Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Cell drilldown sending null

caphrim007
Path Finder
‎09-28-2010 07:38 PM

I was reading the docs here

and trying to get cell drilldown to work, but not having much luck. I set the value of drilldown to "all" and to "cell" but in either case, the search that is created places "null" in the stringreplace'd search.

Here's the advanced xml I have so far.

          <module name="SimpleResultsTable" layoutPanel="panel_row1_col1">
            <param name="drilldown">cell</param>
            <param name="displayRowNumbers">False</param>
            <module name="HiddenSearch" layoutPanel="panel_row1_col2">
              <param name="search">Successful NOT 172.16.12.* (sourceNetworkAddress != "-" AND sourceNetworkAddress != "127.0.0.1") | lookup dnsLookup ip AS sourceNetworkAddress OUTPUTNEW host AS hostname | stats values(username) as Users by sourceNetworkAddress, hostname | sort -Users | search hostname="$hostname$" | mvexpand Users | table Users</param>
              <module name="ConvertToIntention">
                <param name="intention">
                  <param name="name">stringreplace</param>
                  <param name="arg">
                    <param name="hostname">
                      <param name="value">$click.value$</param>
                    </param>
                  </param>
                </param>
                <module name="SimpleResultsTable" layoutPanel="panel_row1_col2"/>
              </module>
            </module>
          </module>

When I look at the job that is fired off though, I see this

...| sort -Users | search hostname="null" | mvexpand Users |...

Scratching my head trying to figure out how I can get the clicked value into my intention.

The output from the hidden search above it is a table looks like this

sourceNetworkAddress hostname dcUserCnt

172.16.12.234 host3.site.org 2

172.16.12.204 host2.site.org 1

172.16.12.205 host1.site.org 1

And is created with the hidden search 

<param name="search">Successful NOT 172.16.12.* (sourceNetworkAddress != "-" AND sourceNetworkAddress != "127.0.0.1") | lookup dnsLookup ip AS sourceNetworkAddress OUTPUTNEW host AS hostname | stats dc(username) as dcUserCnt by sourceNetworkAddress, hostname | sort -dcUserCnt | search hostname="$hostname$"</param>
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎09-28-2010 08:09 PM

Well, '$click.value$' is always the cell value from the first column.

Assuming you have a search like 

chart avg(duration) over user by host

and you click on a cell within a table configured with 'cell' drilldown, here's the full description of the keys available downstream:

$click.name$   -- the name of the first column (ie host)
$click.value$  -- the value of the first column, in the row you clicked upon. (bob)
$click.name2$  -- the name of the column clicked upon  (ie host172)
$click.value2$ -- the string value of the cell clicked  upon (ie 95.42)

So perhaps the first column of this table for some reason is actually blank? that's the only thing I can think of. Or maybe it's _time because _time values from chart/table drilldown cannot be used in stringreplace intentions (obscure but known limitation of custom drilldown wiring).

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎09-28-2010 08:09 PM

Well, '$click.value$' is always the cell value from the first column.

Assuming you have a search like 

chart avg(duration) over user by host

and you click on a cell within a table configured with 'cell' drilldown, here's the full description of the keys available downstream:

$click.name$   -- the name of the first column (ie host)
$click.value$  -- the value of the first column, in the row you clicked upon. (bob)
$click.name2$  -- the name of the column clicked upon  (ie host172)
$click.value2$ -- the string value of the cell clicked  upon (ie 95.42)

So perhaps the first column of this table for some reason is actually blank? that's the only thing I can think of. Or maybe it's _time because _time values from chart/table drilldown cannot be used in stringreplace intentions (obscure but known limitation of custom drilldown wiring).

Reply
Solved! Jump to solution

caphrim007
Path Finder
‎09-28-2010 08:22 PM

Captain Obvious to the rescue here; duh Tim. Thanks nick, value was indeed the value of the first column, value2 the next, etc. Dunno how I missed that : )

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...