Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to drill down/ launch another search with parameter from results table in dashboard?

nicolasperrenou
Engager
‎07-28-2011 02:23 AM

Hi all. I have a advanced XML dashboard that shows me a table with some results from an web server access log search. When I click on a row, i want Splunk to open a new window and start a new search with a parameter from the search in the dashboard. More specifically, i want the new search to use the IP that I found in the base search and search in another type of log for that ip at the specific time. How can I achieve this (preferrably in a simple way)? This is mi first try, but the second search does not yet take the ip in consideration... Also the timerange needs to be changed, so that i find events that happen slightly before that log event. It would be cool if I simply could write something like

sourcetype="WebAuthLog" type="Login" ip=%ip% latest="%_time%" earliest="%_time%-1h"

So here is my code:

<view template="dashboard.html">
  <label>Test Dashboard</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>

  <module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
    <param name="search">sourcetype="W3CAccessLogAdapter" method="POST" uri="/"</param>

      <module name="TimeRangePicker">
      <param name="searchWhenChanged">True</param>

      <module name="Paginator">
        <param name="entityName">events</param>
        <param name="count">50</param>

        <module name="SimpleResultsTable">
          <param name="displayRowNumbers">true</param>
          <param name="drilldown">row</param>
          <param name="entityName">events</param>
          <param name="fields">clientip, req_time</param>

          <module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
            <param name="search">sourcetype="WebAuthLog" type="Login" </param>

            <module name="ConvertToDrilldownSearch">
              <module name="ViewRedirector">
                <param name="viewTarget">flashtimeline</param>
                <param name="popup">true</param>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</view>

Thanks and best regards

Nicolas

Reply

thall79
Communicator
‎07-28-2011 01:52 PM

Have you tried creating another HiddenSearch module before your ViewRedirector. This should pass your click value down to that hidden search which will output to a new window with the view redirector.

For the time part need to play around a little.

travis.

Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...