Explains how to configure fixed filters on dashboards, and dashboard drilldowns.
You can configure fixed filters and dashboard drilldowns on Custom dashboards that contain XQL widgets.
Fixed filters are based on parameters defined in the Custom XQL widgets within the dashboard. To configure fixed filters:
Create custom XQL widgets with parameters, as explained in Create and Edit Custom Widgets Based on XQL Queries.
Add the widgets to a Custom dashboard, as explained in Build a Custom Dashboard.
Configure the parameters as fixed filters on the dashboard, as explained in Configuring Filters & Inputs.
You can use these parameters to create in-dashboard drilldowns, and drilldowns that map parameters to target dashboards, however not all drilldowns require parameters. For more information, see Configuring Drilldowns.
After configuration, anyone who views your dashboard can change the fixed filters from the dashboard header and use the configured drilldowns.
Configuring Filters & Inputs
You can configure a maximum of five fixed filters on a dashboard. Filters can use predefined or dynamic values, and are based on parameters that you configure in Custom XQL widgets.
Open a Custom dashboard and select Edit dashboard.
Add Filters & Inputs.
On the FILTERS & INPUTS panel, +Add an input and select one of the following options:
Single Select to specify a single predefined value
Multi Select to specify multiple predefined or dynamic values
Free text/number to specify a single free text value
Update the Parameter Title.
Select the Parameter that you want to configure.
These values are extracted from the XQL queries of the widgets on the dashboard.
If you selected Single Select or Multi Select values, specify Dropdown Options.
When you generate the dashboard, these values appear in a dropdown list for selection.
For Single Select and Multi Select Predefined values, manually type the list values.
The values must support the parameter type. For example, for
$namespecify characters and for$numspecify numbers.If you uploaded numbers in a string, specify each number in quotes, for example "500".
For Multi Select Dynamic values, configure an XQL Query to fetch dynamic values.
In the XQL Query Builder, configure a query that includes the
fieldstage and the name of the column from which to take the dropdown values. All values in the specified field will be available for selection, and the values are dynamically updated.In this example, the name column is configured:
dataset = <dataset> | fields nameNote
If you specify more than one field, only the first field value is used.
(Optional) Specify a Default Value for the selected parameters.
This value overwrites any predefined default values in the XQL query.
Save Filters & Inputs. The fixed filter is added to the dashboard header.
Configuring Drilldowns
Learn how to create dashboard drilldowns based on individual XQL widgets.
The following procedure explains how to create dashboard drilldowns based on individual XQL widgets.
Open a Custom dashboard and select Edit dashboard.
Chose the widget to which you want to apply a drilldown, click on the widget menu, and select Add drilldown.
In Action On Click select one of the following options:
In-Dashboard Drilldown— This option interactively filters the dashboard data based on parameters defined in the Custom XQL widgets within the dashboard.
Parameters— Select the parameter by which to filter. You can choose parameters that are defined in the XQL queries of the widgets on the dashboard.
Value— Type your own value, or, select a variable from which to capture the clicked value and assign to a parameter. For more information, see Variables in drilldowns.
Link to dashboard— This option opens a target dashboard.
Dashboard— Select the target dashboard.
Parameter (optional)— Select parameters by which to filter the data on the target dashboard. Parameters are available if there are parameters defined in the widgets on the target dashboards.
Value— Type your own value, or, select a variable from which to capture the clicked value in the source dashboard and map as a parameter in the target dashboard. For more information, see Variables in drilldowns.
Open XQL Search— This option runs an XQL query for additional investigation based on the clicked value.
XQL Query— Define the query that you want to run on drilldown. Type$to see autocomplete options for variables that are available in the widget drilldown. For more information, see Variables in drilldowns.In the following example two parameters are passed from a table widget to an XQL query. The first parameter with the cell value that the user clicked on, and a second parameter with the cell value in the request_url column in the row that the user clicked.
dataset=xdr_data |filter event_type=$y_axis.value and requestUri=$row.request_url |fields action_download, action_remote_ip as remote_ip, actor_process_image_name as process_name |comp count_distinct(action_download) as total_download by process_name, remote_ip, remote_hostname |sort desc total_download |limit 10 |view graph type=single subtype=standard xaxis=remote_ip yaxis=total_download
Open custom URL— This option opens an external URL based on a clicked value.
URL Address— Type the URL. To create a dynamic drilldown, you can include Available parameters. For more information about the parameters, see Variables in drilldowns.
In the following URL, the
$x_axis.valueparameter represents cortex products names. On drilldown, the $x_axis.value is replaced with the clicked product name in the pie chart.https://www.paloaltonetworks.com/cortex/cortex-$x_axis.value
Generate Report— This option runs a report from a clicked value.
Variables in drilldowns
The following list describes the widget variables that are available in drilldowns, according to widget type.
The variable defines the value to capture in the drilldown, according to the element that is clicked. The captured value is then configured as a parameter by which to filter data on drilldown.
Chart (Area, Bubble, Column, Funnel, Line, Map, Pie, Scatter, or Word Cloud)
Single value or gauge
Table
$first.name— selects the leftmost column name in the table.$first.value— selects the leftmost value in the clicked table row.$clicked.name— selects the column name of the clicked value.$clicked.value— selects the value in the clicked table cell.$row.<field_name>— selects the field (column) from the clicked table row.
