Splunk Search

condition drilldown - with link target

anissabnk
Path Finder

Hello,

I want to make a drilldown with those services: and I have to apply a drilldown for (s3-bucket / vpc / ec2)


 

I've tried several things but nothing works

 

<row>
<panel>
<title>AWS Services Monitoring</title>
<table>
<search>
<!--done>
<set token="Services">$click.name$</set>
</done-->
<query>index="aws_vpc_corp-it_security-prd" sourcetype="aws:s3:csv" ShortConfigRuleName="*"
| eval Services = case(
match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
match(ShortConfigRuleName, "iam-password"), "iam-password",
match(ShortConfigRuleName, "iam-policy"), "iam-policy",
match(ShortConfigRuleName, "iam-user"), "iam-user",
match(ShortConfigRuleName, "guardduty"), "guardduty",
match(ShortConfigRuleName, "ec2"), "ec2",
match(ShortConfigRuleName, "vpc"), "vpc",
match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
match(ShortConfigRuleName, "subnet"), "subnet",
match(ShortConfigRuleName, "lambda-function"), "lambda-function",
1=1, "Other")
|search Services!=Other
| lookup aws_security_all_account_ids account_id AS AccountId OUTPUT name
| table name AccountId Services ShortConfigRuleName ComplianceType OrderingTimestamp ResultRecordedTime
| dedup AccountId Services ShortConfigRuleName ComplianceType | rename name as "AWS Account Name", "ComplianceType" as "Status", "OrderingTimestamp" as "Last Check", "ResultRecordedTime" as "Next Check"
|fillnull value="N/A"
|search $ResourceName$ $Services$ $Status$</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">row</option>
<option name="refresh.display">progressbar</option>
<option name="wrap">true</option>
<format type="color" field="Status">
<colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
</format>
<drilldown>
<condition match="$Services$ != &quot;s3-bucket&quot;">
<set token="Services">s3-bucket</set>
<link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&amp;AccountId=$row.AccountId$&amp;Services=$row.Services$&amp;S3_details=true&amp;earliest=$earliest$&amp;latest=$latest$&amp;Status=$row.Status$</link>
</condition>

<condition match="$Services$ != &quot;vpc&quot;">
<set token="Services">vpc</set>
<link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&amp;AccountId=$row.AccountId$&amp;Services=$row.Services$&amp;VPC_details=true&amp;earliest=$earliest$&amp;latest=$latest$&amp;Status=$row.Status$</link>
</condition>

<condition match="$Services$ != &quot;ec2&quot;">
<set token="Services">ec2</set>
<link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&amp;AccountId=$row.AccountId$&amp;Services=$row.Services$&amp;EC2_details=true&amp;earliest=$earliest$&amp;latest=$latest$&amp;Status=$row.Status$</link>
</condition>
</drilldown>
</table>
</panel>
</row>

 

The drilldown is supposed to ‘point’ to a second dashboard in the following way:

 </panel>
<panel depends="$VPC_details$">
<title>VPC DETAILS : ShortConfigRuleName=$ShortConfigRuleName$ Service=$Services$</title>
<table>
<search>
<query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
|search AccountId=$AccountId$
|search ComplianceType=$Status$
| eval Services = case(
match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
match(ShortConfigRuleName, "iam-password"), "iam-password",
match(ShortConfigRuleName, "iam-policy"), "iam-policy",
match(ShortConfigRuleName, "iam-user"), "iam-user",
match(ShortConfigRuleName, "guardduty"), "guardduty",
match(ShortConfigRuleName, "ec2"), "ec2",
match(ShortConfigRuleName, "vpc"), "vpc",
match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
match(ShortConfigRuleName, "subnet"), "subnet",
match(ShortConfigRuleName, "lambda-function"), "lambda-function",
1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
|rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
|appendcols
[ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$
|table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="ComplianceType">
<colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
</format>
<format type="color" field="State">
<colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
</format>
<drilldown>
<condition>
<!-- Check that the filter exactly matches the selected service -->
<eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
<eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
<eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
</condition>
</drilldown>
</table>
</panel>
<panel depends="$EC2_details$">
<title>EC2 DETAILS : ShortConfigRuleName=$ShortConfigRuleName$ Service=$Services$</title>
<table>
<search>
<query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
|search AccountId=$AccountId$
|search ComplianceType=$Status$
| eval Services = case(
match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
match(ShortConfigRuleName, "iam-password"), "iam-password",
match(ShortConfigRuleName, "iam-policy"), "iam-policy",
match(ShortConfigRuleName, "iam-user"), "iam-user",
match(ShortConfigRuleName, "guardduty"), "guardduty",
match(ShortConfigRuleName, "ec2"), "ec2",
match(ShortConfigRuleName, "vpc"), "vpc",
match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
match(ShortConfigRuleName, "subnet"), "subnet",
match(ShortConfigRuleName, "lambda-function"), "lambda-function",
1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
|rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
|appendcols
[ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$
|table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="ComplianceType">
<colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
</format>
<format type="color" field="State">
<colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
</format>
<drilldown>
<condition>
<!-- Check that the filter exactly matches the selected service -->
<eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
<eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
<eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
</condition>
</drilldown>
</table>
</panel>
<panel depends="$SERVICES_details$">
<title>SERVICES DETAILS : ShortConfigRuleName=$ShortConfigRuleName$ Service=$Services$</title>
<table>
<search>
<query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
|search AccountId=$AccountId$
|search ComplianceType=$Status$
| eval Services = case(
match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
match(ShortConfigRuleName, "iam-password"), "iam-password",
match(ShortConfigRuleName, "iam-policy"), "iam-policy",
match(ShortConfigRuleName, "iam-user"), "iam-user",
match(ShortConfigRuleName, "guardduty"), "guardduty",
match(ShortConfigRuleName, "ec2"), "ec2",
match(ShortConfigRuleName, "vpc"), "vpc",
match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
match(ShortConfigRuleName, "subnet"), "subnet",
match(ShortConfigRuleName, "lambda-function"), "lambda-function",
1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
|rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
|appendcols
[ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$
|table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="ComplianceType">
<colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
</format>
<format type="color" field="State">
<colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
</format>
<drilldown>
<condition>
<!-- Check that the filter exactly matches the selected service -->
<eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
<eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
<eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
</condition>
</drilldown>
</table>
</panel>
</row>

 

When s3-bucket is selected, we point to the ‘S3_details’ panel, and so on

The link target works fine, but it's the click value at the beginning with the service selection that doesn't work

0 Karma
bowesmana
SplunkTrust

Do you mean in the second dashboard, there are inputs which are not selected as you wanted?

If so, it's probably because the input token is named form.xxx, so if your input dropdown for Services is the token ShortConfigRuleName, then you should pass the URL with

form.ShortConfigRuleName=$row.ShortConfigRuleName$
0 Karma

anissabnk
Path Finder

Hello,

Thank you for your answer but it doesn't work.

panel 1 :

<row>
<panel>
<title>AWS Services Monitoring</title>
<table>
<search>
<!--done>
<set token="Services">$click.name$</set>
</done-->
<query>index="aws_vpc_corp-it_security-prd" sourcetype="aws:s3:csv" ShortConfigRuleName="*"
| eval Services = case(
match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
match(ShortConfigRuleName, "iam-password"), "iam-password",
match(ShortConfigRuleName, "iam-policy"), "iam-policy",
match(ShortConfigRuleName, "iam-user"), "iam-user",
match(ShortConfigRuleName, "guardduty"), "guardduty",
match(ShortConfigRuleName, "ec2"), "ec2",
match(ShortConfigRuleName, "vpc"), "vpc",
match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
match(ShortConfigRuleName, "subnet"), "subnet",
match(ShortConfigRuleName, "lambda-function"), "lambda-function",
1=1, "Other")
|search Services!=Other
| lookup aws_security_all_account_ids account_id AS AccountId OUTPUT name
| table name AccountId Services ShortConfigRuleName ComplianceType OrderingTimestamp ResultRecordedTime
| dedup AccountId Services ShortConfigRuleName ComplianceType | rename name as "AWS Account Name", "ComplianceType" as "Status", "OrderingTimestamp" as "Last Check", "ResultRecordedTime" as "Next Check"
|fillnull value="N/A"
|search $ResourceName$ $Services$ $Status$</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">row</option>
<option name="refresh.display">progressbar</option>
<option name="wrap">true</option>
<format type="color" field="Status">
<colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
</format>
<drilldown>
<condition match="$row.Services$ != &quot;s3-bucket&quot;">
<link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&amp;AccountId=$row.AccountId$&amp;Services=$row.Services$&amp;S3_details=true&amp;earliest=$earliest$&amp;latest=$latest$&amp;Status=$row.Status$</link>
</condition>
<condition match="$row.Services$ != &quot;vpc&quot;">
<link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&amp;AccountId=$row.AccountId$&amp;Services=$row.Services$&amp;VPC_details=true&amp;earliest=$earliest$&amp;latest=$latest$&amp;Status=$row.Status$</link>
</condition>
<condition match="$row.Services$ != &quot;ec2&quot;">
<link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&amp;AccountId=$row.AccountId$&amp;Services=$row.Services$&amp;EC2_details=true&amp;earliest=$earliest$&amp;latest=$latest$&amp;Status=$row.Status$</link>
</condition>
</drilldown>
</table>
</panel>
</row>

panel 2:

<row>
<panel depends="$S3_details$">
<title>S3 DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title>
<table>
<search>
<query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
|search AccountId=$AccountId$
|search ComplianceType=$Status$
| eval Services = case(
match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
match(ShortConfigRuleName, "iam-password"), "iam-password",
match(ShortConfigRuleName, "iam-policy"), "iam-policy",
match(ShortConfigRuleName, "iam-user"), "iam-user",
match(ShortConfigRuleName, "guardduty"), "guardduty",
match(ShortConfigRuleName, "ec2"), "ec2",
match(ShortConfigRuleName, "vpc"), "vpc",
match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
match(ShortConfigRuleName, "subnet"), "subnet",
match(ShortConfigRuleName, "lambda-function"), "lambda-function",
1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
|rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
|appendcols
[ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$
|table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="ComplianceType">
<colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
</format>
<format type="color" field="State">
<colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
</format>
<drilldown>
<condition>
<!-- Check that the filter exactly matches the selected service -->
<eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
<eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
<eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
</condition>
</drilldown>
</table>
</panel>
<panel depends="$VPC_details$">
<title>VPC DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title>
<table>
<search>
<query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
|search AccountId=$AccountId$
|search ComplianceType=$Status$
| eval Services = case(
match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
match(ShortConfigRuleName, "iam-password"), "iam-password",
match(ShortConfigRuleName, "iam-policy"), "iam-policy",
match(ShortConfigRuleName, "iam-user"), "iam-user",
match(ShortConfigRuleName, "guardduty"), "guardduty",
match(ShortConfigRuleName, "ec2"), "ec2",
match(ShortConfigRuleName, "vpc"), "vpc",
match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
match(ShortConfigRuleName, "subnet"), "subnet",
match(ShortConfigRuleName, "lambda-function"), "lambda-function",
1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
|rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
|appendcols
[ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$
|table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="ComplianceType">
<colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
</format>
<format type="color" field="State">
<colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
</format>
<drilldown>
<condition>
<!-- Check that the filter exactly matches the selected service -->
<eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
<eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
<eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
</condition>
</drilldown>
</table>
</panel>
<panel depends="$EC2_details$">
<title>EC2 DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title>
<table>
<search>
<query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
|search AccountId=$AccountId$
|search ComplianceType=$Status$
| eval Services = case(
match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
match(ShortConfigRuleName, "iam-password"), "iam-password",
match(ShortConfigRuleName, "iam-policy"), "iam-policy",
match(ShortConfigRuleName, "iam-user"), "iam-user",
match(ShortConfigRuleName, "guardduty"), "guardduty",
match(ShortConfigRuleName, "ec2"), "ec2",
match(ShortConfigRuleName, "vpc"), "vpc",
match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
match(ShortConfigRuleName, "subnet"), "subnet",
match(ShortConfigRuleName, "lambda-function"), "lambda-function",
1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
|rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
|appendcols
[ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$
|table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="ComplianceType">
<colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
</format>
<format type="color" field="State">
<colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
</format>
<drilldown>
<condition>
<!-- Check that the filter exactly matches the selected service -->
<eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
<eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
<eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
</condition>
</drilldown>
</table>
</panel>
<panel depends="$SERVICES_details$">
<title>SERVICES DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title>
<table>
<search>
<query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
|search AccountId=$AccountId$
|search ComplianceType=$Status$
| eval Services = case(
match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
match(ShortConfigRuleName, "iam-password"), "iam-password",
match(ShortConfigRuleName, "iam-policy"), "iam-policy",
match(ShortConfigRuleName, "iam-user"), "iam-user",
match(ShortConfigRuleName, "guardduty"), "guardduty",
match(ShortConfigRuleName, "ec2"), "ec2",
match(ShortConfigRuleName, "vpc"), "vpc",
match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
match(ShortConfigRuleName, "subnet"), "subnet",
match(ShortConfigRuleName, "lambda-function"), "lambda-function",
1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
|rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
|appendcols
[ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" |search AccountId=$AccountId$
|table InstanceId InstanceName Platform State |dedup InstanceId InstanceName Platform State]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="ComplianceType">
<colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
</format>
<format type="color" field="State">
<colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
</format>
<drilldown>
<condition>
<!-- Check that the filter exactly matches the selected service -->
<eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
<eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
<eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
</condition>
</drilldown>
</table>
</panel>
</row>

But it doesn't work: when I select the vpc filter, I arrive at the S3_details view instead of arriving at VPC_details; when I select the s3-bucket filter, I go to VPC_details instead of S3_details; when I select the ec2 filter, I end up on S3_details instead of EC2_details.

0 Karma

bowesmana
SplunkTrust

Look at your condition match statements, e.g. your first one does

<condition match="$row.Services$ != &quot;s3-bucket&quot;">

and then it sets S3_details="true"

same for VPC and the other. So you probably want to change your matches to = rather than !=

0 Karma

anissabnk
Path Finder
<condition match="$Services$ == &quot;vpc&quot;"> </condition>
<!--eval token="VPC_details">if(match($Services$, "vpc"), "true", "false")</eval>

<set token="VPC_details"></set>
<unset token="S3_details"></unset>
<unset token="EC2_details"></unset-->
<condition>
<link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&amp;AccountId=$row.AccountId$&amp;Services=$row.Services$&amp;VPC_details=true&amp;earliest=$earliest$&amp;latest=$latest$&amp;Status=$row.Status$</link>

</condition>



I tried this but it doesn't work

0 Karma

bowesmana
SplunkTrust

Why did you do that? That's different to what you originally posted as well as changing the != to ==

Your original posted attempt was this

<condition match="$row.Services$ != &quot;vpc&quot;">

You just tried this

<condition match="$Services$ == &quot;vpc&quot;"> </condition>

 You changed both the match token AND the comparator.

You only need to change the comparator - it works fine.

0 Karma

anissabnk
Path Finder

This : <condition match="$row.Services$ == &quot;s3-bucket&quot;"> works fine

0 Karma
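
The fix the thread arrives at, written out as a complete drilldown block. This is an added example, not posted by either participant; the link targets and token names are copied from the question.

```xml
<drilldown>
  <!--
    Conditions are checked top to bottom and only the first one that
    matches runs. With the original "!=" tests:
      row Services=vpc       : "!= s3-bucket" is true, so the S3_details link fires
      row Services=s3-bucket : "!= s3-bucket" is false, "!= vpc" is true,
                               so the VPC_details link fires
      row Services=ec2       : "!= s3-bucket" is true, so the S3_details link fires
    which is the behaviour reported in the thread.

    $row.Services$ is the Services field of the clicked row. $Services$ is a
    different, dashboard-level token (the one used in the panel's search filter),
    so it is not the value to test here.
  -->
  <condition match="$row.Services$ == &quot;s3-bucket&quot;">
    <link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&amp;AccountId=$row.AccountId$&amp;Services=$row.Services$&amp;S3_details=true&amp;earliest=$earliest$&amp;latest=$latest$&amp;Status=$row.Status$</link>
  </condition>
  <condition match="$row.Services$ == &quot;vpc&quot;">
    <link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&amp;AccountId=$row.AccountId$&amp;Services=$row.Services$&amp;VPC_details=true&amp;earliest=$earliest$&amp;latest=$latest$&amp;Status=$row.Status$</link>
  </condition>
  <condition match="$row.Services$ == &quot;ec2&quot;">
    <link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&amp;AccountId=$row.AccountId$&amp;Services=$row.Services$&amp;EC2_details=true&amp;earliest=$earliest$&amp;latest=$latest$&amp;Status=$row.Status$</link>
  </condition>
</drilldown>
```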