Dashboards & Visualizations

Can you help me make a drill down that shows advanced information about a specific person?

bogdan_nicolesc
Communicator

Hi all,

I need to make a drill down from a list, sending me to a dashboard for specific data.

In other words, I have a list of people that, when I click on a person, will send me to a dashboard showing data for that specific person. If anything I wrote makes sense...

Also, forgive me if I didn't chew through all the documentation prior to this question. It is a bit hard for me to understand it as I am just at the beginning of understanding Splunk.

Thank you.

0 Karma

renjith_nair
SplunkTrust

@bogdan_nicolescu

Refer to this doc - http://docs.splunk.com/Documentation/Splunk/7.2.0/Viz/DrilldownLinkToDashboard
Also, below is a run-anywhere example if it helps

Main Dashboard

<dashboard>
  <label>Drilldown Dashboards</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal|stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <link target="_blank">/app/search/detailed_dashboard?form.sourcetype=$click.value2$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

Detailed drill down dashboard

<form>
  <label>Detailed Dashboard</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="sourcetype">
      <label>sourcetype</label>
      <choice value="a">a</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=$sourcetype$|stats count by index,source</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Happy Splunking!
0 Karma

bogdan_nicolesc
Communicator

Ok, so I have some kind of results ...

I will post a recap as an answer for whoever finds this thread.

But now I have another problem ...

When I click on a name, it opens a new page, but it is waiting for input .... ?

"Search is waiting for input..."

Thank you.

0 Karma

renjith_nair
SplunkTrust

@bogdan_nicolescu, it's not that complicated if you just follow the initial example dashboard provided.

Now you need to have an input token in your detailed dashboard - textbox/dropdown/other inputs.

Or just add this to your second dashboard and also refer to the second XML provided in the answer. If you are in Splunk Slack (https://docs.splunk.com/Documentation/Community/1.0/community/Chat), I will be available (screen name: renjith)

  <fieldset submitButton="false">
    <input type="text" token="name_employee" >
      <label>Details of the Employee</label>
    </input>
  </fieldset>
Happy Splunking!
0 Karma

renjith_nair
SplunkTrust

form.sourcetype might not be needed if you don't have a sourcetype field, it's just my example.

So this should be your url in the drilldown - /app/search/~dashboard.name~?form.name_employee="$click.value$"

Bit surprised to see the search app here instead of splunk_app_db_connect as you had mentioned earlier, but if your second dashboard is in the search app, never mind!

Happy Splunking!
0 Karma

bogdan_nicolesc
Communicator

If I don't use the drop-down menu, the link shows like this:

/app/search/~dashboard.name~?form.name_employee="$click.value$"

But when I add it, it looks like this:

/app/search/~dashboard.name~?form.sourcetype=name1%20name2&form.name_employee=user2name1%20user2name2

But it is showing me the correct data.

And I use /app/search/ because it is easier for me to find, while if I was using /app/splunk_app_db_connect/ it was harder for me to find my dashboards. I need to have a bookmark for them.

0 Karma

renjith_nair
SplunkTrust

It does not matter which app you use. Just make sure that the app name in the link is updated to wherever your dashboard belongs. Do you have a "sourcetype" token in your second dashboard? If not, you don't need 'form.sourcetype'. If it's not working, would you mind sharing the XML? That will make it easy to guide. Remove any confidential data if there is any.

Happy Splunking!
0 Karma

bogdan_nicolesc
Communicator

Hi there,

I tried this:

<dashboard>
  <label>ESA</label>
  <description>Oameni</description>
  <row>
    <panel>
      <title>Lista</title>
      <table>
        <search>
          <query>| pivot Lista_angajati RootObject values(min_in) AS "Distinct Values of min_in" values(diff_time_in_out_min) AS "Distinct Values of diff_time_in_out_min" values(max_out) AS "Distinct Values of max_out" SPLITROW date_yyyymmdd AS date_yyyymmdd SPLITROW name_employee AS name_employee SORT 100 date_yyyymmdd ROWSUMMARY 0 COLSUMMARY 0 SHOWOTHER 1</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <link target="_blank">/app/splunk_app_db_connect/form.sourcetype=$click.value$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

And it doesn't work well. I get some type of errors.

Thnx.

0 Karma

renjith_nair
SplunkTrust

@bogdan_nicolescu,

form.sourcetype should be replaced by the target dashboard's token name. For example, assume that your dashboards are running in splunk_app_db_connect and the field name is name_employee. Then the target should have a visualization that has a token reference - let's say $name_employee$. So this drilldown will be

<link target="_blank">/app/splunk_app_db_connect/dashboard_name?form.name_employee=$click.value$</link>

Happy Splunking!
0 Karma

bogdan_nicolesc
Communicator

Ok, but .... how do I connect this to a dashboard made to show a column graph for a couple of days ...

Thnx.

0 Karma

bogdan_nicolesc
Communicator

I have this for the next dashboard:

(index=* OR index=_*) (index=db_esa sourcetype=DB_ESA_log source=EDSA_PROD)
| rename access_permited AS RootObject.access_permited avg_time_mi AS RootObject.avg_time_mi created_date AS RootObject.created_date date_dd AS RootObject.date_dd date_ddmmyyyy AS RootObject.date_ddmmyyyy date_mm AS RootObject.date_mm date_yyyy AS RootObject.date_yyyy date_yyyymmdd AS RootObject.date_yyyymmdd diff_time_in_out_min AS RootObject.diff_time_in_out_min first_name AS RootObject.first_name last_name AS RootObject.last_name location AS RootObject.location max_out AS RootObject.max_out min_in AS RootObject.min_in name_employee AS RootObject.name_employee qr_code AS RootObject.qr_code reader_id AS RootObject.reader_id sum_time_mi AS RootObject.sum_time_mi trunc_created_date AS RootObject.trunc_created_date
| search "RootObject.name_employee"="*"
| fields "_time" "host" "source" "sourcetype" "RootObject.access_permited" "RootObject.avg_time_mi" "RootObject.created_date" "RootObject.date_dd" "RootObject.date_ddmmyyyy" "RootObject.date_mm" "RootObject.date_yyyy" "RootObject.date_yyyymmdd" "RootObject.diff_time_in_out_min" "RootObject.first_name" "RootObject.last_name" "RootObject.location" "RootObject.max_out" "RootObject.min_in" "RootObject.name_employee" "RootObject.qr_code" "RootObject.reader_id" "RootObject.sum_time_mi" "RootObject.trunc_created_date"
0 Karma

renjith_nair
SplunkTrust

@bogdan_nicolescu,
Change the below in the above search and try clicking from the first dashboard

search "RootObject.name_employee"="*"
to
search "RootObject.name_employee"="$name_employee$"

Happy Splunking!
0 Karma

bogdan_nicolesc
Communicator

Did that and I get an error.

Thnx.

0 Karma

renjith_nair
SplunkTrust

Where is the error - in the dashboard or the search, and what's the error?

Happy Splunking!
0 Karma

bogdan_nicolesc
Communicator

When I click on a name, it opens a new page with error 404 and also the Buttercup pony. Don't forget about Buttercup 🙂

Thnx.

0 Karma

renjith_nair
SplunkTrust

Ha ha, Buttercup is trying to find the pages and is not able to find them! Most probably your dashboard/app name is wrong and Splunk is not able to find it. Are these dashboards (main & drilldown) in the same app? Can you verify the app name and dashboard name in the drilldown?

Happy Splunking!
0 Karma

bogdan_nicolesc
Communicator

Is there any problem if these dashboards are shared? They were created in splunk_db_connect and shared with everyone.

Do I need to create new ones from scratch?

Thnx

0 Karma

renjith_nair
SplunkTrust

Nope, it does not matter if it's shared. The 404 is because either the dashboard name is incorrect or there are some characters unknowingly added to the drilldown link. Would you mind pasting the drilldown link if there is no confidential string in it?

Happy Splunking!
0 Karma

bogdan_nicolesc
Communicator

This one: /app/splunk_app_db_connect/form.name_employee=$click.value$ ???!

If I edit it, I get this:

/en-US/app/splunk_app_db_connect/form.name_employee=$name_employee$

0 Karma

renjith_nair
SplunkTrust

So here is the problem - in the drilldown link, you have to include the dashboard name as well, followed by ? to pass the parameter. Have a look at the XMLs provided in the answer. Replace your_target_dashboard_name_here with your target dashboard name.

/app/splunk_app_db_connect/your_target_dashboard_name_here?form.name_employee=$click.value$
Happy Splunking!
0 Karma
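
The configuration the thread converges on, written out as an added example that is not code from either poster: the source table's drilldown element and a complete target form for name_employee, using the row.<fieldname> drilldown token and the |u and |s token filters so the clicked name is URL-encoded in the link and quoted in the search. The dashboard ID employee_detail and the per-day stats aggregation are assumptions; the app, index, sourcetype, source and field names are the ones posted above.

```xml
<!-- Source dashboard: only the table's <drilldown> element changes.
     $row.name_employee$ is the name_employee cell of the clicked row,
     whichever column was clicked; |u URL-encodes it for the query string.
     "employee_detail" is a hypothetical target dashboard ID. -->
<drilldown>
  <link target="_blank">/app/splunk_app_db_connect/employee_detail?form.name_employee=$row.name_employee|u$</link>
</drilldown>

<!-- Target dashboard (hypothetical ID employee_detail), saved in the same app. -->
<form>
  <label>Employee detail</label>
  <fieldset submitButton="false">
    <!-- The token name must match the form.<token> parameter in the link;
         without this input the search stays at "waiting for input". -->
    <input type="text" token="name_employee">
      <label>Details of the Employee</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <!-- |s wraps the token value in quotes and escapes embedded quotes,
               so the URL parameter is used as one field value, not as SPL.
               The stats clause (minutes per day) is an assumed aggregation. -->
          <query>index=db_esa sourcetype=DB_ESA_log source=EDSA_PROD name_employee=$name_employee|s$ | stats sum(diff_time_in_out_min) AS minutes_on_site BY date_yyyymmdd</query>
          <earliest>0</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>
```

Because the form token can be set by anyone who edits the URL, the |s filter is the part to keep when adapting this: it ensures the value reaches the search as a single quoted string.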