topic Re: How to create a drill down from one panel to another in the same dashboard? in Dashboards & Visualizations

How to create a drill down from one panel to another in the same dashboard?

abhi04 — Thu, 31 May 2018 08:41:20 GMT

I have a dashboard which have panel 1 which displays job start time, end time and time duration of the job run. Now I want to create another panel i.e. panel 2 in the same dashboard where clicking on the job in panel 1 will display that job start time, end time and time duration of the job run for last 7 days. Please help on the same.

Re: How to create a drill down from one panel to another in the same dashboard?

niketn — Thu, 31 May 2018 10:49:30 GMT

@abhi04 , if you are on Splunk 6.6 or higher you can use Interactive Drilldown Option from Splunk UI by editing the chart and set the token for selected Job Name using predefined token $row.<yourJobNameField>$ . This token will pick the job name from the Row that you click on (irrespective of the column). Following is the Splunk Docs reference for default Table Drilldown tokens. For previous versions the same can be done only through Simple XML.

You can get Splunk Dashboard Examples app to get several examples of Drilldown capabilities within Splunk, including your use case.

Following is a run anywhere dashboard based on Splunk's _internal index to try out the drilldown from One Panel to Another where component name from Panel 1 is passed on to Panel 2 on Drilldown and displays the trending of INFO ERROR and WARN events over last 7 days in a timechart.

In the example following pieces have been added for enabling drilldown for selected component.

        <option name="drilldown">cell</option>

        <drilldown>
          <set token="tokComponent">$row.component$</set>
        </drilldown>

Then the search query in Panel 2 uses token $tokComponent$

          <query>index=_internal sourcetype=splunkd log_level=* component="$tokComponent$"
  | timechart count by log_level</query>

PS: depends attribute has been added to second row with Drilldown panel which hides the Panel until $tokComponent$ is set.

  <row depends="$tokComponent$">

Please try out and confirm!

<form>
  <label>Drilldown from one dashboard to another</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <title>Panel 1 - Pick Component to see trending</title>
      <input type="time" token="tokTime1" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=*
| dedup log_level component
| stats count as eventcount min(_time) as earliestTime max(_time) as latestTime dc(log_level) as distinctCount values(log_level) as log_level by component
| search log_level="INFO" AND distinctCount>1
| eval duration=latestTime-earliestTime
| fieldformat earliestTime=strftime(earliestTime,"%Y-%m-%d %H:%M:%S %p")
| fieldformat latestTime=strftime(latestTime,"%Y-%m-%d %H:%M:%S %p")</query>
          <earliest>$tokTime1.earliest$</earliest>
          <latest>$tokTime1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="tokComponent">$row.component$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$tokComponent$">
    <panel>
      <title>Panel 2 - $tokComponent$ Component Info and Warn Trending</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=* component="$tokComponent$"
| timechart count by log_level</query>
          <earliest>$tokTime1.earliest$</earliest>
          <latest>$tokTime1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.mode">seriesCompare</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>

PS: This example uses charting.legend.mode as seriesCompare. This Chart Configuration option for legends which is available in version 6.6 or higher.

Re: How to create a drill down from one panel to another in the same dashboard?

abhi04 — Thu, 31 May 2018 11:25:59 GMT

Hi Niketnilay,

The jobname is being extracted using regex.below is the source for the dashboard which is not working.

DFS IW Batch Job Monitor Dashboard
DFS IW Batch Job Monitor

<input type="time" token="field1">
  <label></label>
  <default>
    <earliest>-24h</earliest>
    <latest>now</latest>
  </default>
</input>


<panel>
  <table>
    <title>IW Batch Job Duration</title>
    <search>
      <query>index=auto_prod_iw* "/afiw/batch/scripts/gc01*.ksh" "Job gc01* -" "started - time=" | dedup _raw |rex "\w+\/\w+\/\w+\/(?&lt;Job_Name&gt;\w+)\.ksh" | eval StartTime=strftime(_time,"%Y/%m/%d %H:%M:%S") | append [| search index=auto_prod_iw* "/afiw/batch/scripts/gc01*.ksh" "Job gc01* -" ("ended - time=" OR "ENDED - time") | dedup _raw |rex "\w+\/\w+\/\w+\/(?&lt;Job_Name&gt;\w+)\.ksh" | eval EndTime=strftime(_time,"%Y/%m/%d %H:%M:%S")] | transaction Job_Name  |dedup Job_Name | table Job_Name StartTime EndTime duration  |eval Duration_Min= round((duration/60),2) | rename duration AS Duration_Sec</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
    <drilldown>
       <set token="tokComponent">$row.Job_Name$</set>
     </drilldown>
  </table>
</panel>


<panel>
  <event>
    <title>Errors</title>
    <search>
      <query>index=auto_prod_iw* "/afiw/batch/scripts/gc01*.ksh"  "error" OR "abort"</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>
  </event>
</panel>


<panel>
  <table>
    <title>Last 7 Days</title>
    <search>
      <query>index=auto_prod_iw* "/afiw/batch/scripts/gc01*.ksh" "Job gc01* -" "started - time=" | dedup _raw |rex "\w+\/\w+\/\w+\/(?&lt;Job_Name&gt;\w+)\.ksh" |Job_Name="$tokComponent$"| eval StartTime=strftime(_time,"%Y/%m/%d %H:%M:%S") | append [| search index=auto_prod_iw* "/afiw/batch/scripts/gc01*.ksh" "Job gc01* -" ("ended - time=" OR "ENDED - time") | dedup _raw |rex "\w+\/\w+\/\w+\/(?&lt;Job_Name&gt;\w+)\.ksh" | Job_Name="$tokComponent$"|eval EndTime=strftime(_time,"%Y/%m/%d %H:%M:%S")] | transaction Job_Name  |dedup Job_Name | table Job_Name StartTime EndTime duration  |eval Duration_Min= round((duration/60),2) | rename duration AS Duration_Sec</query> <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>
  </table>
</panel>

Re: How to create a drill down from one panel to another in the same dashboard?

niketn — Thu, 31 May 2018 12:39:21 GMT

You should try out the two things after the rex command, you are missing search keyword for searching Job_Names extracted using rex.

 ...
| rex .....
|search Job_Name="$tokComponent$"
 ....

Also in the Title for the final panel with table add the token to verify correct Job Name has been picked from Drilldown (I would also prefer if you named tokComponent as tokJobName instead as it will be more logical.

<title>Details for Job $tokComponent$ for Last 7 Days</title>

Please try out and confirm!

Re: How to create a drill down from one panel to another in the same dashboard?

abhi04 — Thu, 31 May 2018 13:07:43 GMT

Thanks Niketnilay,

The panel shows up with info but the title wont show when using

Re: How to create a drill down from one panel to another in the same dashboard?

niketn — Thu, 31 May 2018 14:18:44 GMT

Strangely it should work. Have you changed the token name and are using correct one? Which version of Splunk are you on? Can you share simple XML code and what is not working.

Re: How to create a drill down from one panel to another in the same dashboard?

abhi04 — Thu, 31 May 2018 15:08:32 GMT

Hi niketnilay,

It's working now.
Thanks.

Re: How to create a drill down from one panel to another in the same dashboard?

niketn — Thu, 31 May 2018 15:54:52 GMT

@abhi04 glad it worked! Do up vote the comments that helped 🙂