Dashboards & Visualizations

Adding drilldown to trellis layout

ritupatil02
Path Finder

How to add drilldown to the split visualisation in trellis layout?

I tried using this but it didn't work out

<drilldown>
<set token="selected_value">$trellis.value$</set>
</drilldown>

Is there any other way to achieve this?

Here's my XML:

<row>
<panel id="table1">
<title>Asset Hierarchy - ($name1$)</title>
<single id="test10">
<title>Percentage</title>

<search>
<query>$envInput$ sourcetype="meridium:assethierarchy" appn="APM - Meridium"
| stats count by lvl
| eventstats sum(count) as total
| eval count=100*count/total
| fields - total
| transpose header_field=lvl column_name=lvl
| fields - lvl</query>
<earliest>$timeInput.earliest$</earliest>
<latest>$timeInput.latest$</latest>
</search>
<option name="drilldown">all</option>
<option name="height">130</option>
<option name="numberPrecision">0.00</option>
<option name="rangeColors">["0xdc4e41","0x53a051","0xf1813f","0x3c444d","0x3c444d"]</option>
<option name="trellis.enabled">1</option>
<option name="unit">%</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<link target="_blank">search?q=$envInput$%20sourcetype%3D%22meridium%3Aassethierarchy%22%20appn%3D%22APM%20-%20Meridium%22&amp;earliest=$timeInput.earliest$&amp;latest=$timeInput.latest$</link>
</drilldown>
</single>
</panel>
</row>

0 Karma

kamlesh_vaghela
SplunkTrust

@ritupatil02 

Can you please check this?

https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/VisualizationTrellis#Predefined_tokens_...

 

Please let me know if you face any difficulties.

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my replies helps you to solve the problem or gain knowledge, an upvote would be appreciated.

0 Karma

ritupatil02
Path Finder

Exactly where do we add "$trellis.value$"?

0 Karma

kamlesh_vaghela
SplunkTrust

@ritupatil02 

To have the trellis value, you need to modify your search a little bit. Please check the XML below.

<dashboard>
  <label>Single View</label>
  <row>
    <panel>
      <single id="singleTrellis1">
        <search>
          <query>| makeresults count=10 | eval a=1 | accum a | eval lvl=case(a%3==0,"Error",a%3==1,"Info",a%3==2,"Warn") | stats count by lvl | eventstats sum(count) as total | eval count=(100*count/total). "%" | fields - total</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorMode">none</option>
        <option name="drilldown">all</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.size">medium</option>
        <drilldown>
          <condition match="$trellis.value$=&quot;Error&quot;">
            <set token="tkn_search">SET_YOUR_SEARCH $trellis.value$</set>  
          </condition>
          <condition match="$trellis.value$=&quot;Info&quot;">
            <set token="tkn_search">SET_YOUR_SEARCH $trellis.value$</set>  
          </condition>
          <condition match="$trellis.value$=&quot;Warn&quot;">
            <set token="tkn_search">SET_YOUR_SEARCH $trellis.value$ </set>  
          </condition>
        </drilldown>
      </single>
      <html>
        $tkn_search$
      </html>
      <html depends="$alwaysHideCSS$">
      <style>
        #singleTrellis1 #facet-viz_groupby_field_lvl_groupby_value_Error svg{
          background-color: aqua;
        }

        #singleTrellis1 #facet-viz_groupby_field_lvl_groupby_value_Info svg{
          background-color: green;
        }

        #singleTrellis1 #facet-viz_groupby_field_lvl_groupby_value_Warn svg{
          background-color: yellow;
        }
        #singleTrellis1 #facet-viz_data_source_Error svg{
          background-color: aqua;
        }
        #singleTrellis1 #facet-viz_data_source_Info svg{
          background-color: green;
        }
        #singleTrellis1 #facet-viz_data_source_Warn svg{
          background-color: yellow;
        }
      </style>
      </html>
    </panel>
  </row>
</dashboard>

 

 

Thanks
KV

ritupatil02
Path Finder

Won't a condition be required?

If I have to go to a different search when I click on Error and Info

0 Karma

kamlesh_vaghela
SplunkTrust

@ritupatil02 

I have updated my answer. Please check the drilldown logic and set the search as per your requirement.

 

0 Karma

ritupatil02
Path Finder

@kamlesh_vaghela 

I did set the search in the drilldown, but it's still taking me to the originally set query.

0 Karma

kamlesh_vaghela
SplunkTrust

@ritupatil02 

Can you please share your sample SingleView XML?

KV

0 Karma

ritupatil02
Path Finder

@kamlesh_vaghela 

<search>
<query>$envInput$ sourcetype="meridium:webapi" appn="APM - Meridium"
| stats count by lvl
| eventstats sum(count) as total

| eval count=100*count/total
| fields - total
| transpose header_field=lvl column_name=lvl
| fields - lvl</query>
<earliest>$timeInput.earliest$</earliest>
<latest>$timeInput.latest$</latest>
</search>
<option name="drilldown">all</option>
<option name="height">130</option>
<option name="numberPrecision">0.00</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">1</option>
<option name="unit">%</option>
<option name="colorMode">none</option>
<drilldown>
<condition match="$trellis.value$=&quot;Error&quot;">
<set token="tkn_search">$envInput$ appn="APM - Meridium" rslt="Failed" sourcetype="meridium:webapi" $trellis.value$</set>
</condition>
<condition match="$trellis.value$=&quot;Info&quot;">
<set token="tkn_search">$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" $trellis.value$</set>
</condition>
<condition match="$trellis.value$=&quot;Warn&quot;">
<set token="tkn_search">$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" $trellis.value$ </set>
</condition>
</drilldown>

</single>
<html>
$tkn_search$
</html>
<html depends="$alwaysHideCSS$">
<style>
#test40 #facet-viz_data_source_Error svg{
background-color: crimson;
}
#test40 #facet-viz_data_source_Info svg{
background-color: forestgreen;
}
#test40 #facet-viz_data_source_Warn svg{
background-color: darkorange;
}
</style>
</html>

 

Also, the search is not opening in a new window

0 Karma

kamlesh_vaghela
SplunkTrust

@ritupatil02 

The drilldown condition works fine locally. Can you please update yours with the code below and check the search token?

<condition match="$trellis.value$=&quot;Error&quot;">
  <set token="tkn_search">$envInput$ appn="APM - Meridium" rslt="Failed" sourcetype="meridium:webapi" $trellis.value$</set>
</condition>
<condition match="$trellis.value$=&quot;Info&quot;">
  <set token="tkn_search">$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" $trellis.value$</set>
</condition>
<condition match="$trellis.value$=&quot;Warn&quot;">
  <set token="tkn_search">$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" $trellis.value$ </set>
</condition>
<condition>
  <set token="tkn_search">$trellis.value$ </set>
</condition>

 

I've added an extra condition for debugging purposes. Just check the tkn_search value on drilldown.

 

If you want to open the search in a new window, then try this.

<condition match="$trellis.value$=&quot;Error&quot;">
  <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="Failed" sourcetype="meridium:webapi" $trellis.value$</link>
</condition>
<condition match="$trellis.value$=&quot;Info&quot;">
  <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" $trellis.value$</link>
</condition>
<condition match="$trellis.value$=&quot;Warn&quot;">
  <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" $trellis.value$</link>
</condition>
<condition>
  <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="*" sourcetype="meridium:webapi" $trellis.value$</link>
</condition>

 

Thanks
KV

ritupatil02
Path Finder

@kamlesh_vaghela 

Why does the drilldown return this query "(host="prod*") appn="APM - Meridium" rslt="*" sourcetype="meridium:webapi" $trellis.value$" when it should actually return "(host="prod*") appn="APM - Meridium" rslt="Failed" sourcetype="meridium:webapi""?

0 Karma

kamlesh_vaghela
SplunkTrust

@ritupatil02 

You have used the transpose command and, after that, fields - lvl. So maybe due to that you are unable to find $trellis.value$ during drilldown. That's why I suggested the stats command in my example.

But you can use the same search with the drilldown condition below. Here the field name is used directly in the condition.

<condition match="$row.Error$>&quot;-1&quot;">
  <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="Failed" sourcetype="meridium:webapi" Error</link>
</condition>
<condition match="$row.Info$>&quot;-1&quot;">
  <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" Info</link>
</condition>
<condition match="$row.Warn$>&quot;-1&quot;">
  <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" Warn</link>
</condition>

 

Thanks
KV

ritupatil02
Path Finder

@kamlesh_vaghela 

That worked absolutely fine.. Thanks!! 🙂

 

Can we also add the shared time range picker to the drilldown search?

0 Karma

kamlesh_vaghela
SplunkTrust

Yes @ritupatil02 

Just append the code below to the link.

&amp;earliest=$timeInput.earliest$&amp;latest=$timeInput.latest$

like

<condition match="$row.Error$&gt;&quot;-1&quot;">
  <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="Failed" sourcetype="meridium:webapi" Error&amp;earliest=$timeInput.earliest$&amp;latest=$timeInput.latest$</link>
</condition>
<condition match="$row.Info$&gt;&quot;-1&quot;">
  <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" Info&amp;earliest=$timeInput.earliest$&amp;latest=$timeInput.latest$</link>
</condition>
<condition match="$row.Warn$&gt;&quot;-1&quot;">
  <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" Warn&amp;earliest=$timeInput.earliest$&amp;latest=$timeInput.latest$</link>
</condition>

 

 

KV

ritupatil02
Path Finder

@kamlesh_vaghela 

Gives "Invalid character entity" error

0 Karma

kamlesh_vaghela
SplunkTrust

I have encoded & to &amp;

Check my updated answer.

0 Karma
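
An added example, not part of the thread and not Splunk code: a small Python check that parses a <drilldown> fragment as XML, so a bare & in a <link> (the cause of the "Invalid character entity" report above) is caught before the dashboard is saved, and that lists which URL parameters and tokens each link passes. The names lint_drilldown, GOOD and BAD are hypothetical, and the fragment is a constructed sample based on the last answer.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the thread's final drilldown; the second
# condition deliberately omits the time-range parameters.
GOOD = """<drilldown>
  <condition match="$row.Error$&gt;&quot;-1&quot;">
    <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="Failed" sourcetype="meridium:webapi" Error&amp;earliest=$timeInput.earliest$&amp;latest=$timeInput.latest$</link>
  </condition>
  <condition match="$row.Info$&gt;&quot;-1&quot;">
    <link target="_blank">search?q=$envInput$ appn="APM - Meridium" rslt="Succeeded" sourcetype="meridium:webapi" Info</link>
  </condition>
</drilldown>"""
# Same fragment with bare ampersands: no longer well-formed XML.
BAD = GOOD.replace("&amp;", "&")

TOKEN = re.compile(r"\$([A-Za-z_][\w.]*)\$")  # $name$ token references


def lint_drilldown(fragment):
    """Hypothetical helper: return (findings, links) for a <drilldown> fragment."""
    try:
        root = ET.fromstring(fragment)
    except ET.ParseError as exc:  # e.g. a bare & inside <link>
        return [f"XML parse error: {exc}"], []
    findings, links = [], []
    for cond in root.iter("condition"):
        match = cond.get("match", "<default>")  # entities are decoded here
        for link in cond.iter("link"):
            text = (link.text or "").strip()
            params = parse_qs(urlsplit(text).query, keep_blank_values=True)
            links.append({"match": match, "target": link.get("target"),
                          "params": sorted(params),
                          "tokens": sorted(set(TOKEN.findall(text)))})
            for needed in ("earliest", "latest"):
                if needed not in params:
                    findings.append(f"{match}: link passes no {needed}")
    return findings, links


if __name__ == "__main__":
    for name, fragment in (("BAD", BAD), ("GOOD", GOOD)):
        findings, links = lint_drilldown(fragment)
        print(name, findings or "ok", [entry["params"] for entry in links])
```

The token list per link also shows which dashboard inputs end up in the drilldown URL, which is the place to review when an input such as $envInput$ accepts free text.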