
$click.name2$ sending wrong text to linked search in chart drilldown

New Member

Hi...a newbie here. I've been absorbing training materials and looking through questions here but find myself stuck on something I'm hoping is easily fixed. I have a timechart using a search of unsightly error messages which I rename for readability on the chart. When I click on a chart bar, the linked search page opens; however, the search string uses the renamed values in my chart's query.

For example, when I click on the bar labelled 'DB-connection error' for some date, the search opened uses the renamed value ('DB-connection error') instead of the original string to be searched ('Error connecting to database'). Any help is much appreciated!

Thanks, Michelle

Linked search:
sourcetype="AA42127:OQL:bulk" DB-connection error earliest=1579820400 latest=1579906800

Graph panel source:

  <row>
    <panel>
      <title>FMDS Errors</title>
      <chart>
        <search>
          <query>sourcetype="AA42127:OQL:bulk" "(ADDRESS_LIST=(FAILOVER=on)" OR "Failed delivery for" OR "Error connecting to database" OR "Setup of JMS message listener invoker failed for destination" OR "moveFailed" OR "debulkStatusResult: Exception" OR "FileStatus=FAILED" OR "FMT-ERROR" OR "MsgDebulk filename in Error" OR "MsgDebulk generation failed" 
| timechart span=1d count(eval(match(_raw, "ADDRESS_LIST=.*FAILOVER=on"))) as "ADDRESS_LIST_FAILOVER"
count(eval(match(_raw, "Failed delivery for"))) as "Failed delivery"
count(eval(match(_raw, "Error connecting to database"))) as "DB-connection errror"
count(eval(match(_raw, "Setup of JMS message listener invoker failed for destination"))) as "JMS message listener invoker failed"
count(eval(match(_raw, "moveFailed"))) as "moveFailed"
count(eval(match(_raw, "debulkStatusResult: Exception"))) as "debulkStatusResult: Exception"
count(eval(match(_raw, "FileStatus=FAILED"))) as "FAILED FileStatus"
count(eval(match(_raw, "FMT-ERROR"))) as "FMT-ERROR"
count(eval(match(_raw, "MsgDebulk filename in Error"))) as "MsgDebulk Filename Error"  
count(eval(match(_raw, "MsgDebulk generation failed"))) as "MsgDebulk Generation Error"</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisStart</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">top</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <drilldown>
          <link target="_blank">search?q=sourcetype="AA42127:OQL:bulk" $click.name2$ earliest=$earliest$ latest=$latest$&amp;earliest=&amp;latest=</link>
        </drilldown>
      </chart>
    </panel>
  </row>
0 Karma

SplunkTrust

@albertmi since you have normalized the raw data match with your own pattern name, there is no raw data pattern value available for timechart drilldown. During drilldown you would need to write <condition> blocks similar to the case statement you have, in order to get the raw data match for your drilldown search.

For example, if $click.name$ is "Failed delivery", then the search query link will have the value "Failed delivery for" sent as a hard-coded value, as that is the reverse mapping of the case statement you have used to derive "Failed delivery".
The final <condition> block without any match is the default condition when none of the patterns described are present in the conditions. A similar default section should be applied to case() SPL as well, using a true() statement, depending on the use case. If not required, it can be removed.

    <drilldown>
      <condition match="$click.name2$==&quot;Failed delivery&quot;">
        <set token="tokClickedName">$click.name2$</set>
        <set token="tokRawDataClicked">Failed delivery for</set>
      </condition>
      <condition match="$click.name2$==&quot;DB-connection errror&quot;">
        <set token="tokClickedName">$click.name2$</set>
        <set token="tokRawDataClicked">Error connecting to database</set>
      </condition>
      <condition match="$click.name2$==&quot;JMS message listener invoker failed&quot;">
        <set token="tokClickedName">$click.name2$</set>
        <set token="tokRawDataClicked">Setup of JMS message listener invoker failed for destination</set>
      </condition>
      <condition>
        <set token="tokClickedName">$click.name2$</set>
        <set token="tokRawDataClicked">Other</set>
      </condition>
    </drilldown>

The following is a run-anywhere example with 3 values from your case statement. PS: You can try using a lookup file for this mapping and make the output dynamic, both for case() in SPL and drilldown <condition>.

PS: searchmatch() function can be used instead of match() when querying _raw data.

<dashboard>
  <label>Drilldown token</label>
  <row>
    <panel>
      <title>FMDS Errors</title>
      <chart>
        <search>
          <query>| makeresults
| eval raw="Failed delivery for,Error connecting to database,Setup of JMS message listener invoker failed for destination,Failed delivery for,Error connecting to database,Failed delivery for,Error connecting to database"
| makemv raw delim=","
| mvexpand raw
| rename raw as _raw
| eval delta=300
| accum delta
| eval _time=_time-delta
| timechart span=5min count(eval(match(_raw, "Failed delivery for"))) as "Failed delivery"
 count(eval(searchmatch("Error connecting to database"))) as "DB-connection errror"
 count(eval(searchmatch("Setup of JMS message listener invoker failed for destination"))) as "JMS message listener invoker failed"</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <drilldown>
          <condition match="$click.name2$==&quot;Failed delivery&quot;">
            <set token="tokClickedName">$click.name2$</set>
            <set token="tokRawDataClicked">Failed delivery for</set>
          </condition>
          <condition match="$click.name2$==&quot;DB-connection errror&quot;">
            <set token="tokClickedName">$click.name2$</set>
            <set token="tokRawDataClicked">Error connecting to database</set>
          </condition>
          <condition match="$click.name2$==&quot;JMS message listener invoker failed&quot;">
            <set token="tokClickedName">$click.name2$</set>
            <set token="tokRawDataClicked">Setup of JMS message listener invoker failed for destination</set>
          </condition>
          <condition>
            <set token="tokClickedName">$click.name2$</set>
            <set token="tokRawDataClicked">Other</set>
          </condition>
        </drilldown>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisStart</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">top</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        tokRawDataClicked: $tokRawDataClicked$<br/>
        tokClickedName: $tokClickedName$
      </html>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
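
Added example, not part of either post: the answer's `<condition>` blocks combined with the question's own `<link>`, so that each renamed series opens the linked search with the raw string it counts. The link shape is copied from the question's panel. Sending unmapped series to the bare sourcetype search in the default condition is an assumption made for this example.

```xml
<drilldown>
  <!-- The match string must equal the timechart "as" label exactly,
       including the spelling "DB-connection errror" used in the query. -->
  <condition match="$click.name2$==&quot;Failed delivery&quot;">
    <link target="_blank">search?q=sourcetype="AA42127:OQL:bulk" "Failed delivery for" earliest=$earliest$ latest=$latest$&amp;earliest=&amp;latest=</link>
  </condition>
  <condition match="$click.name2$==&quot;DB-connection errror&quot;">
    <link target="_blank">search?q=sourcetype="AA42127:OQL:bulk" "Error connecting to database" earliest=$earliest$ latest=$latest$&amp;earliest=&amp;latest=</link>
  </condition>
  <condition match="$click.name2$==&quot;JMS message listener invoker failed&quot;">
    <link target="_blank">search?q=sourcetype="AA42127:OQL:bulk" "Setup of JMS message listener invoker failed for destination" earliest=$earliest$ latest=$latest$&amp;earliest=&amp;latest=</link>
  </condition>
  <!-- Default (assumption for this example): no reverse mapping is known,
       so open the base search for the clicked time bucket instead of
       passing the display label through as a search term. -->
  <condition>
    <link target="_blank">search?q=sourcetype="AA42127:OQL:bulk" earliest=$earliest$ latest=$latest$&amp;earliest=&amp;latest=</link>
  </condition>
</drilldown>
```

The raw strings are wrapped in double quotes so that each is searched as a phrase rather than as separate terms.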