SPLK-1003 Splunk Enterprise Certified Admin – Splunk Inbuilt & Advanced Visualizations Part 2
- Dashboard Filters: Dynamic Filters
In our previous discussion we created multiple filters: a text box, a drop-down and a time filter. Now we'll see how to make these filters dynamic. The best example of a dynamic filter is the drop-down, so let's see how to create one. As we know by now, to add a filter we enter edit mode on the dashboard and click Add Input. Choose Dropdown and click the pencil icon. This opens the edit function, where we'll configure the drop-down for selecting the source. This is our dynamic filtering example.
You can check Search on Change so that, as soon as you select the IP you want to search for, the panels that depend on it reload automatically. I'll give it the name Dynamic as the token name, and I'll add one static value so that it looks presentable, which is useful while presenting: a default option to display all values, that is star (*). That way, as soon as the dashboard loads, it does not need to wait for the dynamic values of the filter to be built. So we add the static value All, with the value star. Then I'll write a small search query, index=main. It's better if we write it here: index=main.
I'll get all the distinct IPs for the last 30 days. So I'll dedup. The dedup command removes the duplicates of the field client IP, which holds the visitor's IP address on our website. Once you have deduped all the client IPs, that is, removed all the duplicates, I'll create a table with only one field, my client IP. As you can see I've got 182 distinct IP addresses, listed in a table, all unique. I'll copy this search and paste it into the dynamic options, where you can run it as a search, or use a report if you have one.
As we know, we have a report created in our previous tutorials, Active Users in a Month, so the fields could also be extracted from the search that report runs. But for simplicity in this tutorial we'll use the search we have just created, which returns only the client IPs for the last 30 days. What should be the label for this field? The label is the description, like the All that we gave to our static option. That is the best example to explain what the label is: the label is All and the value is star. Here we'll set the label to the client IP itself, so that we know which IP is being passed as the value. Let me click Apply. Then you'll get a clear picture of what is a label and what is a value. As you can see, our search is running; it was populating and now it has completed. Let me click Save. We have the All option, our static choice, and as you can see all the dynamic values, the 182 unique IPs, are part of our drop-down list. So here you can type any IP address and choose them one by one. Click Submit and the respective panel will reload.
This is one example of creating a dynamic filter. So let me finish our filter. I'll choose the default value All and copy the token to pass it to our panels. This is the same token usage as before: we understand that a token must be enclosed in dollar symbols ($...$) in order to get its value. Once we refresh, this should be fixed. We'll edit all the panels so that we can refresh at once. As you can see, this is the field name where we look for the IP address passed by our newly created dynamic filter. Similarly you can edit this in XML: if you click Source, you'll get the XML source where you can make the same change for all these panels. Here I'll choose All to start, so that the star value is passed. Let me reload. Once reloaded, we should see our dynamic filter populated and the default value All passed as part of our dashboard filtering. Let's say I need to look for one specific IP that is part of my dynamic filter. I'll choose one of them. As you can see, all the panels refresh so that only events from that IP are listed. One second: I think there's an editing mistake, since only one panel is being filtered. The filter should be placed before any other command, that is, before our iplocation and top commands. Once we add it there, the panel is filtered automatically. We'll cover the Search Processing Language and its syntax in a separate module, where we'll go through all the 142 or 141 commands that exist. Now let's choose another IP address. As you can see, all our panels refresh and give the details for the selected IP address. So these are some of the ways you can create dynamic filters, using a search query or a report.
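The dynamic drop-down described above, written as Simple XML dashboard source. This is an added example, not the course's own dashboard; it assumes the field is called clientip, the token is dynamic, and that the panel's top command runs over the Country field that iplocation adds.

```xml
<form>
  <label>Dynamic filter demo</label>
  <fieldset submitButton="true">
    <!-- Drop-down input; panels reference its value as $dynamic$ -->
    <input type="dropdown" token="dynamic" searchWhenChanged="true">
      <label>Client IP</label>
      <!-- Static choice, available as soon as the dashboard loads,
           before the populating search below has finished -->
      <choice value="*">All</choice>
      <default>*</default>
      <!-- Both the label shown in the list and the value substituted
           into the token come from the clientip field (assumed name) -->
      <fieldForLabel>clientip</fieldForLabel>
      <fieldForValue>clientip</fieldForValue>
      <!-- Populating search: one row per distinct visitor IP, last 30 days -->
      <search>
        <query>index=main | dedup clientip | table clientip</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Top countries for $dynamic$</title>
      <chart>
        <search>
          <!-- The token filter sits in the base search, ahead of iplocation
               and top, so every later command only sees the selected IP.
               Putting clientip=$dynamic$ after top would filter nothing. -->
          <query>index=main clientip=$dynamic$ | iplocation clientip | top limit=10 Country</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
  </row>
</form>
```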
- Dashboard Drill down Example
In this module we'll look more closely at the drill-down features and how we can enhance the dashboards created in our previous modules to narrow down the events generated by these IP addresses, host names, or any other criteria we use to drill down; in other words, narrowing down the cause of an issue. We'll see how Splunk dashboards can be enhanced so that, without writing additional search queries, they drill down from one dashboard to another dashboard or to search results that give much more information about the events. In this module we'll see what the drill-down feature is (narrowing down to the cause, or to the intended result we are looking for), how to configure it, and how to pass a row value or a column value. Say that in our previous modules we created a couple of dashboards, the demo dashboard here. We can see there are multiple panels, and these panels have rows and columns. Say for this row you need to pass its value to another dashboard, or when you click it, it should drill down.
That gives you more information about this IP. Say I need to see all the pages accessed by this IP address, or the actual raw logs generated by it. As soon as you click, the value is automatically passed to the next dashboard and you can narrow down much further. By the end of this tutorial you'll know how this drill-down feature is configured and how it adds value to your investigation by passing row values and column values. You can also pass these values within the same dashboard: as soon as I click here, without entering any details in the filters, the same dashboard should reload. We can configure that so that when I click this icon or this IP address, the value is passed into the same dashboard and the dashboard reruns. And one more: once I click or select this IP address, it should pass it into a different dashboard where further analysis is carried out. These are the concepts we'll cover in this video.
For the demonstration I have created one more dashboard, named drilldown. No need to worry, these dashboards will be available when you access the lab, so you can see what this dashboard contains, how it's configured and how drill-down is enabled. As you can see, this dashboard has two filters; each says "get value from the previous dashboard". We'll see how to send the value selected by a mouse click on the chart into these inputs: the first is a text value and the second is a drop-down. You can send it to both. The third panel is the complete information, the raw events from the specified source IP. And here it gives the total number of events generated by the IP we got from the previous dashboard. So let's see how to configure drill-down.
- Dashboard Drilldown Configuration
To configure drill-down, go to edit mode on your dashboard. Once inside edit mode, there are two ways to configure drill-down: directly by editing the XML, or using the web console. We'll create one using the web console and then look at the entry generated in the XML. Choose whichever panel you'd like to enable drill-down on and click the three-dot (more actions) icon. As you can see, it opens the drill-down editor. It says "when a user clicks", which you can think of as an on-click function: what should the action be? By default it is No action. We'll choose Link to dashboard. We can also link to a search, to a dashboard, or to reports.
If you want to redirect users to a custom URL, say splunk.com or google.com, you can do that too. These are the options, but for drill-down purposes we need to drill further into our Splunk data, so we'll be looking at Link to dashboard, pointing at our drilldown dashboard. It lists all the dashboards available to the logged-in user; I'll choose drilldown. The next option is the most important one: the advanced field. You need to understand which fields are being passed, that is, in my second dashboard I need to know the token for the value I am passing.
So this is the token that I'll be passing. I'll copy it. Once copied, the syntax takes the form of form data: it starts with form., then the token name (first value), then equals, and here is the interesting part: what value should it pass? As soon as you click, the value just under your mouse cursor should be passed, and the option for that is click.value. Wherever you click on this panel, the value right under your mouse cursor is passed into our drilldown dashboard. Choose click.value and click Save.
Once it has been saved, click on this panel. As you can see, the URL we built in the advanced editor has been filled in with the selected IP address. This is the previous dashboard without any drill-down values, the default, and this is after the drill-down: we have passed the IP address automatically. It has filtered its criteria to the events generated by this IP or 307 and gives results specific to the IP we passed. If you click another IP, the drilldown dashboard gives results specific to that IP. As we have seen, we successfully passed the first value, the token from our previous dashboard, to the drilldown dashboard just by clicking on the panel. This can be chained: it can go up to ten dashboards until you narrow down the exact event that caused the alert or meets the criteria you are looking for. This is just a simple example where one value from one dashboard is passed into another.
Now we'll see how to pass it to the second input of our drilldown dashboard. To do that, we need to know the token the second input uses. Once we have the token, come back to the main demo dashboard, where we'll edit the second panel. To enable drill-down, go to More actions, Edit Drilldown, and for On click choose Link to dashboard. Choose the destination dashboard, which is the drilldown dashboard itself. We know the parameter, that is, the token name.
As you can see, as soon as you type the token name, it starts building the URL string: a form element with the token second value. The value we need to pass is click.value, so whichever element we click on, the value obtained from it is passed. Let's click on some different values. As you can see, the URL has been populated with the drill-down value, 188.138.40.166, and our second input has been completely overwritten from its default by the drill-down feature.
- Dashboard Drilldown to Same dashboard
Similarly, you can use this feature on any number of dashboards, any number of times. This gives you a complete picture. For example, a walkthrough use case in the lab: create something like "how many errors has the Splunk application generated in the last 24 hours" as a single value, like this. Once you click the single value, it should take me to all the Splunk IP addresses that have errors, and if I click one of those instances, it should go to another dashboard where I can see all the events. So as part of the lab exercise you can give it a try. If you face any issues, just leave a comment in the discussion section and I'll assist you. Now we have seen how to pass values from one dashboard to another; let's see an option where we pass these values directly into a search query.
For that we'll use our pie chart example: click More actions, Edit Drilldown. Previously we chose the dashboard to drill into; in this case we'll choose Link to search, because we have already seen a couple of examples for dashboards. The default says the search is generated automatically using the values from the clicked element: whatever search the pie chart uses, it reuses the same search and gives you its results. But we'll create a custom search. This is the search our pie chart runs. Instead of this, my client IP should be click.value, or I can simply mention click.value, which passes the value from the chart wherever I click into the search. It also passes the time range,
whatever time range my panel is using in the dashboard. We have added click.value and some basic searching. Let's see how it works once drill-down is enabled. We have now enabled all three drill-downs: one for the first element of the dashboard, a second for the second element, and a third linking directly to a search. Let's test the search drill-down. As you can see, it redirects to the search query; the IP address we selected has been passed. With just a click, my search query updates automatically and the time frame used is the dashboard time frame we selected.
If I click any number of IPs, it reloads automatically. These are some of the ways you can pass values from one dashboard to another. If you want to pass values within the same dashboard, click Edit Drilldown, and instead of choosing another dashboard, choose the same dashboard, making sure you change the token to the token that exists in this same dashboard. As you can see, the token name is source, so I am changing it to source. I'll click Apply, then Save. If I click now, it opens the demo dashboard, the same dashboard: it drills down into itself. As you can see, my source IP is updated and it gives information only for that specific source. These are some of the most widely used features; as a Splunk admin you'll be creating a lot of drill-downs and workflows, which we'll discuss in the next lecture.
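The three drill-down actions configured in the Dashboard Drilldown Configuration section and the same-dashboard variant just described, shown as the Simple XML the editor generates. This is an added example, not the course's dashboards; it assumes the destination dashboard has id drilldown in the search app with input tokens first_value and second_value, the source dashboard's text input token is source, and the field is clientip.

```xml
<form>
  <label>Demo (drill-down source)</label>
  <fieldset submitButton="true">
    <input type="text" token="source">
      <label>Source IP</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <!-- 1) Link to dashboard: fill the first_value input of the drilldown dashboard -->
    <panel>
      <table>
        <search><query>index=main clientip=$source$ | stats count by clientip</query></search>
        <drilldown>
          <!-- $row.clientip$ is the clientip cell of the clicked row; |u URL-encodes it -->
          <link target="_blank">/app/search/drilldown?form.first_value=$row.clientip|u$</link>
        </drilldown>
      </table>
    </panel>
    <!-- 2) Link to dashboard again, this time filling the second (drop-down) input -->
    <panel>
      <chart>
        <search><query>index=main clientip=$source$ | timechart count by clientip</query></search>
        <drilldown>
          <!-- $click.name2$ is the series name (here the clientip) of the clicked point -->
          <link target="_blank">/app/search/drilldown?form.second_value=$click.name2|u$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <!-- 3) Link to search: custom query carrying the panel's own time range -->
    <panel>
      <chart>
        <search><query>index=main clientip=$source$ | top limit=10 clientip</query></search>
        <option name="charting.chart">pie</option>
        <drilldown>
          <!-- $click.value$ is the pie slice's category; "&" must be written as &amp; in XML -->
          <link target="_blank">search?q=index%3Dmain%20clientip%3D$click.value|u$&amp;earliest=$earliest$&amp;latest=$latest$</link>
        </drilldown>
      </chart>
    </panel>
    <!-- 4) Same dashboard: set the form's own token instead of navigating away -->
    <panel>
      <table>
        <search><query>index=main clientip=$source$ | top limit=5 uri_path</query></search>
        <drilldown>
          <!-- Setting form.source updates the text input and $source$ together,
               so every panel on this dashboard reruns filtered to the clicked IP -->
          <set token="form.source">$click.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
</form>
```

The fourth panel assumes a uri_path field for its query; with $click.value$ on a table that token carries the clicked cell's value, so point it at the clientip column (or use $row.clientip$) when the IP is not the first column.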