
What is the best approach to have an XML dashboard timechart drilldown convert the macro to raw search and have drilldown chart click value still be implemented?

ho000dor
Explorer

Hello,

Problem #1 viewredirectorlink
ViewRedirectorLink only shows up when I click on something in the chart.

Problem #2: onclick
What's the best approach to have the drilldown convert the macro to raw search and have the drilldown chart click value still be implemented? 'Time' and 'Field' drill-down content would be ideal.

The current setup below does convert the macro to raw search. However, if a user clicks on the bar in the chart, it redirects with the count value. This is not helpful and oftentimes yields 0 results if the count has increased.

<module name="HiddenSavedSearch" layoutPanel="panel_row3_col1" group="test1" autoRun="True">
  <param name="useHistory">auto</param>
  <param name="savedSearch">savedSEARCHwithMACRO1</param>
  <module name="HiddenChartFormatter">
    <param name="charting.legend">legend</param>
    <param name="charting.legend.labelStyle.maximumWidth">500</param>
    <param name="charting.legend.labelStyle.minimumWidth">500</param>
    <param name="charting.chart.stackMode">stacked</param>
    <param name="charting.legend.placement">right</param>
    <param name="charting.chart">column</param>
    <param name="charting.legend.labelStyle.defaultTextFormat">{font:Arial,size:09}</param>
    <param name="charting.fieldColors">{"NothingToReport":0x00FF00}</param>
    <module name="JobProgressIndicator"/>

    <module name="FlashChart">
      <param name="height">250px</param>
      <module name="HiddenSearch" layoutPanel="panel_row3_col1" autoRun="True">
        <param name="search"><![CDATA[`MACRO1`]]></param>
        <param name="earliest">-2h</param>
        <module name="ConvertToDrilldownSearch">
          <module name="ViewRedirectorLink">
            <param name="popup">True</param>
            <param name="viewTarget">flashtimeline</param>
            <param name="label">All Results</param>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

I have also used the Sideview HTML modules, but I'm not sure how or if it could convert the macro to raw search.

0 Karma

sideview
SplunkTrust

The XML you posted is using core-Splunk-only modules. The reason, I think, is that the old Splunk "intentions" system has a side effect of expanding all macros. While this is usually an unwanted side effect, in your case you need this behavior.

Speaking just to this pure-splunk-module solution, I would try removing that second HiddenSearch module:

<module name="HiddenSearch" layoutPanel="panel_row3_col1" autoRun="True">
  <param name="search"><![CDATA[`MACRO1`]]></param>
  <param name="earliest">-2h</param>

Or at least remove its "search" param. Also remove the autoRun="True" because if it's having any effect, that attribute will be creating nasty bugs.

Basically, the old ConvertToDrilldownSearch module should be able to incorporate the chart drilldown tokens from the click just fine, and it should do it all without the need for a second HiddenSearch module. Removing that Search module might be all you need to fix this.

In Sideview Utils of course you would use SavedSearch instead of HiddenSavedSearch, Search instead of HiddenSearch, Redirector and Link, and so on and so forth. However, nothing in Sideview Utils has that side effect of expanding macros, and previously I've written customBehavior to do the expansion when necessary.

I could fairly easily add a $foo$ token to Sideview Utils though. To expand all the macros, ultimately you need to take the job's eventSearch property and tack on the commands from the reportSearch property, if there are any. There is already a $results.eventSearch$ token, so this should be fairly easy to add, and then people can use it in complex drilldown cases like this.

0 Karma
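One way to apply the suggestion above, written here as an added example rather than the poster's own configuration: the original module tree with the inner HiddenSearch (and its search/earliest params and autoRun) removed, so that ConvertToDrilldownSearch sits directly under FlashChart and receives the chart's click tokens. The saved search name, panel layout and charting params are the ones from the question; the only change is the removed module.

```xml
<!-- Added example: core Splunk modules only, second HiddenSearch removed.
     The top-level HiddenSavedSearch keeps autoRun="True" so the saved
     search (with its macro) runs when the dashboard loads. -->
<module name="HiddenSavedSearch" layoutPanel="panel_row3_col1" group="test1" autoRun="True">
  <param name="useHistory">auto</param>
  <param name="savedSearch">savedSEARCHwithMACRO1</param>
  <module name="HiddenChartFormatter">
    <param name="charting.legend">legend</param>
    <param name="charting.legend.labelStyle.maximumWidth">500</param>
    <param name="charting.legend.labelStyle.minimumWidth">500</param>
    <param name="charting.chart.stackMode">stacked</param>
    <param name="charting.legend.placement">right</param>
    <param name="charting.chart">column</param>
    <param name="charting.legend.labelStyle.defaultTextFormat">{font:Arial,size:09}</param>
    <param name="charting.fieldColors">{"NothingToReport":0x00FF00}</param>
    <module name="JobProgressIndicator"/>

    <module name="FlashChart">
      <param name="height">250px</param>
      <!-- No HiddenSearch here: the click tokens emitted by FlashChart
           flow straight into ConvertToDrilldownSearch, which rewrites
           the already macro-expanded saved search into a drilldown
           search for the clicked bar (time bucket and series). -->
      <module name="ConvertToDrilldownSearch">
        <module name="ViewRedirectorLink">
          <param name="popup">True</param>
          <param name="viewTarget">flashtimeline</param>
          <param name="label">All Results</param>
        </module>
      </module>
    </module>
  </module>
</module>
```

The point of the change is that the second HiddenSearch replaced the drilldown context with a fresh `MACRO1` search, which is why the redirect carried the count value instead of the clicked time and series.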

sideview
SplunkTrust

Note - in Sideview Utils 3.3.1, released Dec 1 2014, there is now a $results.expandedSearch$ token that you can use in Sideview modules, and that will reflect the current search string with macros expanded. The "overview of custom $foo$ tokens" page in the Sideview docs will tell you how to use it safely.

0 Karma
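A Sideview Utils version of the same drilldown, written here as an added example (not from the thread or the Sideview docs), using the $results.expandedSearch$ token from the note above. It assumes the Sideview module and parameter names SavedSearch, FlashChart and Redirector (url, arg.q, arg.earliest, arg.latest), and the $search.timeRange.earliest$ / $search.timeRange.latest$ tokens for the clicked time bucket; confirm those against the Sideview Utils docs for your version, since the thread itself does not spell them out.

```xml
<!-- Added example (assumed module/param names, Sideview Utils 3.3.1 or later) -->
<module name="SavedSearch" layoutPanel="panel_row3_col1" autoRun="True">
  <param name="savedSearch">savedSEARCHwithMACRO1</param>
  <module name="FlashChart">
    <param name="height">250px</param>
    <!-- Assumption: on a timechart click, FlashChart narrows the downstream
         time range to the clicked bucket, so the $search.timeRange.*$
         tokens carry that bucket into the redirect. -->
    <module name="Redirector">
      <param name="url">flashtimeline</param>
      <!-- $results.expandedSearch$ = the job's eventSearch plus its
           reportSearch commands, with all macros expanded -->
      <param name="arg.q">$results.expandedSearch$</param>
      <param name="arg.earliest">$search.timeRange.earliest$</param>
      <param name="arg.latest">$search.timeRange.latest$</param>
    </module>
  </module>
</module>
```

Because the expanded search string is passed through a URL argument, follow the token-escaping guidance in the "overview of custom $foo$ tokens" page mentioned above before putting this in front of users.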