Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: dynamic token based drilldown in chart using a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a timechart visualization using a by clause to display two different data sets. I think the number of successful logons and failed logons over time displayed on the same chart...
For example:
action=logon_failure OR action=logon_success | timechart count by action
I want the timechart to have drilldown capability, so when someone clicks on a portion of the chart, a new panel displays the list of usernames that generate that value in the timechart.
I have no problems creating the "pop up" panel using the depends flag, and no problems setting tokens to grab the earliest and latest time values based on the user's click. But how do I capture which by clause attribute the user clicked? How do I pass the "logon_failure" or "logon_success" value so I can use it to filter the search results that drive the new panel?
Any guidance is appreciated. Thanks in advance.
~Wes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@JWBailey , if you have performed timechart by action you will have logon_failure and logon_success as columns which can be picked by using click.name2 predefined drilldown token. Please try the following and see if $tokAction$ picks the value you are interested in.
<drilldown>
<set token="tokAction">$click.name2$</set>
</drilldown>
https://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#Drilldown_event_tokens
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@JWBailey , if you have performed timechart by action you will have logon_failure and logon_success as columns which can be picked by using click.name2 predefined drilldown token. Please try the following and see if $tokAction$ picks the value you are interested in.
<drilldown>
<set token="tokAction">$click.name2$</set>
</drilldown>
https://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#Drilldown_event_tokens
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Worked like a charm, thank you. As is so often I was way over complicating it in my attempts.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
