Splunk Enterprise Security

Is there a drill down search variable substitution?

umesh
Path Finder

Hi 

I have two questions here 

1. In the drilldown search I have given dest=$dest$ and it is not working, and when I click on the contributing link it is reflecting the same.

2. When I click on the drilldown search it takes me to the search window with the time range as last 30 mins, but what I expect is the custom time range from when the event got triggered.

I kept the offset values at default.

Please let me know.

Thanks


bowesmana
SplunkTrust

Depending on whether you are showing a table or chart, there are different tokens available for drilldown, giving different attributes. The easy option for tables is to make sure the drilldown option is row, not cell, and then use $row.field$ as @richgalloway says.

For charts, you can get the X-axis with $click.value$ and the Y-axis with $click.value2$. See here:

https://docs.splunk.com/Documentation/Splunk/9.0.1/Viz/PanelreferenceforSimplifiedXML#Predefined_dri...

So, if you have a timechart, then click.value will give you time. If you then want your drilldown search to have time constraints, create earliest/latest tokens to use for the subsequent drilldown search.

Note: if you want to give yourself a window around the clicked time, then you have to do some calculations to create a window around the search, e.g.

<eval token="earliest">relative_time($click.value$, "-2m")</eval>
<eval token="latest">relative_time($click.value$, "+2m")</eval>

Just an example that would give a 2 minute +/- window around the clicked time range.


umesh
Path Finder

@bowesmana I am doing this drilldown in Enterprise Security notable events, not in dashboards: it is the drilldown search for getting the contributing events for the notable. I am using tokens in the drilldown search as index=xxx | search Dest=$dest$

richgalloway
SplunkTrust

1. Try dest=$row.dest$ as the argument to the drilldown. It says to use the "dest" field from the clicked table row. If the dashboard panel is not showing a table, then you'll want to use $click.value2$ to represent the thing the user clicked on.

2. To specify a time window in your drilldown search, include the earliest and latest parameters in the link, referencing your custom time range token:

<drilldown>
  <link target="_blank">
    <![CDATA[
    search?q=source="foo" action=$click.value2$ | stats count by productId&earliest=$timeToken.earliest$&latest=$timeToken.latest$
    ]]>
  </link>
</drilldown>


---
If this reply helps you, Karma would be appreciated.
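The two answers above combined into one complete Simple XML dashboard: a table panel with row drilldown, so $row.dest$ is substituted from the clicked row, and a +/-2 minute window around the row's last-seen time passed to the drilldown search as epoch earliest/latest. This is an added example, not code from either poster or from Splunk; the index name (auth), the field names (action, dest, last_seen, win_earliest, win_latest), the time-picker token name (time_tok) and the 120-second window are all assumptions chosen for illustration. The window bounds are computed in the panel's own search rather than in an eval token, so the values reaching the URL are plain epoch seconds regardless of how the table renders _time.

```xml
<dashboard version="1.1">
  <label>Row-token drilldown with a +/-2 minute window (added example)</label>

  <fieldset submitButton="false">
    <!-- The panel's own time range comes from this picker; it is NOT what the
         drilldown uses, which is the point of the question above. -->
    <input type="time" token="time_tok">
      <label>Panel time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Destinations with failed logons (click a row for the raw events)</title>
      <table>
        <search>
          <!-- Assumed index and fields. win_earliest/win_latest are epoch seconds,
               120 s either side of the most recent failure for that destination. -->
          <query>index=auth action=failure
| stats count latest(_time) AS last_seen BY dest
| eval win_earliest=last_seen-120, win_latest=last_seen+120</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>

        <!-- Only these columns are displayed; the helper fields stay in the
             result row and are still available as $row.win_earliest$ etc. -->
        <fields>dest, count, last_seen</fields>

        <!-- "row" drilldown populates $row.<field>$ for every field in the clicked
             row. With "cell" you would only get the single clicked value. -->
        <option name="drilldown">row</option>

        <drilldown>
          <!-- earliest/latest on the search URL accept epoch values, so the new
               search window is tied to the row, not to the dashboard time picker. -->
          <link target="_blank">
            <![CDATA[
            search?q=index=auth action=failure dest="$row.dest$"&earliest=$row.win_earliest$&latest=$row.win_latest$
            ]]>
          </link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```

If the panel were a timechart instead of a table, the same pattern applies with $click.value$ as the clicked X-axis value and $click.name2$ as the clicked series, as described in bowesmana's reply; the window arithmetic then has to move into <eval token="..."> elements inside <drilldown>, since there is no row to carry precomputed bounds.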