Sumo Logic

Add a Dashboard Link

You can use the tourl operator to link values in a dashboard to any other dashboard where you have View permissions. You can also pass dynamic values to these dashboards and searches based on a table entry.

These in-query links provide convenient drill-down capabilities for problem solving. For example, if you track user activity on your website in a dashboard, you can have a panel that provides summary statistics for each user, such as number of logins, as well as links to details that open searches or other dashboards with specific search and dashboard usage statistics.

The following dashboard is an example of in-query links, shown in parallel columns.

The following animation illustrates how you can drill down into the data by selecting an in-query link.

Linking a Dashboard to another Dashboard

Now that you've seen the advantage of in-query links, this section shows how to use them to link one dashboard to another.

To create a link from one dashboard to another, do the following:

  1. Open the dashboard you want to link to another dashboard and select the Share icon.
  2. Select Shareable URL and enable Share with filter values applied to include filter criteria in the link.
  3. Select Copy. The button text changes to Copied when the link has been copied to the clipboard.

  4. Now, go to the dashboard where you want the link to appear and open Search for the desired panel. The following is the example Search query we'll use for this task. We'll use the tourl operator to add the link to the panel.

_sourceCategory=mycategory keyword
| parse "Found feedback *" as jsonobj
| json field=jsonobj "score", "comment" , "contact", "posted_date" , "tags", "score_type"
| json field=contact "first_name" , "last_name" , "email" , "attributes.Org ID" , "attributes.Deployment" as  first_name, last_name , email , orgId , deployment
//| json field=tags "positive", "neutral", "negative" as positive_tags , neutral_tags ,negative_tags
//| concat(first_name," " ,  last_name) as name
| where score < 6
| count as count_score_less_than_6  , avg(score) as avg_score by orgId 
//| lookup org_name from /shared/lookups/master_orgs on orgId = org_id
  5. Add a line to the end of your query using the tourl operator and concat, pasting your full dashboard link. The URL contains filter names and values in the following format: filters=filtername*eq*value. For more information, see the tourl and concat pages.

| tourl(concat("https://<Dashboard_URL><filters=filtername*eq*value*>)
  6. Apply a filter value and customize the link. In our example, we add the orgId field name to pass values to the filter org_id, and specify Account Dashboard as the link name using this syntax: *org_id*eq*", orgId), "Account Dashboard") as org

    Here are the results for our example query.

_sourceCategory=mycategory keyword
| parse "Found feedback *" as jsonobj
| json field=jsonobj "score", "comment" , "contact", "posted_date" , "tags", "score_type"
| json field=contact "first_name" , "last_name" , "email" , "attributes.Org ID" , "attributes.Deployment" as  first_name, last_name , email , orgId , deployment
//| json field=tags "positive", "neutral", "negative" as positive_tags , neutral_tags ,negative_tags
//| concat(first_name," " ,  last_name) as name
| where score < 6
| count as count_score_less_than_6  , avg(score) as avg_score by orgId 
//| lookup org_name from /shared/lookups/master_orgs on orgId = org_id

| tourl(concat("https://dashboardurl&f=&t=r&filters=org_id*eq*", orgId), "Account Dashboard") as org

| sort by count_score_less_than_6 desc
| fields orgId, count_score_less_than_6, avg_score, org

Linking a Dashboard to a Search

Linking a Dashboard to a search is probably more common than linking a Dashboard to a Dashboard. You can use the linked Dashboard as a list of possible searches to help you investigate further by providing the dynamic values as links.

  1. Build your search and include the dynamic value for your link, using both the concat and urlencode operators.
    For example, to build a query that gives login activity for a user:

    | urlencode(concat("_sourceCategory=login_events and ", user)) as search_query

  2. Create a URL and pass the search query you created as the parameter in the URL string. 
     
    | format ("https://{YourURL}/ui/#/search/@%d,%d@%s",querystarttime(),queryendtime(),search_query) as search_query_link
     

  3. Create a hyperlink with the appropriate description using the tourl operator. For example:

    | tourl(search_query_link , "Click Here") as search_query_link
     
  4. Add the search to the dashboard. The field search_query_link automatically converts to a hyperlink in the dashboard. In our example dashboard, Click Here displays.
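To review what a generated link will open before adding it to a panel, the link from steps 1 to 3 can be rebuilt and decoded outside Sumo Logic. The following Python sketch is an added example, not part of the original page or Sumo Logic's own code. The function names, the placeholder base URL and the sample users are constructed. It assumes Python's quote() as a stand-in for the urlencode operator, and it quotes the user value as a string literal with backslash escapes, which the page's query does not do.

```python
from urllib.parse import quote, unquote

# Placeholder for {YourURL}; not a real deployment address.
BASE_URL = "https://sumo.example.invalid"
SEARCH_PREFIX = "/ui/#/search/@"


def as_string_literal(value: str) -> str:
    # Wrap a log-derived value in quotes, escaping backslash and quote.
    # Assumption: backslash escapes, like the \" sequences in the
    # page's GuardDuty snippet.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def login_query(user: str) -> str:
    # Step 1 of the procedure: the search the link should open.
    return "_sourceCategory=login_events and " + as_string_literal(user)


def search_link(query: str, start_ms: int, end_ms: int) -> str:
    # Steps 2-3: same layout as format(".../ui/#/search/@%d,%d@%s", ...).
    # safe="" also encodes "@", which the link uses as its separator.
    encoded = quote(query, safe="")
    return f"{BASE_URL}{SEARCH_PREFIX}{start_ms:d},{end_ms:d}@{encoded}"


def decode_link(link: str):
    # Recover (start_ms, end_ms, query) to review what a link will run.
    rest = link.partition(SEARCH_PREFIX)[2]
    time_range, _, encoded = rest.partition("@")
    start, _, end = time_range.partition(",")
    return int(start), int(end), unquote(encoded)


# Constructed sample values, including characters that need encoding.
SAMPLE_USERS = ["alice@example.com", 'bob "ops" | admin']
START_MS, END_MS = 1565000000000, 1565003600000

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        link = search_link(login_query(user), START_MS, END_MS)
        print(link)
        print("  opens:", decode_link(link)[2])
```

Decoding the link shows the exact query text a click will run, which is useful when the dynamic value comes from log data.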

Amazon GuardDuty Dashboard Use Case

Amazon GuardDuty provides a lot of data about the threats you are facing. With a linked dashboard, we can drill down into one particular threat to understand it better.

For example, we can modify the default Amazon GuardDuty - Threat Details Benchmark dashboard of the GuardDuty app, making the threatName column a link to threatDetails.


Clicking on the threatDetails link gives us the raw GuardDuty event associated with that particular threatType and threatPurpose. This allows users to get more details about the particular threat, like which resource was affected by the threat:

  • Name
  • ID
  • IP address
  • Security permissions applied to the resource.

All this information can help your users investigate security incidents quickly and effectively. To create this link, add the following snippet to the end of the existing GuardDuty panel query:

| urlencode(concat("_sourceCategory={SumoGuardDutysourceCategoryName} | json field=_raw \"id\", \"type\", \"severity\", \"title\", \"description\", \"accountId\", \"resource.resourceType\", \"region\" | toint(severity) as sev | parse field=type \"*:*/*\" as threatPurpose, targetResource, threatName | where threatName = \"", threatName, "\" and threatPurpose=\"", threatPurpose, "\"")) as query
| format("https://{yourSumoDashboardURL}/ui/index.html#section/search/@%d,%d@%s", queryStartTime(), queryEndTime(), query) as url
| tourl(url, threatName) as threatName
| fields -query, url