Archive

Splunk Drill Down Option Issue

New Member

Hi ,

I am trying to create a dashboard for Error OR fail* from application logs. There are three hosts from where data is reporting to splunk instance.
Now i have run search query Error OR fail* and from output result created three dashboards in single.
1. Pie chart shows count for all hosts
2. Total Number of events that have Error or fail*
3. Events for all hosts that have Error or fail*

I have 1 dropbox as well which have all three hosts. I have defined a token value "drop_box" and pass that value in search of each dashboard. Now when i am selecting any host ,data from all three dashboard shown for that host only.

alt text

Now my requirement is , when i will click pie chart for a particular host, i should get the data for that host only but i am not getting this and it shows error "could not create search". below is code.

Tags (1)
0 Karma

SplunkTrust
SplunkTrust

@kaushal21rajput,

Made the following changes to the dashboard.

  • Removed the host filter - you could uncomment the block if you still need it
  • Set the token on the click of pie and added the token to other rows

Try this and lets know whats missing.

<dashboard>
  <label>Error OR Fail</label>
  <!--
  <fieldset submitButton="false">
    <input type="dropdown" token="drop_down" searchWhenChanged="true">
     <label>Select host</label>
     <choice value="*">alll</choice>
     <choice value="blankrhel6">host1</choice>
     <choice value="searchhead">host2</choice>
     <choice value="tip">host3</choice>
     <fieldForLabel>here is output</fieldForLabel>
     <fieldForValue>check</fieldForValue>
     <default>*</default>
   </input>
  </fieldset>
  -->
  <row>
    <panel>
      <chart>
        <search>
          <query>Error OR Fail host=*| stats count by host</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <!-- SET THE TOKEN host_from_pie TO CLICKED VALUE OF PIE-->
        <drilldown>
          <set token="host_from_pie">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <!-- Hide this once the user clicks on the pie chart -->
  <row rejects="$host_from_pie$">
    <html>
      <h5 align="center">Click on the pie to get details of host</h5>
    </html>
  </row>
  <row>
    <panel depends="$host_from_pie$"> <!-- ADDED A DEPENDENCY ON THE TOKEN SO THAT THE PANELS WILL BE DISPLAYED ONLY WHEN THE TOKEN IS SET -->
      <single>
        <title>Total Event</title>
        <search>
          <query>Error OR Fail host=$host_from_pie$ | stats count</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
        <option name="height">92</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
  <row>
    <panel depends="$host_from_pie$"> <!-- ADDED A DEPENDENCY ON THE TOKEN SO THAT THE PANELS WILL BE DISPLAYED ONLY WHEN THE TOKEN IS SET -->
      <event>
        <search>
          <query>Error OR fail* host=$host_from_pie$</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="raw.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">none</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</dashboard>
0 Karma

SplunkTrust
SplunkTrust

@kaushal21rajput, does it work for you ?

0 Karma

New Member

Below is XML code-

Error or fail

<input type="dropdown" token="drop_down" searchWhenChanged="true">
  <label>Select host</label>
  <choice value="*">alll</choice>
  <choice value="blankrhel6">host1</choice>
  <choice value="searchhead">host2</choice>
  <choice value="tip">host3</choice>
  <fieldForLabel>here is output</fieldForLabel>
  <fieldForValue>check</fieldForValue>
  <search>
    <query>Error OR fail* | stats count by $drop_dowm$</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <default>*</default>
</input>


<panel>
  <chart>
    <search>
      <query>Error OR Fail host = $drop_down$| stats count by host</query>
      <earliest>0</earliest>
      <latest></latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.abbreviation">none</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.abbreviation">none</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.abbreviation">none</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">pie</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">none</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.mode">standard</option>
    <option name="charting.legend.placement">right</option>
    <option name="charting.lineWidth">2</option>
    <option name="refresh.display">progressbar</option>
    <option name="trellis.enabled">0</option>
    <option name="trellis.scales.shared">1</option>
    <option name="trellis.size">medium</option>
    <drilldown>
      <link target="_blank">/app/search/error_or_fail?form.$drop_down$=$click.value$</link>
    </drilldown>
  </chart>
</panel>


<panel>
  <single>
    <title>Total Event</title>
    <search>
      <query>Error OR Fail host =$drop_down$ | stats count</query>
      <earliest>0</earliest>
      <latest></latest>
    </search>
    <option name="drilldown">none</option>
    <option name="height">92</option>
    <option name="refresh.display">progressbar</option>
  </single>
</panel>


<panel>
  <event>
    <search>
      <query>Error OR fail* host="$drop_down$"</query>
      <earliest>0</earliest>
      <latest></latest>
    </search>
    <option name="list.drilldown">none</option>
    <option name="list.wrap">1</option>
    <option name="raw.drilldown">none</option>
    <option name="refresh.display">progressbar</option>
    <option name="rowNumbers">0</option>
    <option name="table.drilldown">none</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
  </event>
</panel>
0 Karma