Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

dynamically refresh the data based on the hierarchical drill downs and vice versa. Please help.

splunklakshman
Explorer
‎02-23-2017 08:13 AM

Sample

<panel>
  <table>
    <title>Deals</title>
    <search>
      <query>index=_* OR index=* sourcetype=st_sample | stats count(Equipment_type) as Deals_Count  by Equipment_type</query>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
    <drilldown>
      <set token="Equipment_type">$click.value$</set>
    </drilldown>
  </table>
</panel>


<panel>
  <chart>
    <title>By State</title>
    <search>
      <query>index=_* OR index=* sourcetype=st_sample  Equipment_type="$Equipment_type$" | stats count(Equipment_type) as Deals_Count  by State </query>
    </search>
    <option name="charting.chart">bar</option>
    <drilldown>
      <set token="State">$click.value$</set>
    </drilldown>
  </chart>
</panel>
<panel>
  <chart>
    <title>By Region</title>
    <search>
      <query>index=_* OR index=* sourcetype=st_sample Equipment_type="$Equipment_type$"  State="$State$"   |  stats count(Equipment_type) as Deals_Count  by Region   </query>
    </search>
    <option name="charting.chart">bar</option>
    <drilldown>
      <set token="Region">$click.value$</set>
    </drilldown>
  </chart>
</panel>
<panel>
  <chart>
    <title>By Make</title>
    <search>
      <query>index=_* OR index=* sourcetype=st_sample State="$State$" AND Region="$Region$" | stats count(Equipment_type) as Deals_Count  by Make</query>

    </search>
    <option name="charting.chart">bar</option>
    <drilldown>
      <set token="Make">$click.value$</set>
    </drilldown>
  </chart>
</panel>
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎02-25-2017 09:10 AM

You can use depends attributes for the panels which you want to display based on previous token being set.

For example in you Deals Panel with table you can define the following

<drilldown>
  <set token="Equipment_type">$click.value$</set>
  <unset token="State"></unset>
  <unset token="Region"></unset>
  <unset token="Make"></unset>
</drilldown>

In By State Panel, you can define depends on Equipment_type

<chart depends="$Equipment_type$">

and for the drilldown

   <drilldown>
     <set token="State">$click.value$</set>
     <unset token="Region"></unset>
     <unset token="Make"></unset>
   </drilldown>

In the By Region panel you can then define depends for both Equipment and State

 <chart depends="$Equipment_type$,$State$">

and for drilldown something like the following...

   <drilldown>
     <set token="Region">$click.value$</set>
     <unset token="Make"></unset>
   </drilldown>

Similar to the example above, you can extend for By Make panel as well.

Please explain the behavior of vice-versa scenario.

For details on depends and rejects attributes to hide/display a panel refer to the following documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens
Also refer to Null Search Swapper Example in Splunk 6.x Dashboard Examples App.

On a different note, see if you can use exact index names in your query instead of wildcard for all indexes also a feasibility of using Post Processing for performance improvement instead of re-running Stats filters down the line on each cascaded selections.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

splunklakshman
Explorer
‎02-25-2017 11:47 AM

Niketnilay, i need one more help. For suppose if I click on deals Car, the car details table should show , if I click on car and state, the combination of car and state details should be displayed and so on. Can you pls help. Thanks

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎02-25-2017 11:20 PM

@splunklakshman I would request you to post a new questions in future for separate questions.... However, if you have downloaded the Splunk 6.x Dashboard Examples app, you can check out Table Row Expansion (More Details) example. This involves Javascript extension to Simple XML which may require you to restart Splunk and also clear browser history for changes to reflect. Please check out and see if it suits your needs.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎02-25-2017 09:10 AM

You can use depends attributes for the panels which you want to display based on previous token being set.

For example in you Deals Panel with table you can define the following

<drilldown>
  <set token="Equipment_type">$click.value$</set>
  <unset token="State"></unset>
  <unset token="Region"></unset>
  <unset token="Make"></unset>
</drilldown>

In By State Panel, you can define depends on Equipment_type

<chart depends="$Equipment_type$">

and for the drilldown

   <drilldown>
     <set token="State">$click.value$</set>
     <unset token="Region"></unset>
     <unset token="Make"></unset>
   </drilldown>

In the By Region panel you can then define depends for both Equipment and State

 <chart depends="$Equipment_type$,$State$">

and for drilldown something like the following...

   <drilldown>
     <set token="Region">$click.value$</set>
     <unset token="Make"></unset>
   </drilldown>

Similar to the example above, you can extend for By Make panel as well.

Please explain the behavior of vice-versa scenario.

For details on depends and rejects attributes to hide/display a panel refer to the following documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens
Also refer to Null Search Swapper Example in Splunk 6.x Dashboard Examples App.

On a different note, see if you can use exact index names in your query instead of wildcard for all indexes also a feasibility of using Post Processing for performance improvement instead of re-running Stats filters down the line on each cascaded selections.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

splunklakshman
Explorer
‎02-25-2017 10:56 AM

Niketnilay, You are genius . I applied the functionality which you have mentioned. Appreciate your smart work and experiences. I will follow you . Gr8.....:)

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎02-25-2017 11:15 PM

@splunklakshman... Thanks for your kind words... There are so many highly experienced Splunkers in the community always willing to help. I am still a newbie on Splunk Answers and a learner. I would recommend you to follow Splunk Answers itself ...you will be amazed at what Splunk can do and with multiple solutions to the same problems how many small tips, tricks and tweaks can really lead up to optimal solutions.

Keep learning and keep contributing.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-25-2017 11:43 AM

If your problem is resolved, please accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

splunklakshman
Explorer
‎02-25-2017 10:13 AM

Appreciate your valuable inputs. I will try and let you know the update. For Vice versa, drill up like for suppose if we click on any value on Make, automatically the drill ups should happen,it should select particular region , particular state. Thanks in Advance.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎02-25-2017 11:08 PM

@splunklakshman...Vice Versa might not be possible in your scenario...since you are populating contents based on selection in parent panel... but you can unset child tokens when parent selection is changed. I already had a sample of the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

splunklakshman
Explorer
‎02-23-2017 08:54 AM

Once i click on the Equipment Type, i need to see the State details, after clicking State i need to see the Region details and i can do back and forth
alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎02-23-2017 08:44 AM

More details on your requirement please.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...