Splunk Enterprise

help on dashboard drilldown

jip31

Hello


As you can see below, I call a saved search in my dashboard and I link my table panel with a drilldown.


<form stylesheet="format.css">
  <label>Logon and reboot</label>...<fieldset submitButton="true" autoRun="true">
    <input type="dropdown" token="tok_filtersite" searchWhenChanged="true">
      <label>Site</label>
      <choice value="*">*</choice>
      <initialValue>*</initialValue>
    </input>
  </fieldset>

  <row>
    <panel>
      <title></title>
      <table>
        <title></title>
        <search>
          <query>| loadjob savedsearch="admin:TUTU_sh:Event - LogonReboot" 
| search Site=$tok_filtersite|s$</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <link target="_blank">/app/TUTU_sh/event_monitoring__last_reboot_and_last_logon_details?Site=$tok_filtersite|s$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>


The search that is in my drilldown is the same as the one that exists in the saved search, but there are just new fields in my stats command and also different token filters.

I have 2 problems with my drilldown:

1) I need to improve performance because the search covers the last 30 days

2) There is obviously a small gap between the events returned by the saved search and the results returned by the drilldown

What I need is a drilldown with good performance and with the same perimeter of events as in the saved search.

Can anybody advise me please?


<form>
  <label>Event monitoring - Last reboot and last logon details</label>
  <fieldset submitButton="true">
    <input type="text" token="tok_filterhost" searchWhenChanged="true">
      <label>Hostname</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="tok_reboot" searchWhenChanged="true">
      <label>Days without reboot</label>
      <!-- The token is concatenated as NbDaysReboot$tok_reboot$ in the query, so its
           value must carry its own operator (for example ">=15"). An initialValue of a
           bare "*" would produce "NbDaysReboot*", so it is aligned with the default. -->
      <default>=*</default>
      <initialValue>=*</initialValue>
    </input>
    <input type="text" token="tok_logon" searchWhenChanged="true">
      <label>Days without logon</label>
      <!-- Same rule as tok_reboot: the value is appended to NbDaysLogon in the query -->
      <default>=*</default>
      <initialValue>=*</initialValue>
    </input>
    <input type="text" token="tok_filtermodel" searchWhenChanged="true">
      <label>Model.</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="tok_filterbuilding" searchWhenChanged="true">
      <label>Building.</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="tok_filteros" searchWhenChanged="true">
      <label>OS.</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- Base search: the LastLogonBoot macro restricted to the hosts listed in
             host.csv. The latest SystemTime per host and EventCode is pivoted into one
             row per host, the two codes are renamed to LastLogon/LastReboot, their age
             in days is computed against now(), and the row is then enriched from the
             patch and asset lookups before the dashboard token filters are applied. -->
        <search>
          <query>[| inputlookup host.csv
| table host] `LastLogonBoot`
| fields host SystemTime EventCode
| eval host=upper(host)
| eval SystemTime=strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'")
| stats latest(SystemTime) as SystemTime by host EventCode
| xyseries host EventCode SystemTime
| rename "6005" as LastLogon "6006" as LastReboot
| eval NbDaysLogon=round((now() - LastLogon)/(3600*24), 0)
| eval NbDaysReboot=round((now() - LastReboot)/(3600*24), 0)
| eval LastLogon=strftime(LastLogon, "%y-%m-%d %H:%M")
| eval LastReboot=strftime(LastReboot, "%y-%m-%d %H:%M")
| search NbDaysLogon$tok_logon$
| search NbDaysReboot$tok_reboot$
| lookup lookup_patch "Computer" as host output FileName
| lookup fo_all HOSTNAME as host output SITE COUNTRY TOWN ROOM BUILDING_CODE DESCRIPTION_MODEL MANUFACTURER_NAME OS
| search SITE=$Site$
| search NbDaysReboot &gt;= 15 AND NbDaysLogon &gt;= 15
| stats last(LastReboot) as "Last reboot date", last(NbDaysReboot) as "Days without reboot", last(LastLogon) as "Last logon date", last(NbDaysLogon) as "Days without logon", last(MANUFACTURER_NAME) as Manufacturer, last(DESCRIPTION_MODEL) as Model, last(OS) as OS, last(FileName) as "Patch level", last(COUNTRY) as Country, last(TOWN) as Town, last(SITE) as Site, last(BUILDING_CODE) as Building, last(ROOM) as Room by host
| rename host as Hostname
| search Building=$tok_filterbuilding$
| search Model=$tok_filtermodel$
| search Hostname=$tok_filterhost$
| search OS=$tok_filteros$
| sort -"Days without logon" -"Days without reboot"</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

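The drilldown pattern discussed in the post, as an added example that is not one of the original dashboards: the link carries the clicked row's host next to the site filter, and the target dashboard reads the same saved-search artifact through `loadjob` instead of re-running the 30-day base search. `loadjob` returns the results of the most recent run of the saved search, computed at whatever time that run happened, whereas a live search with `earliest=-30d@d` and `latest=now` is evaluated at click time; reading the same artifact from both dashboards is what keeps their event perimeter identical and removes the 30-day rescan. The saved-search name, app, dashboard id and the Site column are taken from the post. The assumptions are mine: that the saved search is scheduled and already emits every column the detail view needs (Hostname, Site, "Days without reboot", "Days without logon"), and the `form.tok_filterhost` URL parameter used to pre-fill the target's Hostname input.

```xml
<!-- Added example, not the original post's dashboards. Assumes the saved search
     "admin:TUTU_sh:Event - LogonReboot" is scheduled and already outputs the columns
     Hostname, Site, "Days without reboot" and "Days without logon". -->

<!-- Source dashboard: the clicked row drives the drilldown -->
<form>
  <label>Logon and reboot</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="dropdown" token="tok_filtersite" searchWhenChanged="true">
      <label>Site</label>
      <choice value="*">*</choice>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- loadjob reads the artifact of the last scheduled run: no 30-day rescan -->
          <query>| loadjob savedsearch="admin:TUTU_sh:Event - LogonReboot"
| search Site=$tok_filtersite|s$</query>
        </search>
        <drilldown>
          <!-- $row.Hostname$ is the host of the clicked row and |u URL-encodes it.
               The form. prefix pre-fills the tok_filterhost input of the target form;
               Site is read there as the plain $Site$ token, as in the post. -->
          <link target="_blank">/app/TUTU_sh/event_monitoring__last_reboot_and_last_logon_details?Site=$tok_filtersite|s$&amp;form.tok_filterhost=$row.Hostname|u$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

<!-- Target dashboard: filters the same artifact instead of re-running the base search -->
<form>
  <label>Event monitoring - Last reboot and last logon details</label>
  <fieldset submitButton="true">
    <input type="text" token="tok_filterhost" searchWhenChanged="true">
      <label>Hostname</label>
      <default>*</default>
    </input>
    <input type="text" token="tok_reboot" searchWhenChanged="true">
      <!-- value carries its own operator, e.g. ">=15", because it is appended to a
           where clause below -->
      <label>Days without reboot (e.g. &gt;=15)</label>
      <default>&gt;=0</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- $Site$ comes from the URL query string written by the drilldown link -->
          <query>| loadjob savedsearch="admin:TUTU_sh:Event - LogonReboot"
| search Site=$Site$ Hostname=$tok_filterhost$
| where 'Days without reboot' $tok_reboot$
| sort -"Days without logon" -"Days without reboot"</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Two practical checks go with this: the user opening the target dashboard needs read access to the saved search's artifact, and the artifact must still be within its dispatch TTL, otherwise `loadjob` returns nothing and the panel looks empty rather than failing loudly.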