- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Advanced Chart Drilldown Question
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a chart which I want to be able to click and drilldown to another chart. My problem is that I want to be able to define a hidden search criteria and don't want the click to add any terms to the search, I only want the top chart to pass the time range down to the drilldown chart.
ex. my drilldown hiddensearch
After I click on my chart it adds test_field="test" to the search critera so then it looks like this
index="oriondata" app_name="YRI MW" test_field="test" | timechart count by app_name
how can I make splunk disregard the click value and just pass the time range?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I figured it out. To pass only the time value I used intention. I removed one of the search terms from the original search and used intention with the addterm parameter to add it back into the search criteria. I really didn't need the $click.value$. I replaced that with a static value.
See code below.
<module name="ConvertToIntention">
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="app_name">"YRI *MW*"</param>
</param>
</param>
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You actually don't need to do anything at all.
Assuming that the the first FlashChart is rendering a timechart, when the user clicks it, the argument that module passes to the downstream modules will already include the modified timerange.
So if you take out any HiddenSearch and the ConvertToIntention that you had tried, and just have FlashChart or other "dispatching" modules downstream from the first chart, the exact same search will automatically get dispatched, but using the modified timerange.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You've had the power all along. See "Key Techniques > inline drilldown > drilldowns with tables and charts". On that page there is an example of both 'table to chart' and 'chart to chart', although it's all pretty interchangeable. You can figure out from the example how to put tables downstream from charts, charts downstream from tables, HTML modules downstream from any, EventsViewer modules, etc... go nuts. The overall docs around linking and drilldown could use another rewrite and I'll break down and do that soon.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@nick, i have sideview 2.5 and still i didn't find drilldown from chart to chart or chart to table. can you please add that in next release?
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In Sideview Utils 2.0 (Note that 2.0 is no longer distributed under free licensing), the FlashChart and JSChart also have the same $click.fields.fieldName$ tokens that the SimpleResultsTable has. You're right though, the example page only uses tables. I'll add another exampel to 2.0. In the meantime You can write it yourself by following these steps:
1) build it using a SimpleResultsTable, but use only click.value / click.name2
2) Then replace the SimpleResultsTable with FlashChart or JSChart. the click.value/click.name2 behavior is identical across those 3 modules.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@nick, do you have any examples of drilling down from one chart to another? The examples in Sideview all use tables, and I wasn't sure of the syntax to modify parameters/search when "row" and "cell" don't really make sense.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I figured it out. To pass only the time value I used intention. I removed one of the search terms from the original search and used intention with the addterm parameter to add it back into the search criteria. I really didn't need the $click.value$. I replaced that with a static value.
See code below.
<module name="ConvertToIntention">
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="app_name">"YRI *MW*"</param>
</param>
</param>
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
Splunk APM: New Product Features + Community Office Hours Recap!
