Dashboards & Visualizations

Use "OTHER" value in drilldown search

mztopp
Explorer

Hello all!

Currently I have a custom drilldown in place that takes a line graph, pulls the time field for earliest (and +1h for latest) and pulls the country associated with the line. This information is used to populate the search with click tokens. i.e.

index=mysearch parameters=* | iplocation src_ip | search Country="$token$" | stats count by _time, src_ip, Country ...

My hope is to not have to useother=f, but instead find a workaround for Country="OTHER" to understand it means not the other countries in the top 10. Any help is much appreciated!

So, if I were to click the United States line on the graph, all is fine for Country="United States", Canada would be the same success, but OTHER is not an actual value, but a placeholder for the conglomerate of countries that didn't make the top 10. How can I get that to populate as such for the drilldown, but also if a real country is clicked, it would distinguish that as well?
