Splunk Enterprise

help on dashboard drilldown

jip31
Motivator

Hello

As you can see below, I call a savedsearch in my dashboard and I link my table panel with a drilldown.

<form stylesheet="format.css">
  <label>Logon and reboot</label>...<fieldset submitButton="true" autoRun="true">
    <input type="dropdown" token="tok_filtersite" searchWhenChanged="true">
      <label>Site</label>
      <choice value="*">*</choice>
      <initialValue>*</initialValue>
    </input>
  </fieldset>

  <row>
    <panel>
      <title></title>
      <table>
        <title></title>
        <search>
          <query>| loadjob savedsearch="admin:TUTU_sh:Event - LogonReboot" 
| search Site=$tok_filtersite|s$</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <link target="_blank">/app/TUTU_sh/event_monitoring__last_reboot_and_last_logon_details?Site=$tok_filtersite|s$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

The search that is in my drilldown is the same as the one in the savedsearch, but there are just new fields in my stats command and also different token filters.

I have 2 problems with my drilldown:

1) I need to improve performance because the search concerns the last 30 days.

2) There is obviously a little gap between the events returned by the savedsearch and the results returned by the drilldown.

My need is to have a drilldown with good performance and with the same perimeter of events as in the savedsearch.

Can anybody advise me please?

<form>
  <label>Event monitoring - Last reboot and last logon details</label>
  <fieldset submitButton="true">
    <input type="text" token="tok_filterhost" searchWhenChanged="true">
      <label>Hostname</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="tok_reboot" searchWhenChanged="true">
      <label>Days without reboot</label>
      <!-- the token is spliced directly after the field name (NbDaysReboot$tok_reboot$),
           so both the default and the initial value must carry the comparison operator -->
      <default>=*</default>
      <initialValue>=*</initialValue>
    </input>
    <input type="text" token="tok_logon" searchWhenChanged="true">
      <label>Days without logon</label>
      <default>=*</default>
      <initialValue>=*</initialValue>
    </input>
    <input type="text" token="tok_filtermodel" searchWhenChanged="true">
      <label>Model.</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="tok_filterbuilding" searchWhenChanged="true">
      <label>Building.</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="tok_filteros" searchWhenChanged="true">
      <label>OS.</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>[| inputlookup host.csv | table host] `LastLogonBoot`
| fields host SystemTime EventCode
| eval host=upper(host)
| eval SystemTime=strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'")
| stats latest(SystemTime) as SystemTime by host EventCode
| xyseries host EventCode SystemTime
| rename "6005" as LastLogon "6006" as LastReboot
| eval NbDaysLogon=round((now() - LastLogon)/(3600*24), 0)
| eval NbDaysReboot=round((now() - LastReboot)/(3600*24), 0)
| eval LastLogon=strftime(LastLogon, "%y-%m-%d %H:%M")
| eval LastReboot=strftime(LastReboot, "%y-%m-%d %H:%M")
| search NbDaysLogon$tok_logon$
| search NbDaysReboot$tok_reboot$
| lookup lookup_patch "Computer" as host output FileName
| lookup fo_all HOSTNAME as host output SITE COUNTRY TOWN ROOM BUILDING_CODE DESCRIPTION_MODEL MANUFACTURER_NAME OS
| search SITE=$Site$
| search NbDaysReboot &gt;= 15 AND NbDaysLogon &gt;= 15
| stats last(LastReboot) as "Last reboot date", last(NbDaysReboot) as "Days without reboot", last(LastLogon) as "Last logon date", last(NbDaysLogon) as "Days without logon", last(MANUFACTURER_NAME) as Manufacturer, last(DESCRIPTION_MODEL) as Model, last(OS) as OS, last(FileName) as "Patch level", last(COUNTRY) as Country, last(TOWN) as Town, last(SITE) as Site, last(BUILDING_CODE) as Building, last(ROOM) as Room by host
| rename host as Hostname
| search Building=$tok_filterbuilding$
| search Model=$tok_filtermodel$
| search Hostname=$tok_filterhost$
| search OS=$tok_filteros$
| sort -"Days without logon" -"Days without reboot"</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
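Added example (editor's illustration, not jip31's dashboards and not code shipped with Splunk). The two dashboards above explain both symptoms: the first panel reads the artifact of the last scheduled run with `loadjob`, while the drilldown re-runs a live search over `-30d@d` to `now` with its own `NbDaysReboot >= 15 AND NbDaysLogon >= 15` filter, so the time window and the filters differ, and the 30-day scan is paid again on every click. The pair of dashboards below makes both sides read the same `loadjob` artifact, so the drilldown shows exactly the perimeter of the saved search and costs no new scan. It assumes the scheduled saved search "Event - LogonReboot" already computes every field both dashboards need (`Hostname`, `Site`, `NbDaysReboot`, `NbDaysLogon`), that its artifact is retained long enough for viewers (`dispatch.ttl`) and readable by them, and that the detail dashboard's tokens are named `Site`, `Hostname`, `tok_reboot` and `tok_logon`; those names are assumptions, not taken from the original post.

```xml
<!-- Dashboard 1: summary table. Each row links to the detail dashboard for the clicked host.
     Assumption: the scheduled saved search already outputs Hostname, Site, NbDaysReboot, NbDaysLogon. -->
<form stylesheet="format.css">
  <label>Logon and reboot</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="dropdown" token="tok_filtersite" searchWhenChanged="true">
      <label>Site</label>
      <choice value="*">*</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- loadjob returns the artifact of the last scheduled run; earliest/latest do not apply to it -->
          <query>| loadjob savedsearch="admin:TUTU_sh:Event - LogonReboot"
| search Site=$tok_filtersite|s$</query>
        </search>
        <drilldown>
          <!-- pass the current site filter and the clicked row's host; |u URL-encodes each value -->
          <link target="_blank">/app/TUTU_sh/event_monitoring__last_reboot_and_last_logon_details?Site=$tok_filtersite|u$&amp;Hostname=$row.Hostname|u$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

<!-- Dashboard 2: event_monitoring__last_reboot_and_last_logon_details.
     Same artifact as dashboard 1, filtered by the tokens received in the URL plus the day thresholds. -->
<form>
  <label>Event monitoring - Last reboot and last logon details</label>
  <fieldset submitButton="true">
    <input type="text" token="Site" searchWhenChanged="true">
      <label>Site</label>
      <default>*</default>
    </input>
    <input type="text" token="Hostname" searchWhenChanged="true">
      <label>Hostname</label>
      <default>*</default>
    </input>
    <!-- the user types the operator with the number, e.g. >=15; the default keeps every host -->
    <input type="text" token="tok_reboot" searchWhenChanged="true">
      <label>Days without reboot (operator and number, e.g. &gt;=15)</label>
      <default>&gt;=0</default>
    </input>
    <input type="text" token="tok_logon" searchWhenChanged="true">
      <label>Days without logon (operator and number, e.g. &gt;=15)</label>
      <default>&gt;=0</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- no base search is re-run: the rows are the saved search's own results, filtered in memory -->
          <query>| loadjob savedsearch="admin:TUTU_sh:Event - LogonReboot"
| search Site=$Site|s$ Hostname=$Hostname|s$
| where NbDaysReboot $tok_reboot$ AND NbDaysLogon $tok_logon$
| sort -NbDaysLogon -NbDaysReboot</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Two practical notes. If the detail dashboard needs fields the saved search does not yet produce, add them to the scheduled search rather than to the drilldown: one scheduled scan feeds both views and they can never disagree. Also, `tok_reboot` and `tok_logon` are spliced into the query as raw text (an operator plus a number), which is what the original dashboards do as well; value tokens such as `Site` and `Hostname` use the `|s` filter so they arrive as quoted strings, and if the free-text threshold inputs ever face untrusted users, replacing them with a dropdown of fixed choices removes the ability to alter the SPL.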
