Dashboards & Visualizations

Adding drilldown to trellis layout

ritupatil02
Path Finder

How to add drilldown to the split visualisation in trellis layout?

I tried using this but it didn't work out

<drilldown>

<set token="selected_value">$trellis.value$</set> 

</drilldown>

Is there any other way to achieve this?

Here's my XML:

<row>
<panel id="table1">
<title>Asset Hierarchy - ($name1$)</title>
<single id="test10">
<title>Percentage</title>

<search>
<query>$envInput$ sourcetype="meridium:assethierarchy" appn="APM - Meridium"
| stats count by lvl
| eventstats sum(count) as total
| eval count=100*count/total
| fields - total
| transpose header_field=lvl column_name=lvl
| fields - lvl</query>
<earliest>$timeInput.earliest$</earliest>
<latest>$timeInput.latest$</latest>
</search>
<option name="drilldown">all</option>
<option name="height">130</option>
<option name="numberPrecision">0.00</option>
<option name="rangeColors">["0xdc4e41","0x53a051","0xf1813f","0x3c444d","0x3c444d"]</option>
<option name="trellis.enabled">1</option>
<option name="unit">%</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<link target="_blank">search?q=$envInput$%20sourcetype%3D%22meridium%3Aassethierarchy%22%20appn%3D%22APM%20-%20Meridium%22&amp;earliest=$timeInput.earliest$&amp;latest=$timeInput.latest$</link>
</drilldown>
</single>
</html>

Labels (2)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@ritupatil02 

to have trelliss value you need to modify little bit  your search. Please check below XML.

 

 

<dashboard>
  <label>Single View</label>
  <row>
    <panel>
      <single id="singleTrellis1">
        <search>
          <query>| makeresults count=10 | eval a=1 | accum a | eval lvl=case(a%3==0,"Error",a%3==1,"Info",a%3==2,"Warn") | stats count by lvl | eventstats sum(count) as total | eval count=(100*count/total). "%" | fields - total</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorMode">none</option>
        <option name="drilldown">all</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.size">medium</option>
        <drilldown>
          <condition match="$trellis.value$=&quot;Error&quot;">
            <set token="tkn_search">SET_YOUR_SEARCH $trellis.value$</set>  
          </condition>
          <condition match="$trellis.value$=&quot;Info&quot;">
            <set token="tkn_search">SET_YOUR_SEARCH $trellis.value$</set>  
          </condition>
          <condition match="$trellis.value$=&quot;Warn&quot;">
            <set token="tkn_search">SET_YOUR_SEARCH $trellis.value$ </set>  
          </condition>
        </drilldown>
      </single>
      <html>
        $tkn_search$
      </html>
      <html depends="$alwaysHideCSS$">
      <style>
        #singleTrellis1 #facet-viz_groupby_field_lvl_groupby_value_Error svg{
          background-color: aqua;
        }

        #singleTrellis1 #facet-viz_groupby_field_lvl_groupby_value_Info svg{
          background-color: green;
        }

        #singleTrellis1 #facet-viz_groupby_field_lvl_groupby_value_Warn svg{
          background-color: yellow;
        }
        #singleTrellis1 #facet-viz_data_source_Error svg{
          background-color: aqua;
        }
        #singleTrellis1 #facet-viz_data_source_Info svg{
          background-color: green;
        }
        #singleTrellis1 #facet-viz_data_source_Warn svg{
          background-color: yellow;
        }
      </style>
      </html>
    </panel>
  </row>
</dashboard>

 

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela
SplunkTrust
SplunkTrust

@ritupatil02 

Can you please check this?

https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/VisualizationTrellis#Predefined_tokens_...

 

Please let me know if you face any difficulties.

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma

ritupatil02
Path Finder

Exactly where do we add "$trellis.value$" ?

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@ritupatil02 

to have trelliss value you need to modify little bit  your search. Please check below XML.

 

 

<dashboard>
  <label>Single View</label>
  <row>
    <panel>
      <single id="singleTrellis1">
        <search>
          <query>| makeresults count=10 | eval a=1 | accum a | eval lvl=case(a%3==0,"Error",a%3==1,"Info",a%3==2,"Warn") | stats count by lvl | eventstats sum(count) as total | eval count=(100*count/total). "%" | fields - total</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorMode">none</option>
        <option name="drilldown">all</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.size">medium</option>
        <drilldown>
          <condition match="$trellis.value$=&quot;Error&quot;">
            <set token="tkn_search">SET_YOUR_SEARCH $trellis.value$</set>  
          </condition>
          <condition match="$trellis.value$=&quot;Info&quot;">
            <set token="tkn_search">SET_YOUR_SEARCH $trellis.value$</set>  
          </condition>
          <condition match="$trellis.value$=&quot;Warn&quot;">
            <set token="tkn_search">SET_YOUR_SEARCH $trellis.value$ </set>  
          </condition>
        </drilldown>
      </single>
      <html>
        $tkn_search$
      </html>
      <html depends="$alwaysHideCSS$">
      <style>
        #singleTrellis1 #facet-viz_groupby_field_lvl_groupby_value_Error svg{
          background-color: aqua;
        }

        #singleTrellis1 #facet-viz_groupby_field_lvl_groupby_value_Info svg{
          background-color: green;
        }

        #singleTrellis1 #facet-viz_groupby_field_lvl_groupby_value_Warn svg{
          background-color: yellow;
        }
        #singleTrellis1 #facet-viz_data_source_Error svg{
          background-color: aqua;
        }
        #singleTrellis1 #facet-viz_data_source_Info svg{
          background-color: green;
        }
        #singleTrellis1 #facet-viz_data_source_Warn svg{
          background-color: yellow;
        }
      </style>
      </html>
    </panel>
  </row>
</dashboard>

 

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

ritupatil02
Path Finder

Won't a condition be required ?

