
How to set a default value for a token with In-Page Contextual Drilldown

steverazor
Explorer

Greetings fellow splunkers 🙂

I am trying to get a dashboard that will have two charts on it. The top chart will show monthly counts and the bottom chart will show daily counts for the most recent month from the top chart when the dashboard is first loaded, and then show the daily counts for the month that is clicked for the drilldown action.

I used the example dashboard "In-Page Drilldown with Perma-linking" as a reference and I'm close to what I want, but not quite there.

The way that the example works is that the second chart is hidden until something is chosen from the top chart. What I want to have is both charts displayed when the page loads and have the second chart use the most recent month that is returned in the top chart to drive the results.

I have it working to the point where the top chart will display properly, but the bottom chart sits at "Search is waiting for input" until a month is selected from the top chart. The "In-Page Drilldown with Perma-linking" uses the "depends" tag to hide the second chart until something is chosen from the top chart. This is NOT what I want. What I want is for the bottom "Daily" chart to show the values for the most recent month that is returned in the top "Monthly" chart when the dashboard is first loaded.

What I am looking for is a way to set the value of the token being used to drive the bottom "Daily" chart to be the last month that is returned in the top "Monthly" chart. If there is a different approach that I should be using to achieve my goal I'm open to changing things.

Here is the simpleXML from my dashboard as it stands now. I am using version 6.1.1. Any help is much appreciated!

<dashboard>
  <input type="text" token="Month_var" searchWhenChanged="true"/>
  <label>Contextual Drilldown Simple</label>
  <description/>
  <row>
    <panel>
      <chart>
        <title>Monthly</title>
        <searchString>index=mytestidx1 sourcetype=myteststats | eval Month=strftime(_time,"%Y-%m") | eval Process_Time=(time_thing_end-time_thing_start) | chart count(eval(Process_Time&gt;20)) AS &gt;_20_seconds, count(eval(Process_Time&gt;10 AND Process_Time&lt;=20)) AS 20_seconds, count(eval(Process_Time&gt;5 AND Process_Time&lt;=10)) AS 10_seconds, count(eval(Process_Time&lt;=5)) AS 5_seconds by Month</searchString>        
        <option name="charting.chart">column</option>
        <drilldown>
          <set token="Month_var">$row.Month$</set>
          <set token="form.Month_var">$row.Month$</set>
        </drilldown>        
        <option name="charting.chart.stackMode">stacked</option>        
        <option name="charting.drilldown">all</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Daily</title>
        <searchString>index=mytestidx1 sourcetype=myteststats | eval Day=strftime(_time,"%d") | where strftime(_time,"%Y-%m")="$Month_var$"  | eval Process_Time=(time_thing_end-time_thing_start) | chart count(eval(Process_Time&gt;20)) AS &gt;_20_seconds, count(eval(Process_Time&gt;10 AND Process_Time&lt;=20)) AS 20_seconds, count(eval(Process_Time&gt;5 AND Process_Time&lt;=10)) AS 10_seconds, count(eval(Process_Time&lt;=5)) AS 5_seconds by Day</searchString>
        <option name="charting.axisTitleX.text">Days in Month: $Month_var$</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>        
      </chart>
    </panel>
  </row>
</dashboard>


akazarov
Path Finder

Hi,

I have a partially similar issue - in-page drilldown between two charts, each providing a token for the search for the other chart. The problem is that Splunk does not allow defining an initial or default value for a token which could be used before a chart is clicked. To overcome this, I created two input fields which provide tokens with exactly the same IDs as the drilled-down charts do:

    <input type="text" token="application">
      <label>application</label>
      <seed>*</seed>
    </input>
    <input type="text" token="msgid">
      <label>message</label>
      <seed>*</seed>
    </input>

    <chart>
      <searchString>index=ers $partition$ | search msgID=$msgid$ | top limit=20 app</searchString>
      <drilldown>
        <set token="application">$row.app$</set>
      </drilldown>
    </chart>

    <chart>
      <searchString>index=ers $partition$ | search app=$application$ | stats count by msgID</searchString>
      <drilldown>
        <set token="msgid">$row.msgID$</set>
      </drilldown>
    </chart>

The result: chart searches have all valid tokens when the page is loaded, so the charts are filled and displayed nicely, and then tokens are updated when the user selects elements in the charts.

The "artificial" input fields are hidden after saving the form in .html. For splunk: it would be nice to have this option in simple .xml.
The only drawback is that one needs to reload the page to get back the default values in charts.

Hope this helps.

steverazor
Explorer

This has sat long enough without a response, so I figured I would add an update in case anybody else is encountering similar problems.

I was able to use the ValueSetter module in Sideview Utils to set a $foo$ variable and use that variable in other modules downstream. I'm still having a lot of other problems, but I can at least assign a value to a $foo$ variable and use it elsewhere. I had to completely rewrite the dashboard as a view and use Sideview Utils as I don't think what I am trying to achieve is possible in SimpleXML. If anybody can prove otherwise, I'd love to see it!
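
An added example, not from any poster in this thread: one way to give the drilldown token a starting value in Simple XML, assuming a Splunk version that supports the `<search>`/`<query>` elements and the `<done>` search event handler (newer syntax than the `<searchString>` form used above). The search id `latest_month_search`, the field `latest_month` and the simplified `chart count` queries are assumptions for illustration; the index, sourcetype and `Month_var` token come from the question. The Daily query applies the `|s` token filter so that the token value is inserted as a quoted string literal.

```xml
<dashboard>
  <label>Contextual Drilldown Simple</label>
  <!-- Hidden helper search (hypothetical id): runs at page load and seeds
       Month_var with the most recent month that has events. -->
  <search id="latest_month_search">
    <query>index=mytestidx1 sourcetype=myteststats | stats max(_time) AS t | eval latest_month=strftime(t,"%Y-%m") | fields latest_month</query>
    <done>
      <!-- $result.FIELD$ reads FIELD from the first result row -->
      <set token="Month_var">$result.latest_month$</set>
    </done>
  </search>
  <row>
    <panel>
      <chart>
        <title>Monthly</title>
        <search>
          <!-- Simplified: the original count(eval(...)) columns can be used here unchanged -->
          <query>index=mytestidx1 sourcetype=myteststats | eval Month=strftime(_time,"%Y-%m") | chart count by Month</query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <!-- A click replaces the seeded value with the clicked month -->
          <set token="Month_var">$row.Month$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Daily</title>
        <search>
          <!-- $Month_var|s$ wraps the value in quotes before substitution -->
          <query>index=mytestidx1 sourcetype=myteststats | where strftime(_time,"%Y-%m")=$Month_var|s$ | eval Day=strftime(_time,"%d") | chart count by Day</query>
        </search>
        <option name="charting.axisTitleX.text">Days in Month: $Month_var$</option>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

If the helper search returns no rows, `Month_var` stays unset and the Daily panel waits for a click, as in the original dashboard.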
