I tried to view the events in detail on another panel, so I tried putting in the token. It's not showing the clicked events correctly.
Anyone who knows the token concept in drilldown, please elaborate. I have no idea how it works.
Take this dashboard:
<dashboard version="1.1">
  <label>Token drilldown</label>
  <description>https://community.splunk.com/t5/Getting-Data-In/click-on-dashboard-to-view-events-in-another-panel-in-same/m-p/623151#M107236</description>
  <row>
    <panel>
      <title>Search panel</title>
      <table>
        <search>
          <query>index=_audit
| stats values(action) as action by info reason</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="info_tok">$row.info$</set>
          <set token="reason_tok">$row.reason$</set>
          <set token="action_search_tok">action in mvzip($row.action$, ",")</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>info_tok: $info_tok$ reason_tok: $reason_tok$ action_search_tok: $action_search_tok$</title>
      <event>
        <title>on click</title>
        <search>
          <query>index=_audit info=$info_tok$ reason=$reason_tok$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</dashboard>
The main panel is "Search panel". The query is
index=_audit
| stats values(action) as action by info reason
Then, there are three tokens set based on search results ("drilldown"): info_tok, reason_tok, and action_search_tok. The first two are set to the corresponding values in the stats table, while the third is an attempt to use an eval expression to set the value (but it fails, so it is not used).
The second panel, "on-click", lists events meeting the criteria
index=_audit info=$info_tok$ reason=$reason_tok$
Is this the kind of action you are trying?
Hi yuanLiu,
Thanks for your reply.
Can you help me fix the tokens to show the panel for the search below?
source="wineventlog:security" | stats count by Account_Name,ip_address, _time
I need to see the events in the same dashboard by clicking the table, but I tried the same and it didn't go through.
It may not be the search that needs fixing; it is more likely the dashboard. Please share the source of your dashboard in a code block </> so we can try to help you.
You can refer below. Thank you.
<form version="1.1" theme="dark">
  <label>Authentication_Log_ Monitoring</label>
  <fieldset submitButton="false">
    <input type="text">
      <label>field1</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Real_Time_Monitoring</title>
      <table>
        <search>
          <query>source="wineventlog:security" | stats count by Account_Name,TaskCategory</query>
          <earliest>rt-120s</earliest>
          <latest>rt</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <set token="Account">$row.<Account_Name>$</set>
          <set token="Task">$row.<TaskCategory>$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <event>
        <search>
          <query>source="wineventlog:security" Account_Name="$Account$" TaskCategory="$Task$"</query>
          <earliest>rt-120s</earliest>
          <latest>rt</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>
Also, please let me know what the error is in my script. @ITWhisperer Thank you!
<drilldown>
  <set token="Account">$row.Account_Name$</set>
  <set token="Task">$row.TaskCategory$</set>
</drilldown>
You entered $row.<Account_Name>$ instead of $row.AccountName$, $row.<TaskCategory>$ instead of $row.TaskCategory$.
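A small pre-deployment check for the mistake discussed in this thread, as an added example that is not part of the original posts: it scans dashboard source as raw text (the bracketed form is not well-formed XML, so an XML parser would reject it) and reports `$row.*$` references that cannot resolve to a column of the table search. The function names `result_columns` and `lint_drilldown` are hypothetical, and the `stats ... by ...` parsing is a simplification.

```python
import re

# Constructed sample: the table query and drilldown lines from the dashboard in the thread.
BROKEN = '''<query>source="wineventlog:security" | stats count by Account_Name,TaskCategory</query>
<drilldown>
<set token="Account">$row.<Account_Name>$</set>
<set token="Task">$row.<TaskCategory>$</set>
</drilldown>'''
# Same source with the brackets removed, as in the posted fix.
FIXED = re.sub(r"\$row\.<(\w+)>\$", r"$row.\1$", BROKEN)

ROW_TOKEN = re.compile(r"\$row\.([^$\s]+)\$")
STATS_BY = re.compile(r"\|\s*stats\b(.*?)\bby\s+([^|<]+)", re.S)


def result_columns(source):
    """Columns of the first `stats ... by ...` search (simplified SPL parsing, an assumption)."""
    m = STATS_BY.search(source)
    if not m:
        return set()
    aggs, by = m.groups()
    cols = {f for f in re.split(r"[,\s]+", by.strip()) if f}
    cols.update(re.findall(r"\bas\s+(\w+)", aggs))  # renamed aggregates
    if re.search(r"\bcount\b(?!\s*\()", aggs):      # bare `count` yields a `count` column
        cols.add("count")
    return cols


def lint_drilldown(source):
    """Return (token, problem) pairs for $row.*$ references that cannot resolve."""
    cols = result_columns(source)
    findings = []
    for m in ROW_TOKEN.finditer(source):
        field = m.group(1)
        if field.startswith("<") and field.endswith(">"):
            findings.append((m.group(0), "angle brackets left in field name"))
        elif cols and field not in cols:
            findings.append((m.group(0), "field is not a column of the table search"))
    return findings


if __name__ == "__main__":
    for label, src in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_drilldown(src))
```

The second check matters on a security dashboard because a `$row.*$` field name that does not match a column exactly leaves the token without the clicked value, so the detail panel does not show the events that were clicked.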