If I have to go to different search when I click on Error and Info

Capture.PNG

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@ritupatil02 

I have updated my answer.  Please check drill down logic and set search as per your requirement.

 

0 Karma

ritupatil02
Path Finder

@kamlesh_vaghela 

I did set the search in the drilldown but its still taking me too the originally set query

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@ritupatil02 

Can you please share your sample SingleView XML?

KV

0 Karma

ritupatil02
Path Finder

@kamlesh_vaghela 

<search>
<query>$envInput$ sourcetype="meridium:webapi" appn="APM - Meridium"
| stats count by lvl
| eventstats sum(count) as total

| eval count=100*count/total
| fields - total
| transpose header_field=lvl column_name=lvl
| fields - lvl</query>
<earliest>$timeInput.earliest$</earliest>
<latest>$timeInput.latest$</latest>
</search>
<option name="drilldown">all</option>
<option name="height">130</option>
<option name="numberPrecision">0.00</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">1</option>
<option name="unit">%</option>
<option name="colorMode">none</option>
<drilldown>
<condition match="$trellis.value$=&quot;Error&quot;">
<set token="tkn_search">$envInput$ appn="APM - Meridium" rslt="Failed" sourcetype="meridium:webapi" $trellis.value$</set>
</condition>
<condition match="$trellis.value$=&quot;Info&quot;">
<set token="tkn_search">$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" $trellis.value$</set>
</condition>
<condition match="$trellis.value$=&quot;Warn&quot;">
<set token="tkn_search">$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" $trellis.value$ </set>
</condition>
</drilldown>

</single>
<html>
$tkn_search$
</html>
<html depends="$alwaysHideCSS$">
<style>
#test40 #facet-viz_data_source_Error svg{
background-color: crimson;
}
#test40 #facet-viz_data_source_Info svg{
background-color: forestgreen;
}
#test40 #facet-viz_data_source_Warn svg{
background-color: darkorange;
}
</style>
</html>

 

Also, the search is not opening in a new window

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@ritupatil02 

Drilldown condition works fine in local. Can you please update same with below code and check search token?

<condition match="$trellis.value$=&quot;Error&quot;">
            <set token="tkn_search">$envInput$ appn="APM - Meridium" rslt="Failed" sourcetype="meridium:webapi" $trellis.value$</set>
          </condition>
          <condition match="$trellis.value$=&quot;Info&quot;">
            <set token="tkn_search">$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" $trellis.value$</set>
          </condition>
          <condition match="$trellis.value$=&quot;Warn&quot;">
            <set token="tkn_search">$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" $trellis.value$ </set>
          </condition>
          <condition>
            <set token="tkn_search">$trellis.value$ </set>
          </condition>

 

I've added extra condition for debug purpose. Just check tkn_search value on drill down.

 

If you want to open the search in new window then try this.

<condition match="$trellis.value$=&quot;Error&quot;">
            <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="Failed" sourcetype="meridium:webapi" $trellis.value$</link>
          </condition>
          <condition match="$trellis.value$=&quot;Info&quot;">
            <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" $trellis.value$</link>
          </condition>
          <condition match="$trellis.value$=&quot;Warn&quot;">
            <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" $trellis.value$</link>
          </condition>
          <condition>
            <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="*" sourcetype="meridium:webapi" $trellis.value$</link>
          </condition>

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

ritupatil02
Path Finder

@kamlesh_vaghela 

Why does the drilldown returns this query "(host="prod*") appn="APM - Meridium" rslt="*" sourcetype="meridium:webapi" $trellis.value$" when it should actually return "(host="prod*") appn="APM - Meridium" rslt="Failed" sourcetype="meridium:webapi""

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@ritupatil02 

You have used transpose command and then after fields - lvl. So may me due to that you unable to find $trellis.value$ during drilldown. That's Y I suggested stats command in my example. 

But you can use the same search with below drilldown  condition. Here direct field name is used in condition.

<condition match="$row.Error$>&quot;-1&quot;">
            <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="Failed" sourcetype="meridium:webapi" Error</link>
          </condition>
          <condition match="$row.Info$>&quot;-1&quot;">
            <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" Info</link>
          </condition>
          <condition match="$row.Warn$>&quot;-1&quot;">
            <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" Warn</link>
          </condition>

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

ritupatil02
Path Finder

@kamlesh_vaghela 

That worked absolutely fine.. Thanks!! 🙂

 

Can we also add shared time range picker to the drilldown search?

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Yes @ritupatil02 

Just append below code link.

 

 

&amp;earliest=$timeInput.earliest$&amp;latest=$timeInput.latest$

 

 

like

 

<condition match="$row.Error$&gt;&quot;-1&quot;">
            <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="Failed" sourcetype="meridium:webapi" Error&amp;earliest=$timeInput.earliest$&amp;latest=$timeInput.latest$</link>
          </condition>
          <condition match="$row.Info$&gt;&quot;-1&quot;">
            <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" Info&amp;earliest=$timeInput.earliest$&amp;latest=$timeInput.latest$</link>
          </condition>
          <condition match="$row.Warn$&gt;&quot;-1&quot;">
            <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" Warn&amp;earliest=$timeInput.earliest$&amp;latest=$timeInput.latest$</link>
          </condition>

 

 

KV

ritupatil02
Path Finder

@kamlesh_vaghela 

Gives "Invalid character entity" error

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

I have encode & to &amp;

Check my updated answer.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...