Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using Value from Rex Command in Interactive Drilldown Dashboard

ramuzzini
Path Finder
3 weeks ago

Need help with creating an interactive drill down with value extracted using the rex command.  I want to monitor users saving files to a certain folder and also sort and look at file extension types that are saved in folder and by who.  Raw test data has: time, user, computer, directory and document as seen below.

Test Data
_time                     user_name      computer_name      source_directory                document
10/11/2024      user1                  Destop_user1            \\cpn-local\priv\cus\      document1.pdf
10/11/2024      user4                 Destop_user1             \\cpn-local\priv\cus\      document2.doc
10/10/2024      user1                 Destop_user1             \\cpn-local\priv\cus\      document3.pdf
10/10/2024      user2                 Destop_user2             \\cpn-local\priv\cus\      document4.pdf
10/9/2024         user3                 Destop_user3             \\cpn-local\priv\cus\      document5.pdf
10/9/2024         user4                 Destop_user4             \\cpn-local\priv\cus\      document6.doc
10/9/2024         user2                 Destop_user2             \\cpn-local\priv\cus\      document7.doc

I have created a drill using a token value of the queried data from the raw logs which allows me to selecte a user from a pie chart and show all logs in a second table. Those two dashboard panels are below and work.

***User Pie Chart with the drilldown token: token_user=$click.value$ ***
index="user_files"
| rex field="document" "\.(?<extension>[^\.]*$$)"
| stats count(user_name) BY user_name

***User Record Table ***
index="user_files" user_name = $token$
| table _time, user_name, computer_name, source_directory, document

I am now trying to create a dashboard taking the same raw data, add a rex command to filter out extension and have the pie chart show the specific file extension I have logs from an index which I have done using the following query

*** File Extension Pie Chart:  Works ***
index="user_files"
| rex field="document" "\.(?<extension>[^\.]*$$)"
| stats count(extension) by extension

However, when I call on the token "source = $token$" after declaring the index to display records based on pie chart selection, there is no search results.

*** Records by file type selected in Pie Chart: No Records found with selection from Pie Chart **
index="user_files" source=$*token$
| table _time, user_name, computer_name, source_directory, document

I also tried (index="user_files" extension=$*token$") and ("|where extension="$token$") in the query and still no results are seen in the record table.

Any help would be greatly appreciated.  I understand the logic needed, just having problems executing the drill down.   Thanks

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ramuzzini
Path Finder
3 weeks ago

Figured it out:

 

*** File Extension Pie Chart:  Works ***
index="user_files"
| rex field="document" "\.(?<extension>[^\.]*$$)"
| stats count(extension) by extension

However, when I call on the token "source = $token$" after declaring the index to display records based on pie chart selection, there is no search results.

*** Records by file type selected in Pie Chart: No Records found with selection from Pie Chart **
index="user_files" 
| rex field="document" "\.(?<extension>[^\.]*$$)"
| where extension = "$token$"
| table ...

Thanks PickleRick for given a response in helping figure this out.  Much appreciate. 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ramuzzini
Path Finder
3 weeks ago

The token value I am trying to carry over in my table is the(token=$click.value$) using the field extracted In the drilldown editor.  I have my values/parameters set to:

on click  set "token"= $click.value$.  I named my token name "Token" in the drilldown editor for simplicity. 

In initial post I stated ***User Pie Chart with the drilldown token: token_user=$click.value$ *** 
            but  should by 
***User Pie Chart with the drilldown token: "token"=$click.value$ ***

*** File Extension Pie Chart with the drilldown token: "token"=$click.value$ ***

index="user_files"
| rex field="document" "\.(?<extension>[^\.]*$$)"
| stats count(extension) by extension

However, when I call on the token "source = $token$" after declaring the index to display records based on pie chart selection, there is no search results.

*** Records by file type selected in Pie Chart: No Records found with selection from Pie Chart **

index="user_files" source=$*token$
| table _time, user_name, computer_name, source_directory, document

Apologize for the confusion.  Hope that clears it up a little.

 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
3 weeks ago

It's no confusion. I meant to show you that you're trying to use a token named "*token". Even if it was syntactically correct which I doubt - I think the token name syntax is more restricted - it would still be a different token than the one you have defined.

If you define a token named "token" you use it as $token$, not $*token$, not $my_token$,  not $token_I_forgot_about$. These are all different literals.

0 Karma
Reply
Solved! Jump to solution
Solution

ramuzzini
Path Finder
3 weeks ago

Figured it out:

 

*** File Extension Pie Chart:  Works ***
index="user_files"
| rex field="document" "\.(?<extension>[^\.]*$$)"
| stats count(extension) by extension

However, when I call on the token "source = $token$" after declaring the index to display records based on pie chart selection, there is no search results.

*** Records by file type selected in Pie Chart: No Records found with selection from Pie Chart **
index="user_files" 
| rex field="document" "\.(?<extension>[^\.]*$$)"
| where extension = "$token$"
| table ...

Thanks PickleRick for given a response in helping figure this out.  Much appreciate. 

0 Karma
Reply
Solved! Jump to solution

ramuzzini
Path Finder
3 weeks ago

That was a type, copy and pasted.   My token I am using in my search string is (source=$token$)  Not sure where/why I added the (*) in the token name. 

0 Karma
Reply
Solved! Jump to solution

ramuzzini
Path Finder
3 weeks ago

Realizing I need to run the rex command in my table because Splunk doesn't have any value in that search fin the raw data to associated with the token.  Going to try some alternative queries for now to see if I can come up with the solution now considering that. 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
3 weeks ago

$*token$ - what is it supposed to be? Maybe, just maybe *$token$ could work. Definitely not the way you're trying to do. You have no token named "*token"

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...