Drilldown Token from Single Value Panel to Stats Table Panel

ramuzzini
Path Finder

Need help passing a token value from a Single Value Panel using ( | stats count) in conjunction with the ( | rex field=_raw) command to a Stats Table panel. I created a dashboard showing various "winevent" logs for user accounts (created, enabled, disabled, deleted, etc.). The current search I have for my various Single Value panels, using the stats command, is seen below (for this example, I used the Windows event code 4720 to count "User Account Created" events on the network) and extracted the EventCode.

Acct Enable: index="wineventlog" EventCode=4720
| dedup user
| rex field=_raw "(?m)EventCode=(?<eventcode>[\S]*)"
| stats count

Output gives me a Single Value count of Windows event codes that = 4720, ignoring duplicate user records.

I am now trying to capture the extracted "eventcode" using a drilldown in a token for each respective count panel. I have set up the token as:

(Set $token_eventcode$ = $click.value$)

in the drilldown editor of my second query table. Using that token, I want to display the respective records in a second query panel, showing the record(s) info in a table as seen below:

Acct Enable: index="wineventlog" EventCode=$token_eventcode$
| table _time, user, src_user, EventCodeDescription

As I am still learning how to use the rex command, I am having problems in this instance capturing the EventCode from the _raw logs, setting it to the ($token_eventcode$) token in the Single Value Count query, and passing that value down through a token to the table while maintaining the stats count value.

Any assistance will be greatly appreciated.


gcusello
SplunkTrust

Hi @ramuzzini ,

sorry, but there's a thing that I don't understand:

if you forced EventCode = 4720, why did you extract the eventcode from your results? You can have only one result, EventCode = 4720.

if EventCode=4720 is fixed and you want to pass this EventCode to the drilldown, you can insert it in the drilldown row:

(Set $token_eventcode$ = 4720)

otherwise, you could modify your search in the Single Value:

Acct Enable: index="wineventlog" EventCode=4720
| stats count BY EventCode

in this way you have the EventCode value to pass using the drilldown, even if, as I said, you don't need it.

If instead the issue is that EventCode=4720 is passed using an input, so it can change, you can use my second solution or use the input token value in the drilldown:

(Set $token_eventcode$ = $input_token$)

Ciao.

Giuseppe

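The third option from the answer (the event code comes from an input, the single value drilldown copies that input token, and the table panel consumes it), written out as a complete Simple XML dashboard. This is an added example, not code from either poster; the index name, the dropdown event codes other than 4720, the time range and the token names are assumptions.

```xml
<form>
  <label>Account events (added example)</label>
  <fieldset submitButton="false">
    <!-- input token: the selected EventCode drives the single value search -->
    <input type="dropdown" token="input_eventcode">
      <label>Event</label>
      <choice value="4720">User Account Created (4720)</choice>
      <choice value="4722">User Account Enabled (4722)</choice>
      <choice value="4725">User Account Disabled (4725)</choice>
      <choice value="4726">User Account Deleted (4726)</choice>
      <default>4720</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Distinct users, EventCode $input_eventcode$</title>
      <single>
        <search>
          <query>index="wineventlog" EventCode=$input_eventcode$ | dedup user | stats count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- clicking the count copies the input token; $click.value$ would only be the count itself -->
        <drilldown>
          <set token="token_eventcode">$input_eventcode$</set>
        </drilldown>
      </single>
    </panel>
  </row>
  <!-- the table row stays hidden until the drilldown has set the token -->
  <row depends="$token_eventcode$">
    <panel>
      <title>Records for EventCode $token_eventcode$</title>
      <table>
        <search>
          <query>index="wineventlog" EventCode=$token_eventcode$ | table _time, user, src_user, EventCodeDescription</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```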