Token Management
The drilldown function can update token values and trigger dynamic actions on the current dashboard. Instead of navigating to another search or dashboard, drilldown can manage token values when a user clicks on a panel element.
Depending on the configuration of the dashboard, changing the token values can cause different dynamic changes to its behavior.
How it works
Managing token values is a key element of creating interactive dashboard behavior using the drilldown feature. Before configuring token value updates, you need to plan the desired behavior of the dashboard. For example, it is possible to show or hide content on user click. It is also possible to set a token value that is part of a search query to form a more detailed visualization on the dashboard.
In the drilldown, you can set or change token values on user click. However, changing token values alone does not result in dynamic panel behavior. To provide interactivity, you must configure the panel elements to respond to these token updates.
Configuration Steps
Configuration on token management is done according to the following instructions:
- On the dashboard where you want to customize the drilldown, click
Edit - Select the panel where you want to customize the drilldown and click on the customization icon
- Select the
Token Controllink type
- Configure the required list of tokens to be used
- Click
Apply Settingsto apply the drilldown - Click
Saveto commit the changes to the dashboard
Examples
This dashboard presents a table with the number of events by action type. When a user clicks on a row of the table, an additional visualization appears.
In the drilldown editor there is a possibility to configure token management for each panel. To do this, you need to configure key-value pairs.
In order for the control panel to be displayed only when a specific user action occurs, the depends attribute must be used.
{
"label": "Last 5 events with action: $eventAction$",
...
"depends": ["$eventAction$"]
}
The picture below shows the dashboard after the user clicked on the logged-in action type in the table.
Source Code
{
"label": "Winlog: Statistics on actions",
"inputs": [],
"rows": [{
"panels": [{
"inputs": [],
"height": "not_set",
"label": "Statistics on user events",
"type": "sm",
"viz": {
"options": {
"colorRuleList": [{
"field": "Quantity",
"colorScheme": "scale",
"pallete": "white_to_green",
"show": true,
"isBackground": true
}, {
"field": "Исход",
"colorScheme": "field",
"pallete": [{
"value": "success",
"color": "#65A637"
}, {
"value": "failure",
"color": "#DC4E41"
}
],
"show": true,
"isBackground": true
}
],
"tableAutoWidth": true,
"pagination": {
"enabled": true,
"rowsPerPageList": [{
"label": "5"
}, {
"label": "10"
}, {
"label": "25"
}, {
"label": "50"
}
]
},
"sme": {
"query": "source winlog_auth\r\n| aggs count by event.action.keyword\r\n| sort 0 -count\r\n| rename event.action.keyword as \"Actions\", count as \"Quantity\""
},
"summary": {
"enabled": false
},
"drilldown": {
"enableDrilldown": true,
"drilldownType": "tokenControl",
"drilldownText": "/app/sm-dashboards/winlog_auth_events_journal#?_q=(eventAction:'$row.Actions$')",
"drilldownQuery": "",
"drilldownCustomTimeTokenEarliest": "now-24h",
"drilldownCustomTimeTokenLatest": "now",
"drilldownSelectTimeToken": "",
"drilldownTokens": [{
"name": "$eventAction$",
"value": "$row.Actions$"
}, {
"name": "$count$",
"value": "$row.Quantity$"
}
]
},
"timeToken": "",
"dataTypes": {
"Количество": {
"dateFormat": ""
},
"Исход": {
"dateFormat": ""
}
}
},
"timeToken": {
"start": "now-24h",
"end": "now"
},
"type": "table"
},
"subpanels": []
}
]
}, {
"panels": [{
"inputs": [{
"name": "eventAction",
"label": "Actions",
"type": "selection",
"inputs": [
{
"label": Actions",
"name": "eventAction",
"token": {
"prefix": "",
"suffix": ""
},
"options": {
"static": [],
"default": "",
"filter": {
"label": "",
"value": ""
},
"search": ""
},
"timeInput": ""
}
],
"token": {
"prefix": "",
"suffix": ""
},
"options": {
"static": [],
"default": "",
"filter": {
"label": "",
"value": ""
},
"search": ""
},
"timeInput": "",
"oldName": "eventAction"
}
],
"height": "not_set",
"label": "The last 5 events with an action $eventAction$",
"type": "sm",
"viz": {
"options": {
"colorRuleList": [],
"tableAutoWidth": true,
"pagination": {
"enabled": true,
"rowsPerPageList": []
},
"sme": {
"query": "source winlog_auth\r\n| search event.action.keyword=\"$eventAction$\"\r\n| table @timestamp, host.name,user.name, event.code, event.action, event.outcome\r\n| head 5\r\n| rename @timestamp as \"Time\", host.name as \"Host\", user.name as \"User\", event.code as \"Event Code\", event.action as \"Action\", event.outcome as \"Issue\""
},
"summary": {
"enabled": false
},
"drilldown": {
"enableDrilldown": false,
"drilldownType": "search",
"drilldownText": "",
"drilldownQuery": "",
"drilldownCustomTimeTokenEarliest": "now-24h",
"drilldownCustomTimeTokenLatest": "now",
"drilldownSelectTimeToken": ""
},
"timeToken": ""
},
"timeToken": {
"start": "now-24h",
"end": "now"
},
"type": "table"
},
"depends": [
"$eventAction$"
],
"subpanels": []
}
]
}
],
"vars": []
}