having trouble with custom drilldowns in advanced XML

Communicator

I am using advanced XML to design a fairly simple dash - at the top of the first panel is a TextField (for AccountNumber), and a PullDown (for eventtype). Following this setup, I have a SubmitButton which is followed by a FlashTimeline.

A Search between the SubmitButton and the FlashTimeline is structured to show a table with the following fields: _time, MsgType, Info, Error

Following the FlashTimeline is a SimpleResultsTable with param-drilldown=row

Following the SimpleResultsTable, I want to put an EventsViewer displaying the actual (_raw) event when a certain row of the SimpleResultsTable is clicked. But I can't seem to find a solution. At the moment, when I click on any row of the SimpleResultsTable, all events are displayed; so I thought maybe I needed to specify a _time value in either a PostProcess or HiddenSavedSearch. When I tried using a PostProcess to redefine the results (i.e. search _time=$click.value$), I continue to receive all events. When I tried using HiddenSavedSearch, nothing is displayed - the reason being that the AccountNumber and eventtype from above weren't properly replaced in the search. I finally figured out this issue by disabling the EventsViewer and temporarily redirecting to a flashtimeline (view). Upon realizing the issue with HiddenSavedSearch, I began an attempt to use ConvertToIntention (etc.), but to no avail because neither the TextField nor the PullDown supports the "settingToCreate" param.

So finally, I've decided. This should be a pretty common requirement. So I'm throwing this up on the board. Any assistance is greatly appreciated. Am I missing something here?

1 Solution

SplunkTrust

First, when setting up inline drilldowns, I will usually put a temporary HTML module in there to print out the keys. Only once I have a good handle on things will I start putting in the elements for the next layer, like Redirector, or EventsViewers and headers.

For example, to see what $click.value$, and the timerange, and a pulldown value like 'clientip' look like, you can put this in below your SimpleResultsTable:

<module name="HTML">
  <param name="html"><![CDATA[
    DEBUGGING: <br>
    clientip.rawValue = $clientip.rawValue$<br>
    clientip (templated) = $clientip$<br>
    <br>
    click.value (table click) = $click.value$<br>
    <br>
    search.timeRange.earliest = $search.timeRange.earliest$<br>
    search.timeRange.latest   = $search.timeRange.latest$<br>
  ]]></param>
</module>

To set up the inline drilldown from the SimpleResultsTable to the EventsViewer, underneath your SimpleResultsTable, you need to have:

1) another Search module or a PostProcess module there, nested inside the SimpleResultsTable.

2) That Search or PostProcess module needs to have that EventsViewer module nested inside it.

3) make sure you're using $click.value$ in that search, or in that postprocess somewhere, and make sure that the way you're using it will restrict the results in the way you intend.

If the click results in the entire search result set displaying in the EventsViewer, I'm thinking either #1, #2 or #3 are not happening the way you think.

Also, you definitely do not want to do _time=$click.value$. The _time stuff will happen automatically; actually it's the SimpleResultsTable and FlashChart modules that do this at the point when they get clicked. You can verify this by printing out the timerange values below them using an HTML module (as in the above snippet).


UPDATE: Some More Notes:

It sounds to me like the rows in the SimpleResultsTable are basically the events in a condensed view, and you want to have the EventsViewer beneath show the full single event (btw it would be quite helpful if you could post the actual XML either inline or using something like pastebin). If so, this is unfortunately a very advanced thing to do in the Splunk UI. But read on.

The "_time" field is handled automatically, and it is always an epochtime value, meaning it's a number of seconds since 1/1/1970. However the SimpleResultsTable module and EventsViewer module special-case time to make it appear as a localized string. Therefore if you try to get the time value using $click.value$, you'll get that localized string, and obviously in this case that is not very useful. However, the presence of the SideviewUtils module in this view also forces SimpleResultsTable to provide a lot more keys: for any column called 'foo' in a SimpleResultsTable, when SideviewUtils is present in the view, you can also retrieve $click.fields.foo$. AND, I didn't write this into the docs, generally when _time is there you can also get $click.fields.epochTime$, and that's the raw epochTime value that you can make use of here.

Now, the questions are whether to use it, and how to use it.

Whether to use it:

If my assumption is wrong, and the rows in your SimpleResultsTable are actually transformed rows and not events, i.e. you have a stats or a bin or a chart or timechart in the search generating the table's rows, NO - do not do anything. The SimpleResultsTable will provide the restricted timerange to the modules inside it automatically. Just put your headers and EventsViewer directly inside the SimpleResultsTable and you're done.

If the Table is showing rows that are still 'events' in principle - meaning that each _time value is the _time value of one single event - then the table will pick up on _time, and since one time bound does not make a valid time range, it takes a wild guess at what timerange it should provide downstream -- it will restrict the timerange to either the second or the minute that the event occurred (I forget which). Neither of these is surefire, and I think if your events are super dense there can be many in the same minute or even in the same second; this may be what's happening when you say you get 'all' of the events shown onclick.

If that sounds likely, then to narrow the events down, you could put in a PostProcess module, and have the search be

search _time=$click.fields.epochTime$

and that would narrow it down to the exact second and millisecond. However events commonly appear in the same second so even this is not a surefire way to get down to a single event in all cases...

Which brings me to the notorious _cd field. In theory, if you provided the _cd field, renamed as 'eventId' to make it visible in the table, and you referred to it as $click.fields.eventId$, you could in theory do a PostProcess module with:

search eventId="$click.fields.eventId$"

But this has gone from 'very advanced' to 'extremely advanced' and there are pitfalls...

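An advanced XML fragment wiring up the nesting the answer describes, added here as an illustration (it is not XML from this thread or from Sideview): SideviewUtils present in the view, a base search that surfaces _cd as a visible eventId column, a PostProcess nested inside the SimpleResultsTable, and the EventsViewer nested inside that PostProcess. The index name, layoutPanel names, the use of eval to expose _cd, and the $AccountNumber$/$eventtype$ keys pushed down by the question's TextField and PullDown are assumptions; the form modules and SubmitButton themselves are omitted.

```xml
<!-- Goes in the view's header: with SideviewUtils loaded, the SimpleResultsTable
     also emits $click.fields.<column>$ and $click.fields.epochTime$ on a row click. -->
<module name="SideviewUtils" layoutPanel="appHeader"/>

<!-- Nest this Search under the SubmitButton from the question, so that
     $AccountNumber$ and $eventtype$ are already substituted when it runs.
     Assumption: eval copies the internal _cd value into a visible eventId field,
     and 'fields' (not 'table') is used so _raw stays on each event for the viewer. -->
<module name="Search" layoutPanel="panel_row2_col1">
  <param name="search">index=main AccountNumber="$AccountNumber$" eventtype="$eventtype$" | eval eventId=_cd | fields _time MsgType Info Error eventId</param>

  <module name="SimpleResultsTable">
    <param name="drilldown">row</param>

    <!-- Step 1: the PostProcess sits INSIDE the table, so it receives the click keys.
         Matching the per-event _cd value (seen here as eventId) isolates one event;
         'search _time=$click.fields.epochTime$' is the coarser alternative from the
         answer and can still return several events from the same second. -->
    <module name="PostProcess">
      <param name="search">search eventId="$click.fields.eventId$"</param>

      <!-- Step 2: the EventsViewer sits INSIDE the PostProcess and shows the _raw event. -->
      <module name="EventsViewer"/>
    </module>
  </module>
</module>
```

While debugging, the HTML module from the answer can be dropped next to the EventsViewer to print $click.fields.eventId$ and the two search.timeRange keys and confirm the click context actually reaches this level.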

SplunkTrust

If I may suggest a title for this question, you could try something like "having trouble with custom drilldowns in advanced XML."

0 Karma

SplunkTrust

No problem. Glad to help.

0 Karma

Communicator

and you are right about the _time. Sometimes I will get 2 or more events returned because epochTime is the same for those events. I will try using eventID...

thanks nick

0 Karma

Communicator

thanks for the help, you are absolutely correct, using

search _time=$click.fields.epochTime$

helps tremendously.

Furthermore, I have found the Sideview console helpful as well. Instead of ?showsource=true, I used ?showsvconsole=1... of course I needed the Sideview app to begin with.

0 Karma

SplunkTrust

Added a lot more notes to my answer under 'UPDATE'. If you're trying to do what I think you're trying to do, it's possible but very tricky. Posting your actual XML would help.

0 Karma

Communicator

thanks for the tips.

So now I know what $click.value$ is when I click a row from my SimpleResultsTable; it's a timestamp in a format, for example "2/25/11 10:42:12.195 AM".

So how should I be changing my search string so that only the selected row is displayed in the following EventsViewer?

Or perhaps $click.value$ isn't even the value I should be using, since you say not to use _time=$click.value$?

0 Karma