
Can I click on dashboard to view events in another panel in same dashboard?

kv
Explorer

I tried to view the events in detail on another panel, so I tried putting in the token. It's not showing the clicked events correctly.

Anyone who knows the token concept in drilldown, please elaborate. I have no idea how it works.

0 Karma
yuanliu
SplunkTrust

Take this dashboard:

<dashboard version="1.1">
  <label>Token drilldown</label>
  <description>https://community.splunk.com/t5/Getting-Data-In/click-on-dashboard-to-view-events-in-another-panel-in-same/m-p/623151#M107236</description>
  <row>
    <panel>
      <title>Search panel</title>
      <table>
        <search>
          <query>index=_audit
| stats values(action) as action by info reason</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="info_tok">$row.info$</set>
          <set token="reason_tok">$row.reason$</set>
          <set token="action_search_tok">action in mvzip($row.action$, ",")</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>info_tok: $info_tok$ reason_tok: $reason_tok$ action_search_tok: $action_search_tok$</title>
      <event>
        <title>on click</title>
        <search>
          <query>index=_audit info=$info_tok$ reason=$reason_tok$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</dashboard>

The main panel is "Search panel". The query is

index=_audit
| stats values(action) as action by info reason

Then, there are three tokens set based on search results ("drilldown"): info_tok, reason_tok, and action_search_tok. The first two are set as the corresponding values in the stats table, while the third is an attempt to use an eval expression to set the value (but it fails, so it is not used).

The second panel, "on-click", lists events meeting the criteria

index=_audit info=$info_tok$ reason=$reason_tok$

Is this the kind of action you are trying?

0 Karma

kv
Explorer

Hi yuanLiu,

Thanks for your reply.

Can you help me fix the tokens to show the panel for the search below?

source="wineventlog:security" | stats count by Account_Name,ip_address, _time

I need to see the events in the same dashboard by clicking the table, but when I tried the same, it didn't go through.

0 Karma

ITWhisperer
SplunkTrust

It may not be the search that needs fixing; it is more likely the dashboard. Please share the source of your dashboard in a code block </> so we can try to help you.

0 Karma

kv
Explorer

You can refer below. Thank you.

<form version="1.1" theme="dark">
  <label>Authentication_Log_ Monitoring</label>
  <fieldset submitButton="false">
    <input type="text">
      <label>field1</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Real_Time_Monitoring</title>
      <table>
        <search>
          <query>source="wineventlog:security" | stats count by Account_Name,TaskCategory</query>
          <earliest>rt-120s</earliest>
          <latest>rt</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <set token="Account">$row.&lt;Account_Name&gt;$</set>
          <set token="Task">$row.&lt;TaskCategory&gt;$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <event>
        <search>
          <query>source="wineventlog:security" Account_Name="$Account$" TaskCategory="$Task$"</query>
          <earliest>rt-120s</earliest>
          <latest>rt</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

Also, please let me know what the error is in my script. @ITWhisperer Thank you!

0 Karma

ITWhisperer
SplunkTrust

        <drilldown>
          <set token="Account">$row.Account_Name$</set>
          <set token="Task">$row.TaskCategory$</set>
        </drilldown>

yuanliu
SplunkTrust

You entered $row.<Account_Name>$ instead of $row.AccountName$, $row.<TaskCategory>$ instead of $row.TaskCategory$.

0 Karma
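
Added example (not part of the thread, and not Splunk's or any poster's code): a small Python lint that reads a Simple XML dashboard, works out which columns the table's final `stats` command produces, and reports any `$row.<field>$` drilldown token that names a column the table does not have. The `stats` parsing is a deliberate simplification, and the two sample dashboards are constructed from the table panel posted above.

```python
import re
import xml.etree.ElementTree as ET

ROW_TOKEN = re.compile(r"\$row\.([^$]+)\$")
AGG = re.compile(r"(\w+(?:\([^)]*\))?)(?:\s+as\s+(\w+))?", re.I)

def stats_columns(query):
    """Columns emitted by a trailing `stats ... [by ...]` (simplified SPL parsing)."""
    last = query.split("|")[-1].strip()
    m = re.match(r"stats\s+(.*?)(?:\s+by\s+(.*))?$", last, re.I | re.S)
    if not m:
        return None  # last command is not stats: columns unknown, skip the check
    cols = {alias or func for func, alias in AGG.findall(m.group(1))}
    cols.update(f for f in re.split(r"[,\s]+", m.group(2) or "") if f)
    return cols

def lint_drilldown(xml_text):
    """Return (token, referenced_field, available_columns) for each bad $row.x$."""
    findings = []
    for table in ET.fromstring(xml_text).iter("table"):
        cols = stats_columns(table.findtext("search/query") or "")
        if cols is None:
            continue
        for node in table.iterfind("drilldown/set"):
            for field in ROW_TOKEN.findall(node.text or ""):
                if field not in cols:
                    findings.append((node.get("token"), field, sorted(cols)))
    return findings

# Constructed sample: the table panel from the dashboard posted in the thread,
# with the angle brackets copied literally into the token names.
BROKEN = """<form version="1.1"><row><panel><table>
<search><query>source="wineventlog:security" | stats count by Account_Name,TaskCategory</query></search>
<option name="drilldown">cell</option>
<drilldown>
  <set token="Account">$row.&lt;Account_Name&gt;$</set>
  <set token="Task">$row.&lt;TaskCategory&gt;$</set>
</drilldown>
</table></panel></row></form>"""

# Same panel with the brackets removed, as in the corrected <drilldown> block.
FIXED = BROKEN.replace("&lt;", "").replace("&gt;", "")

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED)):
        for token, field, cols in lint_drilldown(doc):
            print(f"{name}: token {token!r} uses $row.{field}$, columns are {cols}")
        if not lint_drilldown(doc):
            print(f"{name}: all $row.*$ tokens match a result column")
```

Only `$row.*$` tokens are checked; other drilldown tokens and searches that do not end in `stats` are skipped rather than guessed at.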