Drilldown Token from Single Value Panel to Stats Table Panel

ramuzzini
Path Finder

Need help passing a token value from a Single Value panel that uses ( | stats count) in conjunction with the ( | rex field=_raw) command to a Stats Table panel. I created a dashboard showing various "winevent" logs for user accounts (created, enabled, disabled, deleted, etc.). The current search I have for my various Single Value panels, using the stats command, is seen below (for this example, I used Windows event code 4720 to count "User Account Created" events on the network) and extracted the EventCode.

Acct Enable: index="wineventlog" EventCode=4720
| dedup user
| rex field=_raw "(?m)EventCode=(?<eventcode>[\S]*)"
| stats count

The output gives me a Single Value count of Windows events with EventCode = 4720, ignoring duplicate user records.

I am now trying to capture the extracted "eventcode" using a drilldown in a token for each respective count panel. I have set up the token as:

(Set $token_eventcode$ = $click.value$)

in the drilldown editor of my second query table. Using that token, I want to display the respective records in a second query panel, in a table, as seen below:

Acct Enable: index="wineventlog" EventCode=$token_eventcode$
| table _time, user, src_user, EventCodeDescription

As I am still learning how to use the rex command, I am having problems in this instance capturing the EventCode from the _raw logs, setting it to the ($token_eventcode$) token in the Single Value count query, and passing that value down through a token to the table while maintaining the stats count value.

Any assistance will be greatly appreciated.


gcusello
SplunkTrust

Hi @ramuzzini ,

sorry but there's a thing that I don't understand:

if you forced EventCode = 4720, why did you extract the eventcode from your results? You can only have one result, EventCode = 4720.

if the EventCode=4720 is fixed and you want to pass this EventCode to the drilldown you can insert it in the drilldown row:

(Set $token_eventcode$ = 4720)

otherwise, you could modify your search in the Single Value:

Acct Enable: index="wineventlog" EventCode=4720
| stats count BY EventCode

in this way you have the EventCode value to pass using drilldown, even if, as I said, you don't need it.

If instead the issue is that EventCode=4720 is passed using an input, so it can change, you can use my second solution or use the input token value in the drilldown:

(Set $token_eventcode$ = $input_token$)

Ciao.

Giuseppe

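The two approaches in the answer above (a literal event code in the drilldown of a fixed panel, and an input token forwarded from a dropdown-driven panel), put together as one Simple XML form. This is an added example written for this page, not code from either poster or from Splunk documentation. The dashboard label, panel titles, the dropdown token name input_eventcode, the choice list of account lifecycle codes and the time range are assumptions for illustration; the index, field names and the table columns are taken from the question. Note that the single value search keeps the original dedup user before stats count, so the displayed number is still the count of distinct users.

```xml
<form>
  <!-- <form> rather than <dashboard> because the page carries an input -->
  <label>User account events (added example)</label>

  <fieldset submitButton="false">
    <!-- Assumed dropdown; its token is what the second panel forwards on click -->
    <input type="dropdown" token="input_eventcode" searchWhenChanged="true">
      <label>Event code</label>
      <choice value="4720">4720 - User account created</choice>
      <choice value="4722">4722 - User account enabled</choice>
      <choice value="4725">4725 - User account disabled</choice>
      <choice value="4726">4726 - User account deleted</choice>
      <default>4720</default>
    </input>
  </fieldset>

  <row>
    <panel>
      <!-- Fixed panel: the code never changes, so the drilldown sets it literally -->
      <title>Accounts created (EventCode 4720)</title>
      <single>
        <search>
          <query>index="wineventlog" EventCode=4720 | dedup user | stats count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <set token="token_eventcode">4720</set>
        </drilldown>
      </single>
    </panel>

    <panel>
      <!-- Input-driven panel: forward the dropdown token instead of a literal -->
      <title>Distinct users for EventCode $input_eventcode$</title>
      <single>
        <search>
          <query>index="wineventlog" EventCode=$input_eventcode$ | dedup user | stats count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <set token="token_eventcode">$input_eventcode$</set>
        </drilldown>
      </single>
    </panel>
  </row>

  <!-- Hidden until one of the single values is clicked and the token exists -->
  <row depends="$token_eventcode$">
    <panel>
      <title>Events for EventCode $token_eventcode$</title>
      <table>
        <search>
          <query>index="wineventlog" EventCode=$token_eventcode$ | table _time user src_user EventCodeDescription</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The table row carries depends="$token_eventcode$", so it stays hidden until a click sets the token; without that attribute the table search would run once with the literal text $token_eventcode$ in the query and return nothing. Because the event code is set from a known literal or from a constrained dropdown rather than from $click.value$, the count shown in the single value (which is what $click.value$ would hold) never ends up being used as an EventCode filter.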