topic Re: help on a drilldown token in Splunk Enterprise

Help displaying another table panel which displays the results of the value clicked

jip31 — Tue, 08 Mar 2022 02:41:26 GMT

hello

As you can see, I stats events by _time in a first table panel

When I click on the result count I need to display an other table panel which displays the results of the value clicked

What is wrong in my example?

thanks

<panel> <table> <search> <query>index=toto sourcetype=tutu | stats count as count by _time</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <drilldown> <set token="count">$click.value$</set> </drilldown> </table> </panel> <panel depends="$count$"> <table> <search> <query>index=toto sourcetype=tutu | search count=$count$ | table _time crash_process_name count</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row>

Re: help on a drilldown token

ITWhisperer — Fri, 04 Mar 2022 16:54:47 GMT

Is count a field in the events returned by

index=toto sourcetype=tutu

Re: help on a drilldown token

jip31 — Fri, 04 Mar 2022 16:56:41 GMT

hi what do you mean exactly?

Re: help on a drilldown token

ITWhisperer — Fri, 04 Mar 2022 17:06:40 GMT

| search count=$count$

is looking for a field called count with the value from the $count$ token

If this field doesn't exist, you are unlikely to get any results!

Re: help on a drilldown token

jip31 — Fri, 04 Mar 2022 17:10:46 GMT

yes in my first table I have a value for count field

so when I click on it I dont understnd why there is nothing even if I use

| search count=$count$

Re: help on a drilldown token

ITWhisperer — Fri, 04 Mar 2022 17:13:32 GMT

What are you expecting the search in the second panel to find?

Re: help on a drilldown token

jip31 — Fri, 04 Mar 2022 17:17:51 GMT

when I click on the count onf my first table panel, I need to display all the events there is in this count

For example when _time is 09:00 I need to display the details of the 38 events there is in my count

Re: help on a drilldown token

jip31 — Fri, 04 Mar 2022 17:55:38 GMT

what is strange is that I am doing a similar thing with the field "name" it works!

<row> <panel> <table> <search> <query>index=toto sourcetype=tutu | stats count(crash_process_name) as crash by name</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <drilldown> <set token="name">$click.value$</set> </drilldown> </table> </panel> <panel depends="$name$"> <table> <search> <query>index=toto sourcetype=tutu | search name="$name$" | stats last(crash_process_name) as crash count as count by name</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row>

but if I am doing the same with the field _time, it doesnt works!

<row> <panel> <table> <search> <query>index=toto sourcetype=tutu | stats count(crash_process_name) as crash by _time</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <drilldown> <set token="name">$click.value$</set> </drilldown> </table> </panel> <panel depends="$_time$"> <table> <search> <query>index=toto sourcetype=tutu | search _time="$_time$" | stats last(crash_process_name) as crash count as count by _time</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row>

Re: help on a drilldown token

jip31 — Sat, 05 Mar 2022 06:11:39 GMT

Do you know if it is possible to use _time as a token?

If yes why my example doesnt works instead the example with "name" field works?

thanks

Re: help on a drilldown token

ITWhisperer — Sat, 05 Mar 2022 08:45:54 GMT

Tokens are just named temporary storage areas, they do not have to be related to the field they came from or being compared to.

<set token"tom">**bleep**</set> | where harry=$tom$

where tom is the name of the token, **bleep** is just a string value, and harry is a field in the events

So, yes, you could set a token to contain a value of _time, but you cannot set it to be the current value of _time in the event you are using it in.

I hope that makes sense, and does not confuse you further.