Splunk Enterprise Security

creating drilldown panel based on the selected value in $click.value$

ManishVilla7
Explorer

I want to create a drilldown panel that will run different searches based on the value selected i.e. $click.value$.

search for panel 1 is something like-
my query| top sourcetype
user will click on a sourcetype and then a new panel will come up and i want to give a table with relevant fields based on the selected sourcetype. For example, if the selected sourcetype is firewall, we need to give src dest session_id etc and if the sourcetype is mailbox we need to give sender_email_id receiver_email_id etc.

So, i want to execute table command in my panel 2 based on the sourcetype under consideration.

@somesoni2 @woodcock @gcusello @mayurr98 @rmmiller please help!!

0 Karma

vnravikumar
Champion

Hi

Try this

<dashboard>
  <label>drilldown</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal |top sourcetype</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <drilldown>
          <set token="sourcetype">$row.sourcetype$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$sourcetype$">
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype="$sourcetype$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
0 Karma

ManishVilla7
Explorer

we have to execute different table commands based on the value of the sourcetype, this is just passing sourcetype. I want that if the value of $sourcetype$ is ! then table A runs in panel 2, if sourcetype is B then table B runs.

0 Karma

vnravikumar
Champion

Hi

Check this

<dashboard>
  <label>drilldown</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal |top sourcetype</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <drilldown>
          <condition match="'row.sourcetype' == &quot;mongod&quot;">
            <set token="sourcetype">$row.sourcetype$</set>
            <set token="table">|table date_hour,date_mday,date_second</set>
          </condition>
           <condition match="'row.sourcetype' == &quot;splunkd&quot;">
            <set token="sourcetype">$row.sourcetype$</set>
            <set token="table">|table group,name</set>
          </condition>
          <condition></condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$sourcetype$">
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype="$sourcetype$" $table$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...