Splunk Enterprise

Network Diagram Viz: Drilldown to nodes vs. links

rikinet
Path Finder

I want to use drilldowns on a "Network Diagram Viz" custom visualization in a dashboard. I want to show / hide panels depending on whether a node or a link has been clicked in the graph. So I finally need two tokens, $is_node$ and $is_link$, to drive my <panel depends=...> clauses.

I tried various ideas with no success so far, and most of them seem rather clumsy for the small task.

Attempt 1: Splunk Drilldowns -> $row.<fieldname>$:

"Available fields depend on whether a node or link was double clicked:
Double clicking nodes: row.from, row.value, row.type, row.color

Double clicking links: row.from, row.to, row.linkColor, row.linkText, row.linkWidth"

Problem: When clicking first a link and then a node, the link-related variables are not reset, so testing for isnull(row.to) does not help much.

Attempt 2: Same approach, but using the visualization's own token, $nd_to_node_token$

"Node (to): The 'to' field of the selected link. Defaults to $nd_to_node_token$"

Same problem as above. When clicking a node, it retains the value of a previously clicked link.

Attempt 3: Using $click.value$ or $nd_value_token$

"Node or link text: The label value of the selected node, or the linktext of the selected link. Defaults to $nd_value_token$."

Luckily, the "value" of my nodes is always a MAC address and "linktext" of my links is always a 1- or 2-digit number (datatype string). So I can use regular expressions to determine what is clicked. I tried:

<drilldown>
    <eval token="click_type">if(match($nd_value_token$, "^[0-9]{1,2}$"), "is_link", "is_node")</eval>
</drilldown>

... It works, but this only gives me one token ($click_type$) with two possible values, but I need the two separate tokens mentioned above.

I also tried (following this question):

<panel>
  <viz type="network-diagram-viz.network-diagram-viz">
    <search>...</search>
    <drilldown>
      <condition match="match($click.value$, &quot;^\d{1,2}$&quot;)">
        <set token="is_link">true</set>
        <unset token="is_node"></unset>
      </condition>
      <condition match="WHAT_TO_PUT_HERE?">
        <unset token="is_link"></unset>
        <set token="is_node">true</set>
      </condition>
    </drilldown>
  </viz>
</panel>

... but I wouldn't know how to specify the match=... clause in the else branch. And I doubt that using match() in the match=... clause works at all. If I try this, clicking anywhere in the Network Diagram Viz takes me to a Splunk Search page - obviously something's wrong.

Any ideas?

0 Karma

VatsalJagani
SplunkTrust

@rikinet - You were just an inch away from the answer. You can write condition instead of eval to match and set multiple tokens.

<drilldown>
  <condition match="match($nd_value_token$, &quot;^[0-9]{1,2}$&quot;)">
     <set token="is_link">1</set>
     <unset token="is_node"></unset>
  </condition>
  <condition>
     <unset token="is_link"></unset>
     <set token="is_node">1</set>
  </condition>
</drilldown>

 

I hope this helps!!! Kindly upvote if it does!! 


0 Karma

rikinet
Path Finder

@VatsalJagani Thanks, it works now. I must have made some stupid typo before, but the idea was there at least...

However: This solution only works if the value (for nodes) and linkText follow distinct patterns, which makes them somehow distinguishable, e.g. using regex.

Is there a solution that works for any value and linkText values?

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust
@rikinet - Unfortunately no because the Visualization App does not provide support for different tokens. (I do not see an option in the documentation.)

 

Kindly accept the answer as it resolved your question.

0 Karma
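
The full wiring discussed in this thread, as an added example that is not part of the original posts: the drilldown conditions together with the two `depends` panels they drive. It goes one step beyond the accepted answer by matching node values positively and clearing both tokens when the clicked value fits neither pattern. The MAC notation in the second regex, the panel titles and the HTML panel bodies are assumptions, and the search is left elided as in the thread.

```xml
<dashboard>
  <label>Network diagram drilldown (added example)</label>
  <row>
    <panel>
      <viz type="network-diagram-viz.network-diagram-viz">
        <!-- Search elided as in the thread; it supplies the from/to/value/linktext fields -->
        <search>...</search>
        <drilldown>
          <!-- Conditions are evaluated top to bottom; the first match wins -->
          <!-- Link: linktext is a 1- or 2-digit number -->
          <condition match="match($nd_value_token$, &quot;^[0-9]{1,2}$&quot;)">
            <set token="is_link">1</set>
            <unset token="is_node"></unset>
          </condition>
          <!-- Node: value is a MAC address (assumed notation: six hex pairs split by : or -) -->
          <condition match="match($nd_value_token$, &quot;^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$&quot;)">
            <set token="is_node">1</set>
            <unset token="is_link"></unset>
          </condition>
          <!-- Anything else: clear both tokens so no stale panel stays visible -->
          <condition>
            <unset token="is_link"></unset>
            <unset token="is_node"></unset>
          </condition>
        </drilldown>
      </viz>
    </panel>
  </row>
  <row>
    <!-- Each panel renders only while its token is set -->
    <panel depends="$is_node$">
      <title>Node details</title>
      <html><p>Selected node: $nd_value_token$</p></html>
    </panel>
    <panel depends="$is_link$">
      <title>Link details</title>
      <html><p>Selected link: $nd_value_token$</p></html>
    </panel>
  </row>
</dashboard>
```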