Solved: Re: Drilldown chart for each result

khanlarloo · ‎05-04-2019

Hi
if i want to say if index=a then go to specific page how can i say ?
my query is :
index= a or index=b | stats count by index
i using bar chart
when it shows b and then i click on b go to my savedsearch and the same for a.

Sukisen1981 · ‎05-05-2019

Hi you have to provide the link - this might take you to a external website or another dashboard.
Try this as is code snippet built on the _audit index, which will run be default.
Here I am clicking the chart column and a new window opens up re-directing me to the splunk answers page with the field value in this case.

<dashboard>
  <label>tes</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index="_audit"
| stats count by info</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <drilldown target="My New Window">

        <link><![CDATA[http://answers.splunk.com/search.html?q=$click.value$]]></link>
</drilldown>
      </chart>
    </panel>
  </row>

</dashboard>

Refer here for all the default click options available.https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/PanelreferenceforSimplifiedXML#Predefined_dri...

you need to re-direct the web page to a second dashboard url. Your code is almost correct, but the token you have used (or any drill down token you use) is a part of the redirect url. So, in the example above - http://answers.splunk.com/search.html?q=$click.value$
I am going to splunk answers AND then searching for answers with the click value token(clicked field value) in my case.For example if i click on on the 'completed' bar the redirected window in splunk answers looks like this - https://answers.splunk.com/search.html?q=completed
The clicked value(q=completed) is passed dynamically based on user choice..

Hope this helps

View solution in original post

niketn · ‎05-05-2019

@khanlarloo $latest$ for drilldown from timechart does not work as expected. So $row._span$ needs to be added to $row._time$ field to get latest time. Refer to one of my recent answers: https://answers.splunk.com/answers/740294/need-help-doing-drilldown-from-linechart.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn · ‎05-06-2019

@khanlarloo do up-vote the answer if it helped 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Sukisen1981 · ‎05-05-2019

Hi - in your drill down condition add the following, do not overwrite but just add the tokens to capture the time values -

 <drilldown>
             <set token="tok_ear">$earliest$</set>
             <set token="tok_lat">$latest$</set>
<link>
          <![CDATA[<your dashboard form url>form._earliest=$earliest$&form._latest=$latest$]]>

        </link>
   </drilldown>

There are many similar answers already available , I realise that you are probably new to splunk but try googling out answers, which might already contain what you are looking for 🙂
Here are a couple of already answered questions that are very similar.

https://answers.splunk.com/answers/438520/how-to-pass-time-range-values-in-a-drilldown.html
https://answers.splunk.com/answers/210758/how-to-create-a-drilldown-to-pass-time-to-timerang.html
and hetre is the splunk docs reference on delivered tokens
https://docs.splunk.com/Documentation/Splunk/6.2.1/Viz/PanelreferenceforSimplifiedXML#single_.28even...

khanlarloo · ‎05-05-2019

i reed this and i do it but didn't work, i don't know where is my mistake

khanlarloo · ‎05-05-2019

main Dashboard

  <title>Success Login ON  Devices</title>
  <chart>
    <search>
      <query>(index="fortigate" OR index="fortiweb" subtype=system status=success) |stats count by index  </query>
      <earliest>$time.earliest$</earliest>
      <latest>$time.latest$</latest>
    </search>
      <condition field="fortigate">
        <set token="tok_ear">$earliest$</set>
        <set token="tok_lat">$latest$</set>
       <link target="_blank" > 
         <![CDATA[/app/search/Success_login_on_fortigate?form._earliest=$earliest$&form._latest=$latest$]]>
       </link>
     </condition>

Sukisen1981 · ‎05-05-2019

Hi ,
There are 2 steps here -
Please use the as is snippets given below , built on the _audit index
test1 - main dashboard

 <form>
      <label>test1</label>
      <fieldset submitButton="false">
        <input type="time" token="field1">
          <label></label>
          <default>
            <earliest>-24h@h</earliest>
            <latest>now</latest>
          </default>
        </input>
      </fieldset>
      <row>
        <panel>
          <chart>
            <search>
              <query>index="_audit"
    | stats count by info</query>
              <earliest>$field1.earliest$</earliest>
              <latest>$field1.latest$</latest>
            </search>
            <option name="charting.chart">column</option>
            <option name="charting.drilldown">all</option>
            <drilldown target="My New Window">
              <set token="tok_ear">$field1.earliest$</set>
              <set token="tok_lat">$field1.latest$</set>
              <link>
                <![CDATA[/app/search/tes1?form.field1.earliest=$tok_ear$&form.field1.latest=$tok_lat$]]>
              </link>
            </drilldown>
          </chart>
        </panel>
      </row>
    </form>

test2 - second dashboard

<dashboard>
  <label>test2</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index="_audit"
| stats count by action</query>
          <earliest>$form.field1.earliest$</earliest>
          <latest>$form.field1.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</dashboard>

