How To Make a Table Row Expansion with different searches for each row in a new table?

danielgp89
Path Finder

Hello!

I'm trying to make a drilldown in the same dashboard with the famous Table Row Expansion. Going by the Splunk Dashboard Example App, I see an example, but that one doesn't work for me, because that search only goes for a field that is called "sourcetype" and could work with all the rows because they use the same fields.

But in my case each row has different searches with different fields. Let me give an example:

This is my table:

What I'm looking for is that when I click the ALTUSER table row, it expands down another table with these values:

index=mf MFSOURCETYPE=SMF080 SYSNAME=$field2$ RACF_Command=$RACF1$ | stats count by ALTUSER_Keyword_Specified ALTUSER_User_ID SMF80USR SMF80GRP USER_NAME_FROM_ACEE | rename "ALTUSER_Keyword_Specified" as "Actividad" ALTUSER_User_ID as "Usuario Afectado" SMF80USR as "Usuario Responsable" SMF80GRP as "Grupo" USER_NAME_FROM_ACEE as "Nombre" count as "Total De Eventos" | sort -"Total De Eventos"

And when I click the CONNECT table row, it expands down another table with these values:

index=mf MFSOURCETYPE=SMF080 SYSNAME=$field2$ RACF_Command=$RACF1$ |stats count by CONNECT_Keyword_specified CONNECT_Group_name_(GROUP_keyword) CONNECT_User_ID SMF80USR USER_NAME_FROM_ACEE USER_TOKEN_GROUP |rename CONNECT_Keyword_specified as "CONNECT TYPE" CONNECT_Group_name_(GROUP_keyword) as "A GRUPO CONECTADO" CONNECT_User_ID as "USER CONECTADO" SMF80USR as "USER RESPONSABLE" USER_NAME_FROM_ACEE as "NOMBRE DE USUARIO" USER_TOKEN_GROUP AS "GRUPO DE USUARIO" count as "TOTAL DE EVENTOS" |sort -"TOTAL DE EVENTOS"

As you can see, the fields are different, so I can't have the same table working for each row with the token drilldown option.

I tried to use the token option with the set:

But when I click some of the values in the row, all the tables appear! So that doesn't work either.

So, in case it can't work with the table row expansion, how can I make it so that when I click the ALTER row, a new table appears in another panel with the ALTER values, and when I click the CONNECT row, the ALTER panel disappears and another one appears with the CONNECT values?

Hope you can help me!

Best regards!!!
