%2B%20Priority_diffrence%0A%7C%20search%20$Alert_level|u$&amp;earliest=$Period.earliest$&amp;latest=$Period.latest$</link>
</drilldown>

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-07-2022 06:39 AM

Hi @JacobWrdz,

good for you, see next time,

Please accept one answer for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...