Splunk Enterprise

help on dashboard drilldown

jip31
Motivator

Hello

 

As you can see below, I call a saved search in my dashboard and I link my table panel with a drilldown:

<form stylesheet="format.css">
  <label>Logon and reboot</label>...<fieldset submitButton="true" autoRun="true">
    <input type="dropdown" token="tok_filtersite" searchWhenChanged="true">
      <label>Site</label>
      <choice value="*">*</choice>
      <initialValue>*</initialValue>
    </input>
  </fieldset>

  <row>
    <panel>
      <title></title>
      <table>
        <title></title>
        <search>
          <query>| loadjob savedsearch="admin:TUTU_sh:Event - LogonReboot" 
| search Site=$tok_filtersite|s$</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <link target="_blank">/app/TUTU_sh/event_monitoring__last_reboot_and_last_logon_details?Site=$tok_filtersite|s$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

 

The search in my drilldown is the same as the one in the saved search, but there are just new fields in my stats command and also different token filters.

I have 2 problems with my drilldown:

1) I need to improve performance, because the search covers the last 30 days.

2) There is obviously a little gap between the events returned by the saved search and the results returned by the drilldown.

What I need is a drilldown with good performance and with the same scope of events as in the saved search.

Can anybody advise me, please?

<form>
  <label>Event monitoring - Last reboot and last logon details</label>
  <fieldset submitButton="true">
    <input type="text" token="tok_filterhost" searchWhenChanged="true">
      <label>Hostname</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="tok_reboot" searchWhenChanged="true">
      <label>Days without reboot</label>
      <default>=*</default>
      <initialValue>=*</initialValue>
    </input>
    <input type="text" token="tok_logon" searchWhenChanged="true">
      <label>Days without logon</label>
      <default>=*</default>
      <initialValue>=*</initialValue>
    </input>
    <input type="text" token="tok_filtermodel" searchWhenChanged="true">
      <label>Model.</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="tok_filterbuilding" searchWhenChanged="true">
      <label>Building.</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="tok_filteros" searchWhenChanged="true">
      <label>OS.</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>
    [| inputlookup host.csv 
    | table host] `LastLogonBoot` 
| fields host SystemTime EventCode 
| eval host=upper(host) 
| eval SystemTime=strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'") 
| stats latest(SystemTime) as SystemTime by host EventCode 
| xyseries host EventCode SystemTime 
| rename "6005" as LastLogon "6006" as LastReboot 
| eval NbDaysLogon=round((now() - LastLogon)/(3600*24), 0) 
| eval NbDaysReboot=round((now() - LastReboot )/(3600*24), 0) 
| eval LastLogon=strftime(LastLogon, "%y-%m-%d %H:%M") 
| eval LastReboot=strftime(LastReboot, "%y-%m-%d %H:%M") 
| search NbDaysLogon$tok_logon$ 
| search NbDaysReboot$tok_reboot$ 
| lookup lookup_patch "Computer" as host output FileName 
| lookup fo_all HOSTNAME as host output SITE COUNTRY TOWN ROOM BUILDING_CODE DESCRIPTION_MODEL MANUFACTURER_NAME OS 
| search SITE=$Site$ 
| search NbDaysReboot &gt;= 15 AND NbDaysLogon &gt;= 15 
| stats last(LastReboot) as "Last reboot date", last(NbDaysReboot) as "Days without reboot", last(LastLogon) as "Last logon date", last(NbDaysLogon) as "Days without logon", last(MANUFACTURER_NAME) as Manufacturer, last(DESCRIPTION_MODEL) as Model, last(OS) as OS, last(FileName) as "Patch level", last(COUNTRY) as Country, last(TOWN) as Town, last(SITE) as Site, last(BUILDING_CODE) as Building, last(ROOM) as Room by host 
| rename host as Hostname 
| search Building=$tok_filterbuilding$ 
| search Model=$tok_filtermodel$ 
| search Hostname=$tok_filterhost$ 
| search OS=$tok_filteros$
| sort -"Days without logon" -"Days without reboot"</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
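The two problems in the post have one cause visible in the XML above: the first dashboard reads the artifact of a scheduled saved search with `loadjob`, while the drilldown re-runs the full 30-day search at the moment of the click, with a different `now()` and a different `-30d@d` window. The example below is an added illustration, not code from the original post or from Splunk: the first dashboard captures the search job id of its own table panel with a `<done>` handler (`$job.sid$` is a standard Simple XML search-event token) and passes it in the drilldown URL, and the second dashboard reuses that job with `| loadjob $sid$` instead of re-running the search. The token name `tok_sid`, the URL parameter `sid` and the field name `Hostname` are assumptions for this example.

```xml
<!-- Dashboard 1 (added example): capture the panel's job id and hand it to the drilldown. -->
<form stylesheet="format.css">
  <label>Logon and reboot</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="dropdown" token="tok_filtersite" searchWhenChanged="true">
      <label>Site</label>
      <choice value="*">*</choice>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| loadjob savedsearch="admin:TUTU_sh:Event - LogonReboot"
| search Site=$tok_filtersite|s$</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
          <!-- $job.sid$ is the id of this panel's finished search job;
               tok_sid is an assumed token name -->
          <done>
            <set token="tok_sid">$job.sid$</set>
          </done>
        </search>
        <drilldown>
          <!-- |u URL-encodes the values; sid is an assumed URL parameter name.
               $row.Hostname$ assumes the table has a Hostname column. -->
          <link target="_blank">/app/TUTU_sh/event_monitoring__last_reboot_and_last_logon_details?sid=$tok_sid|u$&amp;Site=$tok_filtersite|u$&amp;tok_filterhost=$row.Hostname|u$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

<!-- Dashboard 2 (added example): read the same job instead of re-running 30 days of events.
     sid, Site and tok_filterhost arrive as URL parameters set by the link above. -->
<form>
  <label>Event monitoring - Last reboot and last logon details</label>
  <fieldset submitButton="true">
    <input type="text" token="tok_filterhost" searchWhenChanged="true">
      <label>Hostname</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- loadjob returns the rows the first panel already computed, so the
               drilldown can only show fields that job produced -->
          <query>| loadjob $sid$
| search Site=$Site|s$ Hostname=$tok_filterhost|s$
| sort -"Days without logon" -"Days without reboot"</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Two caveats apply. `loadjob` can only return fields that the reused job already contains, so any field the drilldown filters on (Building, Model, OS, patch level) has to be produced by the saved search's own `stats`, not recomputed in the drilldown; moving those fields into the saved search is what keeps both views on the same set of hosts. And the job must still exist when the link is opened: search jobs expire after their TTL, and the user opening the link needs read access to it (the same user, or a job whose saved search is shared).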
