topic Re: Drilldown on results of a subsearch not working in Splunk Search

Drilldown on results of a subsearch not working

doogan12 — Tue, 04 Jul 2017 23:14:49 GMT

Woodcock - As a new question to the previous one that you help resolve - do you have any idea why the drilldown isn't working? When I click on the results that the search produced, it shows and runs the search string of the original search instead of the results of the search - just like clicking the magnifying glass icon does. In the source code, drilldown is set to cell. Any thoughts?

Re: Drilldown on results of a subsearch not working

cmerriman — Wed, 05 Jul 2017 00:13:12 GMT

Could you link to previous question or post more details surrounding xml source code to dashboard regarding the drilldown panel? My guess without knowing everything is that the token isn't properly set to the right value. A way to debug tokens is to add script="tokens.js" to the form node

Re: Drilldown on results of a subsearch not working

doogan12 — Wed, 05 Jul 2017 00:26:32 GMT

Cmerriman - the search is thus: index=InnerIndexHere sourcetype=InnerSourcetypeHere "ip.of.offending.addr" | stats count BY ICID | table ICID | format

This returns a subsearch of the results found in the ICID field. I would like to the results to be capable of drilldown by clicking the contents of the cell to display the results of each ICID number (ie; was there DNS info for the IP, was it blacklisted, did it create a mid, did it close).

Here is the source:

true
false
none
full
1
5
full
all
1
list
cell
10</option

and the link to the previous question:

https://answers.splunk.com/answers/552608/how-can-i-take-the-results-from-a-search-and-gener.html

Thanks for taking a timeout to assist on a Holiday!

Re: Drilldown on results of a subsearch not working

doogan12 — Wed, 05 Jul 2017 00:28:48 GMT

Hmmmm - that source code didn't post correctly

true
false
none
full
1
5
full
all
1
list
cell
10

Re: Drilldown on results of a subsearch not working

doogan12 — Wed, 05 Jul 2017 00:31:41 GMT

The code falls under the option name= and are as follows - wrap, rowNumbers, dataOverlayMode, list.drolldown,list.wrap, maxLines, raw.drilldown, table.drilldown, table.wrap, type, drilldown, and count with the answer to those options listed above.

Re: Drilldown on results of a subsearch not working

cmerriman — Wed, 05 Jul 2017 00:45:17 GMT

To drilldown to another search, instead of more or less opening the current search, you need to use the drilldown node. http://docs.splunk.com/Documentation/Splunk/6.6.2/Viz/ContextualDrilldown
You'll need to add something like this:
<set token="new">$click.value$</set> </drilldown>
And then you need to create another panel with you new search with the new token in it to use as a filter. You can add depends="$new$" into the panel node to hide the panel until the token is set, if desired.

Re: Drilldown on results of a subsearch not working

doogan12 — Wed, 05 Jul 2017 21:41:28 GMT

Not sure what happened, but when I clicked the value returned from the original search, a new panel popped up with unexpected data in it. When I clicked the magnifying glass to 'open in search' and see what the search looked like, the search string only had the word'NULL' in it and was looking for all occurrences of NULL in the past four hours. Any thoughts on what may have occurred with the new query?

Re: Drilldown on results of a subsearch not working

cmerriman — Wed, 05 Jul 2017 21:51:05 GMT

Can you provide a sample of the xml so I can see where you placed the drilldown node and how you used the token in the new panel?

Re: Drilldown on results of a subsearch not working

doogan12 — Wed, 05 Jul 2017 21:57:14 GMT

Sure, I hope it translates properly

  <title>ICID</title>
  <table>
    <title>ICID</title>
    <search>
      <query>index=primary sourcetype=email_server "$ip$" | stats count BY icid | table icid | format</query>
    </search>
    <drilldown>
      <set token="show_panel">true</set>
      <set token="retrieve">$click.value$</set>
    </drilldown>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="list.drilldown">full</option>
    <option name="list.wrap">1</option>
    <option name="maxLines">5</option>
    <option name="raw.drilldown">full</option>
    <option name="table.drilldown">all</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>
<panel depends="$retrieve$">
  <event>
    <title>Result of ICID search retrieval</title>
    <search>
      <query>index=primary sourcetype=email_server $retrieve$</query>
      <earliest>-4h@h</earliest>
      <latest>now</latest>
    </search>
    <option name="count">5</option>
  </event>
</panel>

Re: Drilldown on results of a subsearch not working

cmerriman — Thu, 06 Jul 2017 01:06:02 GMT

The table you have with the ICID is using format, which would come out with one row, one column with values similar to "ICID=x OR ICID=y...". Are you trying to select just one value of ICID? You'd need to remove the format command and create an actual table.

Re: Drilldown on results of a subsearch not working

doogan12 — Thu, 06 Jul 2017 01:21:39 GMT

Actually, no. I want to just click the 'OR'd results. The format command looks like it is working the way I would need it to, especially when there are multiple ICID's from a particular event. Let's say there are 10 ICID's that were found with the initial search. Having them strung together with an OR should show the search thus: icid=123456 OR icid=234567 OR icid-345678, etc. If I go to an actual table, I'd only be able to click one at a time, and if there are 100's or thousands of icid's...you get the picture.

But what I have in that query with the token $retrieve$ is returning a search with the word NULL in it.

Re: Drilldown on results of a subsearch not working

cmerriman — Thu, 06 Jul 2017 11:41:57 GMT

do you really need to have this icid=123456 OR icid=134567... in a table a clicking it or can you just show the table that would have these search results in it?

 <panel>
   <event>
     <title>Result of ICID search retrieval</title>
     <search>
       <query>index=primary sourcetype=email_server [search index=primary sourcetype=email_server "$ip$" | stats count BY icid | table icid | format] </query>
       <earliest>-4h@h</earliest>
       <latest>now</latest>
     </search>
     <option name="count">5</option>
   </event>
 </panel>

Re: Drilldown on results of a subsearch not working

doogan12 — Thu, 06 Jul 2017 15:03:42 GMT

If they were just laid out neatly in a table, would they be interactive or would they return a NULL?

Re: Drilldown on results of a subsearch not working

cmerriman — Thu, 06 Jul 2017 15:11:50 GMT

i figured it out. change $click.value$ to $click.value2$ when you're setting the retrieve token. that should fix the problem.
here are event token definitions:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Viz/EventHandlerReference#Drilldown_event_tokens

Re: Drilldown on results of a subsearch not working

doogan12 — Thu, 06 Jul 2017 15:52:37 GMT

Sounds great! I'll give that a try. Thank you, cmerriman!

Re: Drilldown on results of a subsearch not working

doogan12 — Sun, 09 Jul 2017 21:21:52 GMT

Yes, it is working like I envisioned it would. Thanks for your advice.

Re: Drilldown on results of a subsearch not working

woodcock — Mon, 10 Dec 2018 02:22:59 GMT

@doogan12, I did not see this until just now because you need prefix ids with the @ character (as in @woodcock). This will notify the user directly (like the notification that you should have just gotten).