Dashboards & Visualizations

Drilldown chart for each result

khanlarloo
Explorer

Hi,
If I want to say "if index=a then go to a specific page", how can I do that?
My query is:
index=a OR index=b | stats count by index
I am using a bar chart.
When it shows b and I click on b, it should go to my saved search, and the same for a.

0 Karma
1 Solution

Sukisen1981
Champion

Hi, you have to provide the link - this might take you to an external website or to another dashboard.
Try this as-is code snippet built on the _audit index, which will run by default.
Here I am clicking the chart column and a new window opens up, redirecting me to the Splunk Answers page with the field value in this case.

<dashboard>
  <label>tes</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index="_audit"
| stats count by info</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <drilldown target="My New Window">
          <link><![CDATA[http://answers.splunk.com/search.html?q=$click.value$]]></link>
        </drilldown>
      </chart>
    </panel>
  </row>

</dashboard>

Refer here for all the default click options available: https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/PanelreferenceforSimplifiedXML#Predefined_dri...

You need to redirect the web page to a second dashboard URL. Your code is almost correct, but the token you have used (or any drilldown token you use) is a part of the redirect URL. So, in the example above - http://answers.splunk.com/search.html?q=$click.value$
I am going to Splunk Answers AND then searching for answers with the click value token (the clicked field value), in my case. For example, if I click on the 'completed' bar, the redirected window in Splunk Answers looks like this - https://answers.splunk.com/search.html?q=completed
The clicked value (q=completed) is passed dynamically based on the user's choice.

Hope this helps


0 Karma

niketn
Legend

@khanlarloo $latest$ for a drilldown from a timechart does not work as expected, so $row._span$ needs to be added to the $row._time$ field to get the latest time. Refer to one of my recent answers: https://answers.splunk.com/answers/740294/need-help-doing-drilldown-from-linechart.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
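To make the point above concrete, here is an added example (not code from the thread or from Splunk) of a timechart panel whose drilldown computes the clicked bucket's end itself: an `<eval>` adds the bucket width `_span`, which timechart emits on every row, to the bucket start `_time`, and both values go into the link as `earliest` and `latest`. Like the rest of the thread it runs on the `_audit` index so it works on a default install; the 1h span and the target search URL are assumptions.

```xml
<dashboard>
  <label>Audit events per hour (timechart drilldown)</label>
  <row>
    <panel>
      <chart>
        <search>
          <!-- timechart adds the hidden _span field (bucket width in seconds)
               to every result row; span=1h is an assumption for this example -->
          <query>index="_audit"
| timechart span=1h count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <!-- $row._time$ is the clicked bucket's start (epoch seconds).
               The bucket ends _span seconds later, so the end is computed
               with <eval> instead of relying on $latest$. -->
          <set token="tok_ear">$row._time$</set>
          <eval token="tok_lat">$row._time$ + $row._span$</eval>
          <!-- Hand-off to the search page, restricted to exactly the clicked
               hour. The q= part is the URL-encoded form of: search index="_audit" -->
          <link target="_blank">
            <![CDATA[/app/search/search?q=search%20index%3D%22_audit%22&earliest=$tok_ear$&latest=$tok_lat$]]>
          </link>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>
```

Clicking a column opens the events of that one bucket and nothing from the neighbouring buckets; with a different `span=` the same `<eval>` keeps working because `_span` follows the span the search used.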

niketn
Legend

@khanlarloo do up-vote the answer if it helped 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Sukisen1981
Champion

Hi - in your drilldown condition add the following; do not overwrite, just add the tokens to capture the time values -

<drilldown>
  <set token="tok_ear">$earliest$</set>
  <set token="tok_lat">$latest$</set>
  <link>
    <![CDATA[<your dashboard form url>form._earliest=$earliest$&form._latest=$latest$]]>
  </link>
</drilldown>

There are many similar answers already available. I realise that you are probably new to Splunk, but try googling for answers, which might already contain what you are looking for 🙂
Here are a couple of already answered questions that are very similar.

https://answers.splunk.com/answers/438520/how-to-pass-time-range-values-in-a-drilldown.html
https://answers.splunk.com/answers/210758/how-to-create-a-drilldown-to-pass-time-to-timerang.html
and here is the Splunk docs reference on delivered tokens:
https://docs.splunk.com/Documentation/Splunk/6.2.1/Viz/PanelreferenceforSimplifiedXML#single_.28even...

0 Karma

khanlarloo
Explorer

I read this and I did it, but it didn't work; I don't know where my mistake is.

0 Karma

khanlarloo
Explorer

main Dashboard

<panel>
  <title>Success Login ON Devices</title>
  <chart>
    <search>
      <query>(index="fortigate" OR index="fortiweb" subtype=system status=success) | stats count by index</query>
      <earliest>$time.earliest$</earliest>
      <latest>$time.latest$</latest>
    </search>
    <option name="charting.drilldown">all</option>
    <!-- the condition has to sit inside a <drilldown> element -->
    <drilldown>
      <condition field="fortigate">
        <!-- capture the dashboard's time picker tokens, then pass the captured tokens in the link -->
        <set token="tok_ear">$time.earliest$</set>
        <set token="tok_lat">$time.latest$</set>
        <link target="_blank">
          <![CDATA[/app/search/Success_login_on_fortigate?form._earliest=$tok_ear$&form._latest=$tok_lat$]]>
        </link>
      </condition>
    </drilldown>
  </chart>
</panel>
0 Karma

Sukisen1981
Champion

Hi,
There are 2 steps here.
Please use the as-is snippets given below, built on the _audit index.
test1 - main dashboard

<form>
  <label>test1</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index="_audit"
| stats count by info</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <drilldown target="My New Window">
          <set token="tok_ear">$field1.earliest$</set>
          <set token="tok_lat">$field1.latest$</set>
          <link>
            <![CDATA[/app/search/tes1?form.field1.earliest=$tok_ear$&form.field1.latest=$tok_lat$]]>
          </link>
        </drilldown>
      </chart>
    </panel>
  </row>
</form>

test2 - second dashboard

<dashboard>
  <label>test2</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index="_audit"
| stats count by action</query>
          <earliest>$form.field1.earliest$</earliest>
          <latest>$form.field1.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</dashboard>

Test1 runs on the field info from the audit index in the chart panel, which looks like this:

<row>
    <panel>
      <chart>
        <search>
          <query>index="_audit"
| stats count by info</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <drilldown target="My New Window">
          <set token="tok_ear">$field1.earliest$</set>
          <set token="tok_lat">$field1.latest$</set>
          <link>
            <![CDATA[/app/search/tes1?form.field1.earliest=$tok_ear$&form.field1.latest=$tok_lat$]]>
          </link>
        </drilldown>
      </chart>
    </panel>
  </row>

I define the earliest and latest times just after the stats command in the search query. Then in the drilldown I capture the tokens in tok_ear and tok_lat. Lastly I pass the time tokens in the link -

 <![CDATA[/app/search/tes1?form.field1.earliest=$tok_ear$&form.field1.latest=$tok_lat$]]>

In the test2 dashboard all I do is pass the earliest and latest tokens captured from test1:

<earliest>$form.field1.earliest$</earliest>
<latest>$form.field1.latest$</latest>

Since I had set $form.field1.earliest$ and $form.field1.latest$ while passing the URL in the link, I use the same tokens to set the time range in test2.

0 Karma
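Pulling the thread together, here is an added example (not code from the thread or from Splunk) that does what the original question asked for: one `stats count by index` bar chart where clicking the bar for one index opens that index's own page, with the time range chosen on the main dashboard travelling along the way the test1/test2 pair above does. The index names are the ones from the thread; the target dashboard IDs (`success_login_fortigate`, `success_login_fortiweb`), the time input token `time`, and the target dashboards reading `$form.time.earliest$` / `$form.time.latest$` exactly as test2 reads its tokens are assumptions. The value-to-page routing uses `<condition match="...">`, which evaluates the clicked row with eval-style syntax, so one panel serves every index.

```xml
<form>
  <label>Success login on devices (routed drilldown)</label>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Success Login ON Devices</title>
      <chart>
        <search>
          <!-- same shape as the question's search: one bar per index -->
          <query>(index="fortigate" OR index="fortiweb") subtype=system status=success
| stats count by index</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <!-- One condition per index value. 'row.index' is the clicked row's
               index field (the same value $click.value$ carries here).
               The first matching condition wins and only its link is followed.
               The time picker tokens are passed straight through; |u makes the
               URL-encoding of the token values explicit. -->
          <condition match="'row.index' == &quot;fortigate&quot;">
            <link target="_blank">
              <![CDATA[/app/search/success_login_fortigate?form.time.earliest=$time.earliest|u$&form.time.latest=$time.latest|u$]]>
            </link>
          </condition>
          <condition match="'row.index' == &quot;fortiweb&quot;">
            <link target="_blank">
              <![CDATA[/app/search/success_login_fortiweb?form.time.earliest=$time.earliest|u$&form.time.latest=$time.latest|u$]]>
            </link>
          </condition>
          <!-- Catch-all: an index with no dedicated page (for example one added
               to the search later) stays on this dashboard instead of opening
               a page meant for a different device. -->
          <condition field="*">
            <set token="unrouted_index">$click.value$</set>
          </condition>
        </drilldown>
      </chart>
    </panel>
    <panel depends="$unrouted_index$">
      <html>
        <p>No drilldown page is configured for index <b>$unrouted_index$</b>.</p>
      </html>
    </panel>
  </row>
</form>
```

Each target dashboard needs its own `<input type="time" token="time">`; the `form.time.earliest` / `form.time.latest` query parameters then pre-fill that picker, so the second page runs over the same window the user picked on the first one rather than over its own default.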

khanlarloo
Explorer

Thank you so much, I was really confused. You helped me very much.

0 Karma

Sukisen1981
Champion

Hi, can you please paste your Simple XML code?

0 Karma


khanlarloo
Explorer

Thanks, it works. Now I have another question:
I have a time token in my main dashboard. When I choose a specific time range and click on a chart value, it goes to the other dashboard with a different time range. I want to show the result based on my time range on the main dashboard; how can I do that?

0 Karma

Sukisen1981
Champion

Hi, I am converting my comment to an answer; please accept it if it resolved your issue. I will post an answer to your add-on question as well.

0 Karma

Sukisen1981
Champion

Hi, you have to modify the Simple XML in the dashboard; refer here: https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/DrilldownIntro#Chart_navigation_and_selection...
Refer to the section "Choose a drilldown action".
Depending on whether you want to go to a webpage or to a second dashboard, you need to modify the Simple XML code accordingly.

0 Karma

khanlarloo
Explorer

I read this but I didn't understand.
My XML code is:

<panel>
  <title>Failed Login ON Devices</title>
  <chart>
    <search>
      <query>(index="fortigate" OR index="fortiweb" subtype=system status=failed) OR (index="cisco" mnemonic=LOGIN_FAILED)|stats count by index  |rename index as Host | transpose header_field="Host" column_name="Host"|  reverse</query>
      <earliest>$time.earliest$</earliest>
      <latest>$time.latest$</latest>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.text">Host</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.text">Count</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">bar</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">all</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <drilldown> 
     <condition field="Host">
      <link>$click.value2$</link>
     </condition>
    </drilldown>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">top</option>
    <option name="charting.fieldColors">{"fortigate": 0x68d112, "fortiweb":0x42db2b, "cisco":0x12c7db}</option>
  </chart>
</panel>
0 Karma

khanlarloo
Explorer

Can you help?

0 Karma