topic Re: Search different results with token in Dashboards & Visualizations

Search different results with token

marco_massari11 — Tue, 17 Nov 2020 16:42:55 GMT

Hi,

I have a query like this:

index=.... hostname=*
| eval field1=if(x="y",1,0)
| eval field2=if(x="z",1,0)
| stats sum(field1) as "field1" sum(field2) as "field2" by hostname

The result is a column chart in which I have 2 columns for each hostname that represent the count of filed1 and field2. If I click on a bar (for example filed1 for an hostname), I want to open another custom dashboard that shows other details like ip,.... But in this second dashboard I don't have only the results for field1, but also filed2. I know I need a token to filter the result, but I don't know how. Can anyone help me?

Thanks in advance

Re: Search different results with token

ITWhisperer — Tue, 17 Nov 2020 19:04:14 GMT

Instead of field1 and field2, can you name your fields y and z, that way you may be able to use the field name of the bar that is clicked to modify the search in the drilldown panel. Alternatively, will counting by x and hostname help?

Re: Search different results with token

marco_massari11 — Tue, 17 Nov 2020 19:31:30 GMT

I do not understand your first option, can you explain it better? The second option can work but I don't want to show the hostname two times in the column chart.

Re: Search different results with token

ITWhisperer — Tue, 17 Nov 2020 21:27:43 GMT

Run anywhere example:

<row> <panel> <chart> <search> <query>index=_internal sourcetype=splunkd | eval field1=if(group="tcpin_connections",1,0) | eval field2=if(group="tcpout_connections",1,0) | stats sum(field1) as tcpin_connections sum(field2) as tcpout_connections by log_level</query> <earliest>-60m@m</earliest> <latest>now</latest> </search> <option name="charting.axisY.abbreviation">auto</option> <option name="charting.chart">column</option> <option name="charting.chart.stackMode">default</option> <option name="charting.drilldown">all</option> <option name="charting.legend.placement">top</option> <option name="refresh.display">progressbar</option> <drilldown> <set token="showcounts">true</set> <set token="showloglevel">$click.value$</set> <set token="showgroup">$click.name2$</set> </drilldown> </chart> </panel> <panel depends="$showcounts$"> <chart> <search> <query>index=_internal sourcetype=splunkd log_level=$showloglevel$ group=$showgroup$ | stats count by component</query> <earliest>-60m@m</earliest> <latest>now</latest> </search> <option name="charting.axisY.abbreviation">auto</option> <option name="charting.chart">column</option> <option name="charting.chart.stackMode">default</option> <option name="charting.drilldown">none</option> <option name="charting.legend.placement">top</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row>

For your case, you could change the first query to

<query>index=.... hostname=* | eval field1=if(x="y",1,0) | eval field2=if(x="z",1,0) | stats sum(field1) as y sum(field2) as z by hostname</query>

with perhaps tokens showhost and showx

and the second query to

<query>index=.... hostname=$showhost$ x=$showx$ ...</query>

Re: Search different results with token

marco_massari11 — Wed, 18 Nov 2020 11:19:45 GMT

Hi,

I think it's not working beacause I still have more result in the second query

Re: Search different results with token

t_shreya — Wed, 18 Nov 2020 11:33:47 GMT

@marco_massari11 , I'm not sure if I got the question completely correct.
But in case, you require only the results of the bar you clicked on, then you can retrieve the name of the field using :

<set token="clicked_field">$click.name2$</set>

and use the token $clicked_field$ to filter results in the query of the other dashboard.

Re: Search different results with token

marco_massari11 — Wed, 18 Nov 2020 11:54:57 GMT

@t_shreya Yes, I set by drilldown tab on the first dashboard a token named "method"=$click.name2$, and the query of the first dashboard is like this:

index=.. hostname=$site$ (service=success or service=failure)
| eval site=substr(NetworkDeviceName,1,7) + substr(NetworkDeviceName, -4)
| eval field1=if(service="x",1,0)
| eval field2=if(service="y",1,0)
| stats sum(field1) as "option1" sum(field2) as "option2" by site

The result is a column chart in which I have 2 columns (count of field 1 and count for field2) for a single site

In the second dashboard I have a query like this:

index=..... hostname=....
| eval site=substr(DeviceName,1,7) + substr(DeviceName, -4)
| search site=$group$
| search service="$method$"
| table .......

Probably my mistake is in the stats beacuse in the title I put the token for the count ant it's correct

Re: Search different results with token

ITWhisperer — Wed, 18 Nov 2020 18:48:57 GMT

I don't know what you mean by that. Can you show your SimpleXML for your dashboard panels?