I need to make a drill down from a list, sending me to a dashboard for specific data.
In more words, I have a list of people that — when I click on a person — will send me to a dashboard showing data for that specific person. If anything I wrote makes sense...
Also, forgive me if I didn't chew through all the documentation prior to this question. It is a bit hard for me to understand it as I am just at the beginning of understanding Splunk.
Refer to this doc - http://docs.splunk.com/Documentation/Splunk/7.2.0/Viz/DrilldownLinkToDashboard
Also, below is a run-anywhere example if it helps
<dashboard>
  <label>Drilldown Dashboards</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal|stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <link target="_blank">/app/search/detailed_dashboard?form.sourcetype=$click.value2$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
Detailed drill down dashboard
<form>
  <label>Detailed Dashboard</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="sourcetype">
      <label>sourcetype</label>
      <choice value="a">a</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=$sourcetype$|stats count by index,source</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
OK, so I have some kind of results ...
I will post a recap as an answer for whoever finds this thread.
But now I have another problem ...
When I click on a name, it opens a new page, but it is waiting for input .... ?
"Search is waiting for input..."
@bogdan_nicolescu, it's not that complicated if you just follow the initial example dashboard provided.
Now you need to have an input token in your detailed dashboard - textbox/dropdown/other inputs.
Or just add this to your second dashboard and also refer to the second XML provided in the answer. If you are in Splunk Slack (https://docs.splunk.com/Documentation/Community/1.0/community/Chat), I will be available (screen name: renjith)
<fieldset submitButton="false">
  <input type="text" token="name_employee">
    <label>Details of the Employee</label>
  </input>
</fieldset>
form.sourcetype might not be needed if you don't have a sourcetype field, it's just my example.
So this should be your url in the drilldown - /app/search/~dashboard.name~?form.name_employee="$click.value$"
Bit surprised to see search app here instead of splunk_app_db_connect as you had mentioned earlier but if your second dashboard is in search app, never mind!
If I don't use the drop down menu, the link shows like this:
But when I add it, it looks like this:
But it is showing me the correct data.
And I use /app/search/ because it is easier for me to find it, while if I was using /app/splunk_app_db_connect/ it was harder for me to find my dashboards. I need to have a bookmark for them.
It does not matter which app you use. Just make sure that the app name in the link is updated to wherever your dashboard belongs. Do you have a "sourcetype" token in your second dashboard? If not, you don't need 'form.sourcetype'. If it's not working, would you mind sharing the XML? That will be easy to guide. Remove if there is any confidential data.
I tried this:
<dashboard>
  <label>ESA</label>
  <description>Oameni</description>
  <row>
    <panel>
      <title>Lista</title>
      <table>
        <search>
          <query>| pivot Lista_angajati RootObject values(min_in) AS "Distinct Values of min_in" values(diff_time_in_out_min) AS "Distinct Values of diff_time_in_out_min" values(max_out) AS "Distinct Values of max_out" SPLITROW date_yyyymmdd AS date_yyyymmdd SPLITROW name_employee AS name_employee SORT 100 date_yyyymmdd ROWSUMMARY 0 COLSUMMARY 0 SHOWOTHER 1</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <link target="_blank">/app/splunk_app_db_connect/form.sourcetype=$click.value$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
And it doesn't work well. I get some type of errors.
form.sourcetype should be replaced by the target dashboard's token name. For example, assume that your dashboards are running in splunk_app_db_connect and the field name is name_employee. Then the target should have a visualization with a token reference - let's say $name_employee$. So this drilldown will be
I have this for the next dashboard:
(index=* OR index=_*) (index=db_esa sourcetype=DB_ESA_log source=EDSA_PROD)
| rename access_permited AS RootObject.access_permited avg_time_mi AS RootObject.avg_time_mi created_date AS RootObject.created_date date_dd AS RootObject.date_dd date_ddmmyyyy AS RootObject.date_ddmmyyyy date_mm AS RootObject.date_mm date_yyyy AS RootObject.date_yyyy date_yyyymmdd AS RootObject.date_yyyymmdd diff_time_in_out_min AS RootObject.diff_time_in_out_min first_name AS RootObject.first_name last_name AS RootObject.last_name location AS RootObject.location max_out AS RootObject.max_out min_in AS RootObject.min_in name_employee AS RootObject.name_employee qr_code AS RootObject.qr_code reader_id AS RootObject.reader_id sum_time_mi AS RootObject.sum_time_mi trunc_created_date AS RootObject.trunc_created_date
| search "RootObject.name_employee"="*"
| fields "_time" "host" "source" "sourcetype" "RootObject.access_permited" "RootObject.avg_time_mi" "RootObject.created_date" "RootObject.date_dd" "RootObject.date_ddmmyyyy" "RootObject.date_mm" "RootObject.date_yyyy" "RootObject.date_yyyymmdd" "RootObject.diff_time_in_out_min" "RootObject.first_name" "RootObject.last_name" "RootObject.location" "RootObject.max_out" "RootObject.min_in" "RootObject.name_employee" "RootObject.qr_code" "RootObject.reader_id" "RootObject.sum_time_mi" "RootObject.trunc_created_date"
Change the below in the above search and try clicking from the first dashboard
Ha ha, Buttercup is trying to find the pages and is not able to find them! Most probably your dashboard/app name is wrong and Splunk is not able to find it. Are these dashboards (main & drilldown) in the same app? Can you verify the app name and dashboard name in the drilldown?
Nope, it does not matter if it's shared. The 404 is because either the dashboard name is incorrect or there are some characters unknowingly added to the drilldown link. Would you mind pasting the drilldown link if there is no confidential string in that?
So here is the problem - in the drilldown link, you have to include the dashboard name as well, followed by ? to pass the parameter. Have a look at the XMLs provided in the answer. Replace your_target_dashboard_name_here with your target dashboard name.
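
The pieces this thread converges on, put together as an added example (not code posted by any participant): a link of the form /app/app_name/dashboard_name?form.token=value, and a target form whose input token has the same name. Assumptions: your_target_dashboard_name_here stays a placeholder, the `stats` clauses and time range are illustrative, and `$row.name_employee$` is used so the employee name is passed whichever cell of the row is clicked.

```xml
<!-- Added example. File 1: the list dashboard (where the click happens). -->
<dashboard>
  <label>ESA</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=db_esa sourcetype=DB_ESA_log source=EDSA_PROD | stats count by date_yyyymmdd name_employee</query>
          <earliest>-7d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <!-- Shape: /app/APP/DASHBOARD?form.INPUT_TOKEN=VALUE
               $row.name_employee$ is the name_employee column of the clicked row;
               the |u filter URL-encodes it so spaces or & in a name stay inside the parameter. -->
          <link target="_blank">/app/splunk_app_db_connect/your_target_dashboard_name_here?form.name_employee=$row.name_employee|u$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

<!-- File 2: the target form, saved as your_target_dashboard_name_here in splunk_app_db_connect. -->
<form>
  <label>Employee details</label>
  <fieldset submitButton="false">
    <!-- The token name must equal the part after "form." in the link above. -->
    <input type="text" token="name_employee">
      <label>Details of the Employee</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- The |s filter wraps the value in quotes, so a name with spaces
               (or a hand-edited URL) is treated as one literal value, not extra SPL. -->
          <query>index=db_esa sourcetype=DB_ESA_log source=EDSA_PROD name_employee=$name_employee|s$ | stats count by date_yyyymmdd</query>
          <earliest>-7d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

If the token in the link and the token in the form do not match, the target search never receives a value and the panel stays at "Search is waiting for input...".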