All Apps and Add-ons

Inline drilldown after a chart command

iKate
Builder

Hi!
Can you please suggest how to make a table drilldown by clicking on a cell resulted from the following command:

| chart count by range column

alt text

I've tried almost all variants from sideview app's page on drilldowns but found no proper one.

At first I just wanted to have the same experience as you get when selecting in flashtimeline any cell of results: you wil be redirected to a new flashtimeline and the search will be modified by dropping the last resulting command and adding search by two parameters you selected: ...| search range="1-14" column="2) 2-4"

At first I wanted to use converttodrilldownsearch

<module name="SimpleResultsTable" autoRun="True">
    <param name="drilldown">row</param>
    <param name="entityName">results</param>
    <param name="count">100</param>
    <module name="ConvertToDrilldownSearch">
       <module name="ViewRedirector">
          <param name="viewTarget">flashtimeline</param>
          <param name="popup">True</param>
       </module>
    </module>
 </module>

But it took just the value of a row (range="1-14") but not a column.

Then I decided to make inline drilldown with sideview utils

<module name="Pager">
  <module name="Table">
    <module name="Search">
       <param name="search">
        ...| search range="$row.fields.range$" column="$row.fields.column$"

But $row.fields.column$ cannot be defined.

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Take a look at http://answers.splunk.com/answers/129540/only-pass-one-value-for-a-drilldown-when-clicking-on-a-tabl...

You're not getting $row.fields.column$ because there's no field called column in your table. What you need is a token referring to the column name, and the Sideview Utils Table module doesn't provide that (yet?). Switching to the standard SimpleResultsTable module will give you the $click.name2$ token that refers to the name of the column the user clicked on.

<module name="SimpleResultsTable">
  <param name="drilldown">all</param>
  <module name="Search">
    <param name="search">
    ...| search range="$click.value$" column="$click.name2$"

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Take a look at http://answers.splunk.com/answers/129540/only-pass-one-value-for-a-drilldown-when-clicking-on-a-tabl...

You're not getting $row.fields.column$ because there's no field called column in your table. What you need is a token referring to the column name, and the Sideview Utils Table module doesn't provide that (yet?). Switching to the standard SimpleResultsTable module will give you the $click.name2$ token that refers to the name of the column the user clicked on.

<module name="SimpleResultsTable">
  <param name="drilldown">all</param>
  <module name="Search">
    <param name="search">
    ...| search range="$click.value$" column="$click.name2$"

iKate
Builder

@sideview thanks in advance! It will add consistency to sideview's cool drilldown capabilities.

0 Karma

iKate
Builder

Thanks, Martin!! I've forgotten about drilldown's option 'all' and tried to do the same with 'row', sure it was no result with click.name/value2 )

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

I've just hacked it in when needed 😛

0 Karma

sideview
SplunkTrust
SplunkTrust

That's correct - the Table module still doesn't have the equivalent of the SimpleResultsTable module's "all" drilldown mode, where it shows highlighting and allows selection of both a row and a column and provides drilldown tokens for both. For the first few years Sideview Utils users seemed quite content without this feature! Anyway, these days people as for it fairly regularly so I'll bump up its priority and get it out in a future version. In the meantime - just use SimpleResultsTable if you need this one feature and if you can do without the Table module's other features.

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...