Splunk Search

How to create a drilldown that passes the data in the legend of a timechart?

KindaWorking
Path Finder

I am relatively new to all things Splunk.
I am trying to set up a timechart that will pass a value onto another input. I can pass through $click.value$ fine along with $click.value2$. However in a time chart, that passes either the date or the count. I want it to send through the data sitting in the legend.

<drilldown>
  <set token="form.Address1">$click.value$</set>
  <set token="Address1">$click.value$</set>
</drilldown>

What can I use instead of $click.value$?

EDIT: More clarification. I am tracking the use of IP addresses. I have a search (see below) that will timechart which IP address performed a particular search over time.

   ...|timechart count by IPAddress

I then would like to pass through via drilldown which IP address I clicked on.
$click.value$ passes through the date (x axis). $click.value2$ passes through the count (y axis). How do I pass through the IP address instead?

Screenshot showing more of what I want to pass through:
-I do not have enough Karma to attach an image-
Pretty much, when you click on a colored line in the timechart, I want to pass through (via drilldown) the data in the legend (in this case the IP address).

0 Karma
1 Solution

KindaWorking
Path Finder

$click.name2$ is what I needed.

$click.name$ passes through _time where $click.name2$ passes through the data sitting on the legend for what you clicked on (however it does NOT work when you actually click on the legend).

More information here:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Viz/PanelreferenceforSimplifiedXML#chart_.28event_...
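
The accepted fix in context, as an added example that is not part of the original post: a Simple XML form in which clicking a line of the timechart sets `Address1` from `$click.name2$` and a second panel searches on it. The index and sourcetype names are placeholders, and the `useother=f`/`usenull=f` options and the `|s` token filter are additions not mentioned in the thread.

```xml
<!-- Added example, not from the original post. The base search, index and
     sourcetype names are placeholders; only IPAddress, Address1 and the
     $click.*$ tokens come from the thread. -->
<form>
  <label>IP address usage (example)</label>
  <fieldset submitButton="false">
    <input type="text" token="Address1">
      <label>IP address</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Searches over time by IP address</title>
        <search>
          <!-- useother=f / usenull=f keep the OTHER and NULL buckets from
               becoming clickable series whose name is not an IP address -->
          <query>index=placeholder_index sourcetype=placeholder_sourcetype
| timechart useother=f usenull=f count by IPAddress</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <drilldown>
          <!-- click.name2 = series name (the legend entry, here the IP);
               click.value = _time of the point, click.value2 = the count -->
          <set token="form.Address1">$click.name2$</set>
          <set token="Address1">$click.name2$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <!-- Panel stays hidden until a series has been clicked or a value typed -->
    <panel depends="$Address1$">
      <table>
        <title>Events for $Address1$</title>
        <search>
          <!-- |s wraps the token value in quotes so it is treated as one
               literal field value rather than spliced into the SPL -->
          <query>index=placeholder_index sourcetype=placeholder_sourcetype IPAddress=$Address1|s$
| table _time IPAddress</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the `Address1` text input can also be typed into by anyone viewing the dashboard, the `|s` filter matters for that path as well as for the drilldown.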

jayannah
Builder

Need more clarification... your query, sample output and what you want to pass would help us to provide the answer correctly.

0 Karma

KindaWorking
Path Finder

Sorry mate. I edited the question for a bit more info. Thanks.

0 Karma