Splunk Search

help on a pie slice with drilldown

jip31 (Motivator)

Hi

I use the search below in order to display a pie chart and to change the label of each pie slice:

`CPU`
| fields process_cpu_used_percent host process_name
| eval process_name=case(
    process_name like "mfev%" OR process_name like "mcdatrep" OR process_name=="mcshield" OR process_name=="amupdate" OR process_name=="McScript_InUse" OR process_name=="macompatsvc" OR process_name=="FrameworkService" OR process_name=="McScanCheck", "McAFEE",
    process_name like "Wmi%", "WMI")
| stats count by process_name

By clicking on a pie slice, I open a drilldown in order to display the events related to the pie slice.

So I have added the advanced parameters:

process_name = $click.value$
host = $tok_filterhost$

What is strange is that when I click on the "WMI" pie slice, I can display events in the drilldown, but when I click on the "McAFEE" pie slice, I am not able to display events.

What is wrong, please?

1 Solution

bowesmana (SplunkTrust)

@jip31 

It's not clear how your drilldown tokens are being set, as that must be in a separate dashboard, but what I can see in that example is the line

search process_name=$process_name$ 

but if that token has a value that contains spaces, then it will be like doing

| search process_name=MS Telemetry

and your process name will never be = "MS"

When you use tokens that may contain spaces, you should either do

| search process_name="$process_name$"

OR

| search process_name=$process_name|s$

which will ensure you are quoting the token value.

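The whole slice-to-events flow in one Simple XML dashboard, as an added example rather than the poster's own XML: the pie chart's <drilldown> stores the clicked label in a token, and the table panel filters with $process_name|s$, so a label such as MS Telemetry reaches the search as one double-quoted string. The dashboard label, the trimmed case() list with a true() "Other" default, the token names and the tok_filterhost text input are assumptions for illustration; the `CPU` macro and the field names are the ones from the thread. The same |s filter is the right choice when the value arrives through a form.process_name URL parameter from another dashboard, which is what the "advanced parameters" drilldown generates.

```xml
<form>
  <label>CPU by process with slice drilldown (added example)</label>
  <fieldset submitButton="false">
    <!-- Host filter; "*" matches every host and still works as a wildcard when quoted by |s -->
    <input type="text" token="tok_filterhost">
      <label>Host</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Samples per process group (click a slice)</title>
        <search>
          <query>`CPU`
| fields process_cpu_used_percent host process_name
| search host=$tok_filterhost|s$
| eval process_name=case(
    process_name like "mfev%" OR process_name=="mcshield" OR process_name=="McScript_InUse", "McAFEE",
    process_name like "Wmi%", "WMI",
    process_name like "CompatTelRunner%", "MS Telemetry",
    true(), "Other")
| stats count by process_name</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <drilldown>
          <!-- $click.value$ is the slice label, e.g. "MS Telemetry" (contains a space) -->
          <set token="process_name">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <!-- Hidden until a slice has been clicked and the token exists -->
  <row depends="$process_name$">
    <panel>
      <title>Latest CPU sample per host for $process_name$</title>
      <table>
        <search>
          <query>`CPU`
| fields process_cpu_used_percent host process_name
| search host=$tok_filterhost|s$
| eval process_name=case(
    process_name like "mfev%" OR process_name=="mcshield" OR process_name=="McScript_InUse", "McAFEE",
    process_name like "Wmi%", "WMI",
    process_name like "CompatTelRunner%", "MS Telemetry",
    true(), "Other")
| search process_name=$process_name|s$
| stats latest(_time) as _time latest(process_cpu_used_percent) as cpu_pct by host process_name
| eval "CPU alert time"=strftime(_time, "%m/%d/%Y %H:%M"), "CPU used (%)"=round(cpu_pct, 2)."%"
| rename host as Hostname, process_name as "Process name"
| table "CPU alert time" Hostname "Process name" "CPU used (%)"</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

With the plain form process_name=$process_name$, clicking the MS Telemetry slice expands the second search to | search process_name=MS Telemetry, which the search command parses as the term process_name=MS plus the free-text word Telemetry. The |s filter wraps the token value in double quotes and backslash-escapes any double quotes inside it, so the expansion becomes process_name="MS Telemetry" and the comparison is made against the whole label; the same case() expression must be applied in both panels, otherwise the table searches for a label that does not exist in the raw process_name field.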

jip31 (Motivator)

Can anybody help?

ITWhisperer (SplunkTrust)

You responded "perfect, many thanks!!!" so presumably something worked? What is the issue?


ITWhisperer (SplunkTrust)

It looks like you have converted a lot of process names to McAFEE. When you do the drill down, do you convert McAFEE back to a list of possible process names?

jip31 (Motivator)

I have converted all security processes to McAfee...

No, in the drilldown I use the same eval process_name as in the search form.

bowesmana (SplunkTrust)

Can you post your dashboard panel details - much easier to diagnose with all the information - how are you using the $process_name$ token in your subsequent search?


jip31 (Motivator)

Here is the XML:

<dashboard>
  <label>CPU detail avec case</label>
  <row>
    <panel>
      <table>
        <search>
          <query>
    `CPU` 
| fields process_cpu_used_percent host process_name 
| eval time = strftime(_time, "%m/%d/%Y %H:%M") 
| eval process_name=case(
    process_name like "mfev%" OR process_name like "mcdatrep" OR process_name=="mcshield" OR process_name=="amupdate" OR process_name=="McScript_InUse" OR process_name=="macompatsvc" OR process_name=="FrameworkService" OR process_name=="McScanCheck", "McAFEE",
    process_name like "Wmi%", "WMI",
    process_name=="conhost", "CMD Windows console",
    process_name=="csrss" OR process_name=="System" OR process_name=="TiWorker" OR process_name=="msfeedssync" OR process_name=="msiexec" OR process_name=="rundll32" OR process_name=="services" OR process_name like "svchost%" OR process_name=="OneDriveSetup" OR process_name=="poqexec" OR process_name=="unsecapp" OR process_name=="TabTip" OR process_name=="Memory_Compression" OR process_name=="SetupHost" OR process_name=="WerFault" OR process_name=="explorer" OR process_name=="mscorsvw" OR process_name=="sppsvc" OR process_name=="ngen" OR process_name=="spoolsv" OR process_name=="SrTasks" OR process_name=="policyHost" OR process_name=="dwm" OR process_name=="perf-test-9c" OR process_name like "SearchProtocolHost%" OR process_name like "RuntimeBroker%" OR process_name like "LogonUI%", "Windows native process",
    process_name=="taskhost", "Tasks scheduler",
    process_name like "powershell%", "Powershell",
    process_name=="WINWORD", "Word",
    process_name=="chrome", "Chrome",
    process_name=="OUTLOOK", "Outlook",
    process_name like "CompatTelRunner%", "MS Telemetry",
    process_name like "iexplore%", "IE Explorer")
| search host=$host$ 
| search process_name=$process_name$ 
| stats values(_time) as _time, latest(process_cpu_used_percent) as "CPU used (%)" by host process_name 
| eval "CPU used (%)"=round('CPU used (%)', 2)."%" 
| sort -_time 
| eval "CPU alert time" = strftime(_time, "%m/%d/%Y %H:%M") 
| rename host as Hostname, process_name as "Process name" 
| table "CPU alert time" Hostname "Process name" "CPU used (%)"</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>


jip31 (Motivator)

I have spoken too fast...

It's very strange: now it works for WMI and Windows native process but, for example, not for MS Telemetry!

jip31 (Motivator)

perfect, many thanks!!!


ITWhisperer (SplunkTrust)

It sounds like you might have a problem with your drilldown query but it is difficult to be certain without further information


jip31 (Motivator)

Sorry...

in fact, it works just for 
