Splunk Enterprise Security

Is there a drill down search variable substitution?

umesh
Path Finder

Hi 

I have two questions here 

1. In the drilldown search I have given dest=$dest$ and it is not working, and when I click on the contributing link it is reflecting the same.

2. When I click on the drilldown search, it takes me to the search window with the time range as last 30 mins, but what I expect is the custom time range when the event got triggered.

I kept the offset values at default.

Please let me know.

Thanks


bowesmana
SplunkTrust

Depending on whether you are showing a table or chart, there are different tokens available for drilldown, giving different attributes. The easy option for tables is to make sure the drilldown option is row, not cell, and then use $row.field$ as @richgalloway says.

For charts, you can get the X-axis with $click.value$ and the Y-axis with $click.value2$; see here:

https://docs.splunk.com/Documentation/Splunk/9.0.1/Viz/PanelreferenceforSimplifiedXML#Predefined_dri...

So, if you have a timechart, then click.value will give you the time. If you then want your drilldown search to have time constraints, create earliest/latest tokens to use for the subsequent drilldown search.

Note, if you want to give yourself a window around the clicked time range, then you would have to do some calculations to create a window around the search, e.g.

<eval token="earliest">relative_time($click.value$, "-2m")</eval>
<eval token="latest">relative_time($click.value$, "+2m")</eval>

Just an example that would give a 2 minute +/- window around the clicked time range.


umesh
Path Finder

@bowesmana I am doing this drilldown in Enterprise Security notable events, not in dashboards; the drilldown search is for getting the contributing events for the notable. I am using tokens in the drilldown search as index=xxx | search Dest=$dest$

richgalloway
SplunkTrust

1. Try dest=$row.dest$ as the argument to the drilldown. It says to use the "dest" field from the clicked table row. If the dashboard panel is not showing a table, then you'll want to use $click.value2$ to represent the thing the user clicked on.

2. To specify a time window in your drilldown search, include earliest and latest keywords, referencing your custom timerange token.

<drilldown>
  <link target="_blank">
    <![CDATA[
search?q=source="foo" action=$click.value2$ | stats count by productId&earliest=$timeToken.earliest$&latest=$timeToken.latest$
    ]]>
  </link>
</drilldown>

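As an added example (not code from this thread, from Splunk's documentation, or from Enterprise Security), the Simple XML dashboard below puts the two answers together in one runnable file: a timechart panel whose drilldown derives a +/- 2 minute earliest/latest window from $click.value$ with relative_time(), as bowesmana describes, and a table panel whose drilldown uses $row.dest$ with the panel's own time range, as richgalloway describes. The index name firewall, the action=blocked filter and the field dest are assumptions chosen for illustration. This shows the dashboard drilldown the answers talk about; the Enterprise Security notable-event drilldown the asker later mentions is configured on the correlation search rather than in Simple XML and is not shown here.

```xml
<dashboard>
  <label>Drilldown example: click-bounded contributing-event searches</label>
  <row>
    <panel>
      <!-- Constructed example: index, action filter and dest field are assumptions -->
      <chart>
        <title>Blocked connections by destination (example data)</title>
        <search>
          <query>index=firewall action=blocked | timechart span=5m count by dest</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <drilldown>
          <!-- For a timechart, $click.value$ is the clicked X-axis value in epoch seconds,
               $click.name2$ is the clicked series (here the dest value) and
               $click.value2$ is the Y-axis value (here the count). -->
          <!-- Build a +/- 2 minute window around the clicked bucket start. -->
          <eval token="drill_earliest">relative_time($click.value$, "-2m")</eval>
          <eval token="drill_latest">relative_time($click.value$, "+2m")</eval>
          <set token="drill_dest">$click.name2$</set>
          <!-- Open the contributing events in a new search window, bounded by the tokens. -->
          <link target="_blank">
            <![CDATA[
search?q=index=firewall action=blocked dest="$drill_dest$"&earliest=$drill_earliest$&latest=$drill_latest$
            ]]>
          </link>
        </drilldown>
      </chart>
    </panel>
    <panel>
      <table>
        <title>Top destinations (row drilldown)</title>
        <search>
          <query>index=firewall action=blocked | stats count by dest | sort - count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- Row drilldown makes every field of the clicked row available as $row.<field>$ -->
        <option name="drilldown">row</option>
        <drilldown>
          <!-- $earliest$ and $latest$ here are the time range of this panel's search,
               so the drilldown covers the same window the table was built from. -->
          <link target="_blank">
            <![CDATA[
search?q=index=firewall action=blocked dest="$row.dest$"&earliest=$earliest$&latest=$latest$
            ]]>
          </link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```

Two practical checks when adapting this: tokens inside a drilldown link are URL-encoded by default, so a dest value containing spaces or special characters still arrives intact in the search bar; and SPL field names are case-sensitive, so a search written as Dest=$dest$ will not match events whose extracted field is named dest.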