I have a dashboard panel that shows the sum of outbound data where I want to click on a value and display the raw events making up that data point.
The search is:
| tstats allow_old_summaries=t sum(All_Traffic.bytes_out) AS sumSent FROM datamodel="Network_Traffic" WHERE nodename="All_Traffic",("All_Traffic.app:subcategory"="file-sharing" OR "All_Traffic.app:subcategory"="database"),(All_Traffic.action="allow" OR All_Traffic.action="alert"),(All_Traffic.dest_zone="outbound"),(dest_ip!=10.0.0.0/8 OR dest_ip!=172.16.0.0/12 OR dest_ip!=192.168.0.0/16 OR dest_ip!=169.254.0.0/16) groupby _time All_Traffic.app span=10m | eval megabytes=round(((sumSent/1024)/1024),0) | timechart span=10m values(megabytes) AS MB by All_Traffic.app
Is there anything that will convert that to a Simple XML search string?
<drilldown target="_blank">
  <link>
    <![CDATA[ /app/SplunkEnterpriseSecuritySuite/search?q=search%20$click.value2$ ]]>
  </link>
</drilldown>
opens a new search, but currently only passes the average of that data point on the graph. I don't understand the syntax to convert my tstats search into XML. It seems like there should be a better way to do this.
I suggest that you build a form as a custom target for your drilldown. Within the target form, you can write any search that you want - and plug in the click values from this dashboard panel. In your first dashboard, you reference the target form like this:
<link>
  <![CDATA[ /app/search/yourCustomForm?form.time_token=$click.value$&form.appName=$click.name2$ ]]>
</link>
Then in "yourCustomForm" you would use the time_token and the appName to actually retrieve the list of events - or whatever it is that you want to show when someone clicks. But at least this passes on the time and series that was clicked...
The first thing I observe is that you're using the $click.value2$ token, which gives just the clicked value, not a field name or anything, so your drilldown will not work. Even if you pass the correct drilldown token (see this for the full list), since your chart is generated from a Data Model, it will not automatically show raw events on click. You would have to pass the search that you want to execute on drilldown and pass the filter values/field names from the chart.
So it would be as simple as adding
<drilldown target="_blank">
  <link>
    <![CDATA[ /app/SplunkEnterpriseSecuritySuite/search?q=| datamodel Network_Traffic Allowed_Traffic search | search (All_Traffic.dest_zone="outbound") AND ("All_Traffic.app:subcategory"="file-sharing" OR "All_Traffic.app:subcategory"="database") AND NOT (All_Traffic.dest_ip=10.0.0.0/8 OR All_Traffic.dest_ip=172.16.0.0/12 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip=169.254.0.0/16) ]]>
  </link>
</drilldown>
and then also passing the earliest/latest time parameter?
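Putting the two answers together (the custom-form target from the first answer and the datamodel search with a time range from the second), here is an added example; it is not code from the thread or from Splunk's documentation. The source chart's drilldown passes the clicked series ($click.name2$) and the clicked bucket's time range to a target form, and the form runs the raw-event search over exactly that bucket. The form name traffic_drilldown, the token names trange and app, and the app name Outbound MB by app are assumptions. The example relies on two Simple XML behaviours as I understand them: on a time-based chart, $earliest$ and $latest$ hold the time range of the clicked bucket rather than the whole panel, and a time input named trange is populated from the URL via form.trange.earliest / form.trange.latest. The $app|s$ token filter quotes and escapes the value before it is spliced into the search string, which is the safer way to put a URL-supplied token into SPL.

```xml
<!-- Source dashboard: the chart whose drilldown opens the target form (added example). -->
<dashboard>
  <label>Outbound MB by app</label>
  <row>
    <panel>
      <chart>
        <search>
          <!-- Same tstats search as in the question, with the RFC1918/link-local
               exclusion written as NOT (...) so the filter actually excludes them. -->
          <query>| tstats allow_old_summaries=t sum(All_Traffic.bytes_out) AS sumSent FROM datamodel="Network_Traffic" WHERE nodename="All_Traffic" ("All_Traffic.app:subcategory"="file-sharing" OR "All_Traffic.app:subcategory"="database") (All_Traffic.action="allow" OR All_Traffic.action="alert") All_Traffic.dest_zone="outbound" NOT (All_Traffic.dest_ip=10.0.0.0/8 OR All_Traffic.dest_ip=172.16.0.0/12 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip=169.254.0.0/16) groupby _time All_Traffic.app span=10m | eval megabytes=round(((sumSent/1024)/1024),0) | timechart span=10m values(megabytes) AS MB by All_Traffic.app</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <drilldown target="_blank">
          <!-- $click.name2$ = clicked series (the app); $earliest$/$latest$ = the clicked 10m bucket.
               Form names and token names below are assumptions for this example. -->
          <link>
            <![CDATA[ /app/search/traffic_drilldown?form.app=$click.name2$&form.trange.earliest=$earliest$&form.trange.latest=$latest$ ]]>
          </link>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>

<!-- Target form "traffic_drilldown" (saved as a separate dashboard): shows the raw events
     for the clicked app within the clicked time bucket (added example). -->
<form>
  <label>Outbound traffic drilldown</label>
  <fieldset submitButton="false">
    <!-- Filled from the URL parameters form.trange.earliest / form.trange.latest -->
    <input type="time" token="trange">
      <label>Clicked bucket</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Filled from the URL parameter form.app -->
    <input type="text" token="app">
      <label>App</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Raw outbound events for $app$</title>
      <event>
        <search>
          <!-- Same filters as the chart, applied to the raw Data Model events.
               $app|s$ quotes/escapes the token value so a crafted URL cannot alter the search. -->
          <query>| datamodel Network_Traffic All_Traffic search
| search All_Traffic.app=$app|s$ ("All_Traffic.app:subcategory"="file-sharing" OR "All_Traffic.app:subcategory"="database") (All_Traffic.action="allow" OR All_Traffic.action="alert") All_Traffic.dest_zone="outbound" NOT (All_Traffic.dest_ip=10.0.0.0/8 OR All_Traffic.dest_ip=172.16.0.0/12 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip=169.254.0.0/16)</query>
          <earliest>$trange.earliest$</earliest>
          <latest>$trange.latest$</latest>
        </search>
      </event>
    </panel>
  </row>
</form>
```

Because the time range travels with the click, the target form does not have to reconstruct the 10-minute bucket from $click.value$; and because the raw-event search is written once in the form rather than URL-encoded into the drilldown link, it is easy to keep its filters identical to the chart's tstats search.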