Dashboards & Visualizations

Cell drilldown sending null

caphrim007
Path Finder

I was reading the docs here

and trying to get cell drilldown to work, but not having much luck. I set the value of drilldown to "all" and to "cell" but in either case, the search that is created places "null" in the stringreplace'd search.

Here's the advanced xml I have so far.

          <module name="SimpleResultsTable" layoutPanel="panel_row1_col1">
            <param name="drilldown">cell</param>
            <param name="displayRowNumbers">False</param>
            <module name="HiddenSearch" layoutPanel="panel_row1_col2">
              <param name="search">Successful NOT 172.16.12.* (sourceNetworkAddress != "-" AND sourceNetworkAddress != "127.0.0.1") | lookup dnsLookup ip AS sourceNetworkAddress OUTPUTNEW host AS hostname | stats values(username) as Users by sourceNetworkAddress, hostname | sort -Users | search hostname="$hostname$" | mvexpand Users | table Users</param>
              <module name="ConvertToIntention">
                <param name="intention">
                  <param name="name">stringreplace</param>
                  <param name="arg">
                    <param name="hostname">
                      <param name="value">$click.value$</param>
                    </param>
                  </param>
                </param>
                <module name="SimpleResultsTable" layoutPanel="panel_row1_col2"/>
              </module>
            </module>
          </module>

When I look at the job that is fired off though, I see this

...| sort -Users | search hostname="null" | mvexpand Users |...

Scratching my head trying to figure out how I can get the clicked value into my intention.

The output from the hidden search above it is a table looks like this

sourceNetworkAddress hostname dcUserCnt

172.16.12.234 host3.site.org 2

172.16.12.204 host2.site.org 1

172.16.12.205 host1.site.org 1

And is created with the hidden search

<param name="search">Successful NOT 172.16.12.* (sourceNetworkAddress != "-" AND sourceNetworkAddress != "127.0.0.1") | lookup dnsLookup ip AS sourceNetworkAddress OUTPUTNEW host AS hostname | stats dc(username) as dcUserCnt by sourceNetworkAddress, hostname | sort -dcUserCnt | search hostname="$hostname$"</param>
Tags (2)
0 Karma
1 Solution

sideview
SplunkTrust
SplunkTrust

Well, '$click.value$' is always the cell value from the first column.

Assuming you have a search like

chart avg(duration) over user by host

and you click on a cell within a table configured with 'cell' drilldown, here's the full description of the keys available downstream:

$click.name$   -- the name of the first column (ie host)
$click.value$  -- the value of the first column, in the row you clicked upon. (bob)
$click.name2$  -- the name of the column clicked upon  (ie host172)
$click.value2$ -- the string value of the cell clicked  upon (ie 95.42)

So perhaps the first column of this table for some reason is actually blank? that's the only thing I can think of. Or maybe it's _time because _time values from chart/table drilldown cannot be used in stringreplace intentions (obscure but known limitation of custom drilldown wiring).

View solution in original post

sideview
SplunkTrust
SplunkTrust

Well, '$click.value$' is always the cell value from the first column.

Assuming you have a search like

chart avg(duration) over user by host

and you click on a cell within a table configured with 'cell' drilldown, here's the full description of the keys available downstream:

$click.name$   -- the name of the first column (ie host)
$click.value$  -- the value of the first column, in the row you clicked upon. (bob)
$click.name2$  -- the name of the column clicked upon  (ie host172)
$click.value2$ -- the string value of the cell clicked  upon (ie 95.42)

So perhaps the first column of this table for some reason is actually blank? that's the only thing I can think of. Or maybe it's _time because _time values from chart/table drilldown cannot be used in stringreplace intentions (obscure but known limitation of custom drilldown wiring).

caphrim007
Path Finder

Captain Obvious to the rescue here; duh Tim. Thanks nick, value was indeed the value of the first column, value2 the next, etc. Dunno how I missed that : )

0 Karma
Get Updates on the Splunk Community!

Events has wrong timestamp, How to correct time config?

Hello Splunkers,&nbsp;I've an issue with my event time configuration. It has incorrect timestamp. Below are my ...

Maximize the Value from Microsoft Defender with Splunk

<P style=" text-align: center; "><span class="lia-inline-image-display-wrapper lia-image-align-center" ...

What is the use drop_dm_object_name() clause in a query with tstats.?

I am trying to find out what purpose drop_dm_object_name() serves.