Splunk Search

Is there an easy way to create a drilldown for an area chart?

pgort
New Member

I have a dashboard panel that shows the sum of outbound data where I want to click on a value and display the raw events making up that data point.

The search is:

| tstats allow_old_summaries=t sum(All_Traffic.bytes_out) AS sumSent FROM datamodel="Network_Traffic" WHERE nodename="All_Traffic",("All_Traffic.app:subcategory"="file-sharing" OR "All_Traffic.app:subcategory"="database"),(All_Traffic.action="allow" OR All_Traffic.action="alert"),(All_Traffic.dest_zone="outbound"),(dest_ip!=10.0.0.0/8 OR dest_ip!=172.16.0.0/12 OR dest_ip!=192.168.0.0/16 OR dest_ip!=169.254.0.0/16)  groupby _time All_Traffic.app span=10m | eval megabytes=round(((sumSent/1024)/1024),0) | timechart span=10m values(megabytes) AS MB by All_Traffic.app

Is there anything that will convert that to a Simple XML search string?

ex. Adding

    <drilldown target="_blank">
         <link>
               <![CDATA[
             /app/SplunkEnterpriseSecuritySuite/search?q=search%20$click.value2$
              ]]>
           </link>
     </drilldown>

opens a new search, but currently only passes the average of that data point on the graph. I don't understand the syntax to convert my tstats search into XML. It seems like there should be a better way to do this.

0 Karma

lguinn2
Legend

I suggest that you build a form as a custom target for your drilldown. Within the target form, you can write any search that you want - and plug in the click values from this dashboard panel. In your first dashboard, you reference the target form like this:

<link>
  <![CDATA[
     /app/search/yourCustomForm?form.time_token=$click.value$&form.appName=$click.name2$
]]>
</link>

Then in "yourCustomForm" you would use the time_token and the appName to actually retrieve the list of events - or whatever it is that you want to show when someone clicks. But at least this passes on the time and series that was clicked...

There is a section on Dynamic drilldown in dashboards and forms in the Dashboards and Visualizations manual. This is also where you can find the list of drilldown event tokens.

somesoni2
SplunkTrust
SplunkTrust

First thing that I observe is you're using $click.value2$ token which gives just the clicked value, not a fieldname or anything, your drilldown will not work. Even if you pass correct drilldown token (see this for full list) Since, your chart is generated from Data Model, it will not automatically show raw events on click. You would have to pass the search that you want to execute on drilldown and pass the filter value/field names from the chart.

0 Karma

pgort
New Member

So it would be as simple as adding

      <link>
            <![CDATA[
          /app/SplunkEnterpriseSecuritySuite/search?q=| datamodel Network_Traffic Allowed_Traffic search | search (All_Traffic.dest_zone="outbound") AND ("All_Traffic.app:subcategory"="file-sharing" OR "All_Traffic.app:subcategory"="database") AND NOT (All_Traffic.dest_ip=10.0.0.0/8 OR All_Traffic.dest_ip=172.16.0.0/12 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip=169.254.0.0/16)
           ]]>
        </link>
  </drilldown>

and then also passing the earliest/latest time parameter?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...