Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Change destination search clicking on a pie report

pinzer
Path Finder
‎10-20-2010 10:16 AM

Hi all, i need to change the destination of a report when clicking on the pie slice of a pie report.

the query that i'm using to create the pie is this:

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security"| eval IP=case(sourcetype=="webseal_access", IP_Source, sourcetype=="wmi:wineventlog:security", Source_Network_Address) | search [search eventtype="searchIPS2" Direction="Inbound" Severity="Medium"  DestinationIP=* | fields DestinationIP | rename DestinationIP as IP | dedup IP] | stats count by IP | sort count desc

It show a pie divided by IP with the count for each IP. clicking on the slice of the pie it show the same query in another window with added IP="1.2.3.4". I need to insert automatically "| where " in this query before the IP="1.2.3.4"

Thanks to all who can help me

0 Karma
Reply

meenal901
Communicator
‎08-11-2015 03:39 AM

Hi,

You can use drilldown tag to link to another page and use a new query. Here is an example for _internal logs, you can modify for your data:

Dashboard-1: Pie chart:

pie

<panel>
  <chart>
    <searchString>index=_internal | stats count by sourcetype</searchString>
    <earliestTime>-4h@m</earliestTime>
    <latestTime>now</latestTime>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">pie</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
    <drilldown target="My new window">

      <link>pie_drilldown?sourcetype=$click.value$</link>
    </drilldown> 
  </chart>
</panel>

Dashboard-2: Drilldown

$sourcetype$
pie_drilldown

<panel>

  <table>
    <title>Showing results for $sourcetype$ </title>  
    <searchString>index=_internal |search sourcetype=$sourcetype$| stats count by source,host</searchString>
    <earliestTime>-4h@m</earliestTime>
    <latestTime>now</latestTime>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...