Solved: How to retrieve the events based on the selected ...

rajeswariramar · ‎01-04-2018

Hey,

I am trying to retrieve the events based on the selected values from the Statistics table

IBD TOTAL SUCCESS FALED MAXRESPONSE MINRESPONSE AVGRESPONSE
IBD1 1149 1149 0 19432 693 1772.423847

IBD2 250 230 20 16532 18 2382.612000
IBD3 161 161 0 13801 741 1950.329193
IBD4 129 128 1 7395 45 2132.674419

IBD5 113 113 0 6324 825 1728.646018

index=* sourcetype=VM_STATS  |  stats count as TOTAL, count(eval(Status="SUCCESS")) as SUCCESS, count(eval(Status!="SUCCESS")) as FALED , max(TimeTaken) as MAXRESPONSE, MIN(TimeTaken) as MINRESPONSE, avg(TimeTaken) as AVGRESPONSE by IBD | sort 10 -SUCCESS

For Example if I select the MinResponse Value for the IBD1, it should return that particular event alone instead of returns all the Events listed under IBD1.

Is it possible to retrieve the events based on the selected values.

kamlesh_vaghela · ‎01-05-2018

Hi @rajeswariramar,

In your you can achieve your requirement by adding cell level drilldown in table view.
Add below drilldown code in your table view.

Can you please try below code?

<table>
    <search>
        <query>index=* sourcetype=VM_STATS  |  stats count as TOTAL, count(eval(Status="SUCCESS")) as SUCCESS, count(eval(Status!="SUCCESS")) as FALED , max(TimeTaken) as MAXRESPONSE, MIN(TimeTaken) as MINRESPONSE, avg(TimeTaken) as AVGRESPONSE by IBD | sort 10 -SUCCESS</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
    <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
    <drilldown>
        <condition field="IBD">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="TOTAL">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="SUCCESS">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" Status="SUCCESS" &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="FALED">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" Status!="SUCCESS" &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="MAXRESPONSE">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" TimeTaken=* &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="MINRESPONSE">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" TimeTaken=* &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="AVGRESPONSE">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" TimeTaken=* &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
    </drilldown>
</table>

Note: I have hard coded last 24 hrs in timestamp. So replace it with your token.

Thanks
Kamlesh

View solution in original post

mayurr98 · ‎01-05-2018

hey you can achieve this by drill-down method!

Copy this XML into a new dashboard and see if you get the desired results!

<form>
  <label>test</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=* sourcetype=VM_STATS  |  stats count as TOTAL, count(eval(Status="SUCCESS")) as SUCCESS, count(eval(Status!="SUCCESS")) as FALED , max(TimeTaken) as MAXRESPONSE, MIN(TimeTaken) as MINRESPONSE, avg(TimeTaken) as AVGRESPONSE by IBD | sort 10 -SUCCESS</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="IBD">$row.IBD$</set>
          <set token="TimeTaken">$row.MINRESPONSE$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=* sourcetype=VM_STATS IBD=$IBD$ TimeTaken=$TimeTaken$</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Let me know if this helps you!

kamlesh_vaghela · ‎01-05-2018

Hi @rajeswariramar,

In your you can achieve your requirement by adding cell level drilldown in table view.
Add below drilldown code in your table view.

Can you please try below code?

<table>
    <search>
        <query>index=* sourcetype=VM_STATS  |  stats count as TOTAL, count(eval(Status="SUCCESS")) as SUCCESS, count(eval(Status!="SUCCESS")) as FALED , max(TimeTaken) as MAXRESPONSE, MIN(TimeTaken) as MINRESPONSE, avg(TimeTaken) as AVGRESPONSE by IBD | sort 10 -SUCCESS</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
    <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
    <drilldown>
        <condition field="IBD">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="TOTAL">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="SUCCESS">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" Status="SUCCESS" &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="FALED">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" Status!="SUCCESS" &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="MAXRESPONSE">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" TimeTaken=* &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="MINRESPONSE">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" TimeTaken=* &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="AVGRESPONSE">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" TimeTaken=* &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
    </drilldown>
</table>

Note: I have hard coded last 24 hrs in timestamp. So replace it with your token.

Thanks
Kamlesh

rajeswariramar · ‎01-05-2018

Thank u.. its working now ..

kamlesh_vaghela · ‎01-05-2018

Glad to help you.

How to retrieve the events based on the selected values from the Statistics table

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk