Skip to main content
Sumo Logic

Add a Dashboard Link

With the concat and the tourl operator, you can link values in a table panel in a Dashboard to any Dashboard where you have View permissions. You can also pass dynamic values to these dashboards and searches based on the table entry.

These in-query links provide convenient drill down when you need to solve a problem. For example, if you track  user activity on your website in a dashboard, you can have a panel that gives summary statistics of each of the users such as their number of logins and also provide a links to details that open searches or other dashboards where you can find out about specific search statistics and dashboard usage.

image4.pngAll you or another dashboard user needs to do is select the link and drill down:


Linking a Dashboard to another Dashboard

  1. Select the Share Screen Shot 2019-08-06 at 3.21.20 PM.png icon on the Dashboard you want to link to a dashboard and select Shareable URL.
  2. Enable Share with filter values applied to pick up the filter criteria in the link.
  3. Select Copy to for the Dashboard link. 
  4. Open the search for the Dashboard you want to include the link. 

  5. Add a line to your query using the concat and the toURL operators. Replace**user*eq*null  with your full dashboard link. Be sure that the link includes the the URL with filter values enabled that you copied. The URL contains the filter name and values in the format filter=filtername*eq*value.

  6. Use the concat operator to dynamically apply the filter value. In the example below, I have a field name orgID   to pass values to the filter org_id  
    tourl(concat("**user*eq*null**org_id*eq*", orgId), "Account Dashboard") as org 

Linking a Dashboard to a Search

Probably more common than linking a Dashboard to a Dashboard, is linking  a Dashboard to a search. You can use the linked Dashboard as a list of possible searches to help you investigate further by providing the dynamic values as links.

  1. Build your search and include the dynamic value for your link, using both the concat and urlencode operators.
    For example, to build a query that gives login activity for a user:

    urlencode(concat(“_sourceCategory=login_events and ” , user)) as search_query

  2. Create a URL and pass the search query you created as the parameter in the URL string. 
    | format ("https://{YourURL}/ui/#/search/@%d,%d@%s",querystarttime(),queryendtime(),search_query) as search_query_link

  3. Create a hyperlink with the appropriate description using the toURL operator.  For example:

    | tourl(search_query_link , "Click Here") as search_query_link
  4. Add the search to the dashboard. The field search_query_link automatically converts to hyperlink in the dashboard. In our example dashboard Click Here displays.

    Screen Shot 2019-08-15 at 8.27.00 PM.png

Amazon GuardDuty Dashboard Use Case

Threat data provided by the GuardDuty provides a lot of data into threats you are facing. With a linked dashboard, we can drill down into one particular threat to understand it better. 

For example we can modify the  default Amazon GuardDuty - Threat Details Benchmark dashboard of the GuardDuty app, making the threatName column a link to threatDetails.


Clicking on the threatDetails link gives us the raw guard duty event associated with that particular threatType and threatPurpose. This allows users to get more details about the particular threat, like  which resource was affected by the threat:

  • Name
  • ID
  • IP address
  • Security permissions applied to the resource.

All this information can help your users investigate security incidents quickly and effectively.  To create this link, add the following snippet to your to the existing GuardDuty panel query.  Include the section at the end of your query:

| urlencode(concat("_sourceCategory={SumoGuardDutysourceCategoryName} 
| json field=_raw \"id\", \"type\",\"severity\" ,\"title\",\"description\", \"accountId\", \"resource.resourceType\", \"region\" | toint(severity) as sev | parse field=type \"*:*/*\" as threatPurpose, targetResource, threatName | where threatName = \"", threatName ,"\" and threatPurpose=\"",threatPurpose ,"\"")) as query
|format("https://{yourSumoDashboardURL}/ui/index.html#section/search/@%d,%d@%s",queryStarttime(),queryendtime(),query) as url
| tourl(url, threatName) as threatName
| fields -query,url