topic Re: create a drill-down multiple condition in Splunk Search

create a drill-down multiple condition

vshakur — Sat, 07 Apr 2018 11:05:21 GMT

Hello,

Is it possible to set a drill-down condition only for the cells of a specific column but to exclude one cell.

For example:
row a | row b | row c |
--------|---------|---------|
a1 | b1 | c1
a2 | b2 | c2
a3 | b3 | c3

I'd like to be able to press only the values under "row a" but to also exclude the last value "a3".

Please help me achieve this goal

Thanks,
Sam

Re: create a drill-down multiple condition

rjthibod — Sat, 07 Apr 2018 11:25:41 GMT

The answer I can think of is it depends. In my mind, you would need to have a column that can label the horizontal row you want to exclude, e.g., exclude anything that belongs to the last row that has a label "Totals". Do you have any way of labeling the values you want to exclude? Or is it always the last value in the column?

Re: create a drill-down multiple condition

vshakur — Sat, 07 Apr 2018 16:06:42 GMT

It's both. It's both the last row and It's always labeled "Total"

Re: create a drill-down multiple condition

niketn — Sat, 07 Apr 2018 16:35:17 GMT

@vshakur if you are on Splunk 6.5 or higher easiest option for you to be use add a Total Table Summary row which can not be used for Drilldown: https://docs.splunk.com/Documentation/Splunk/latest/Viz/TableFormatsFormatting#Totals_summary_row

This way your drilldown code would be enabled only for "row a" and Total row will not have drilldown enabled.

Otherwise you will have to use $row.yourfieldname$ to check for value Total and not perform any drilldown action.

Re: create a drill-down multiple condition

niketn — Sat, 07 Apr 2018 17:09:44 GMT

@vshakur, I have converted my comment to answer. If it worked for you, please accept the same to mark this question as answered. If you need further details, do let us know. 🙂 Happy Weekend!

Re: create a drill-down multiple condition

vshakur — Sat, 07 Apr 2018 17:18:33 GMT

Thanks but I'm still stuck.
Using Total Table Summary is not an option since some of the columns represent percentages and I don't want them to be summed up.

I have the following code:

<drilldown>
  <condition field="Environment">
    <eval token="form.environment_token">$click.value$</eval>
  </condition>
</drilldown>

But I'm having trouble to add another condition to the existing one. Besides the field="Environment" condition I need to verify that the user won't be able to press the last cell in the column labeled Total

Re: create a drill-down multiple condition

rjthibod — Sat, 07 Apr 2018 22:09:28 GMT

what is the name of the column that contains the label "Total"?

Re: create a drill-down multiple condition

niketn — Sun, 08 Apr 2018 05:55:24 GMT

Following is run anywhere example with Table Summary Row added. You can hide Total of percent column using CSS. Try the following run anywhere dashboard:

<dashboard>
  <label>Table Summary Row CSS</label>
  <row>
    <panel>
      <html depends="$alwaysHideCSSPanel$">
        <style>
          #tableWithSummary tbody tr:last-child td:last-child{
            visibility:hidden !important;
          }
          #tableWithSummary tbody tr:last-child td{
            background: #fff !important;
            font-weight: bold !important;
          }
        </style>
      </html>
      <table id="tableWithSummary">
        <search>
          <query>index=_internal sourcetype=splunkd
| top 5 component</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">true</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

Following is a run anywhere example with addtotals and eval to set token on Drilldown from the field count. In case the component value is Total (i.e. for the final row) then token is unset by not defining the default condition of the case statement.

    <panel>
      <table id="tableWithSummary2">
        <title>$tokClickedValue$</title>
        <search>
          <query>index=_internal sourcetype=splunkd
| top 5 component
| addtotals col=t row=f labelfield=component label=Total
| eval percent=case(component!="Total",percent)
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition field="count">
            <eval token="tokClickedValue">case($row.component$!="Total",$row.count$)</eval>
          </condition>
          <condition>
                <!-- Do not drilldown for other fields-->
            </condition>
        </drilldown>
      </table>
    </panel>

Please try out both options and confirm.
PS: you can also code drilldown to pick only the count field no matter which field is clicked, using the $row.count$ value.

        <drilldown>
            <eval token="tokClickedValue">case($row.component$!="Total",$row.count$)</eval>
        </drilldown>

Re: create a drill-down multiple condition

vshakur — Sun, 08 Apr 2018 07:38:28 GMT

Environment

Re: create a drill-down multiple condition

vshakur — Sun, 08 Apr 2018 09:55:02 GMT

The last one did the trick. Thanks.