Test1 runs on the field info from the audit index in the chart panel
which looks like this :

<row>
    <panel>
      <chart>
        <search>
          <query>index="_audit"
| stats count by info</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <drilldown target="My New Window">
          <set token="tok_ear">$field1.earliest$</set>
          <set token="tok_lat">$field1.latest$</set>
          <link>
            <![CDATA[/app/search/tes1?form.field1.earliest=$tok_ear$&form.field1.latest=$tok_lat$]]>
          </link>
        </drilldown>
      </chart>
    </panel>
  </row>

I define the earliest and latest times just after the stats command in the search query, Then in drilldown I capture the tokens in tok_ear and tok_lat. lastly I pass the time tokens in the link -

 <![CDATA[/app/search/tes1?form.field1.earliest=$tok_ear$&form.field1.latest=$tok_lat$]]>

In the test 2 dashboard all I do is pass the earliest and latest tokens captured from test1

<earliest>$form.field1.earliest$</earliest>
          <latest>$form.field1.latest$</latest>

Since, I had set $form.field1.earliest$ and $form.field1.latest$ while passing the url in the link. I use the same tokens to set the time range in test2.

khanlarloo · ‎05-05-2019

Thank You so mush,i was really confused.you help me very much.

Sukisen1981 · ‎05-05-2019

Hi can you please paste your simple xml code?

Sukisen1981 · ‎05-05-2019

Hi you have to provide the link - this might take you to a external website or another dashboard.
Try this as is code snippet built on the _audit index, which will run be default.
Here I am clicking the chart column and a new window opens up re-directing me to the splunk answers page with the field value in this case.

<dashboard>
  <label>tes</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index="_audit"
| stats count by info</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <drilldown target="My New Window">

        <link><![CDATA[http://answers.splunk.com/search.html?q=$click.value$]]></link>
</drilldown>
      </chart>
    </panel>
  </row>

</dashboard>

Refer here for all the default click options available.https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/PanelreferenceforSimplifiedXML#Predefined_dri...

you need to re-direct the web page to a second dashboard url. Your code is almost correct, but the token you have used (or any drill down token you use) is a part of the redirect url. So, in the example above - http://answers.splunk.com/search.html?q=$click.value$
I am going to splunk answers AND then searching for answers with the click value token(clicked field value) in my case.For example if i click on on the 'completed' bar the redirected window in splunk answers looks like this - https://answers.splunk.com/search.html?q=completed
The clicked value(q=completed) is passed dynamically based on user choice..

Hope this helps

khanlarloo · ‎05-05-2019

thanks.it works. now i have another question:
i have time token in my main dashboard,when i choos specific time range when i click on chart value it goes to other dashboard with other time range,i want to show the result base on my time range on main dashboard how can i do that?

Sukisen1981 · ‎05-05-2019

Hi , I am converting my comment to an answer, please accept it if it resolved your issue. I will post an answer to your add on question as well

Sukisen1981 · ‎05-04-2019

Hi, you have to modify the simple xml in the dashboard, refer here https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/DrilldownIntro#Chart_navigation_and_selection...
Refer section - Choose a drilldown action
Depending on whether you want to go to a webpage or second dashboard you need to modify the simple xml code accordingly.

khanlarloo · ‎05-04-2019

i read this but i didn't understand.
my xml code is :

<panel>
  <title>Failed Login ON Devices</title>
  <chart>
    <search>
      <query>(index="fortigate" OR index="fortiweb" subtype=system status=failed) OR (index="cisco" mnemonic=LOGIN_FAILED)|stats count by index  |rename index as Host | transpose header_field="Host" column_name="Host"|  reverse</query>
      <earliest>$time.earliest$</earliest>
      <latest>$time.latest$</latest>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.text">Host</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.text">Count</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">bar</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">all</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <drilldown> 
     <condition field="Host">
      <link>$click.value2$</link>
     </condition>
    </drilldown>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">top</option>
    <option name="charting.fieldColors">{"fortigate": 0x68d112, "fortiweb":0x42db2b, "cisco":0x12c7db}</option>
  </chart>
</panel>

khanlarloo · ‎05-04-2019

can you help?

Drilldown chart for each result

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor