Dashboards & Visualizations

Custom Drill-down from Total Row

Communicator

I have a statistic table showed below.

vendor        low     medium       high
----------    -----   ------------ -------
V1            1       2             3
V2            2       4             5
Total         3       6             8

I set up a custom drill-down, for instance, for the vendor column, how can I set up a condition when clicked "Total" and it passes "*" to the custom drill-down? Thanks.

<drilldown>
     <link field="vendor">
         /app/my_app/details?form.vendor=$row.vendor$
     </link>
</drilldown>
0 Karma
1 Solution

SplunkTrust
SplunkTrust

alt text
Please try the following to default the vendor form token to asterix * in case clicked field value is Total. Assuming your app name is my_app and view name is details

<drilldown>
  <condition match="$row.vendor$==&quot;Total&quot;">
    <link>/app/my_app/details?form.vendor=*</link>
  </condition>
  <condition>
    <link>/app/my_app/details?form.vendor=$row.vendor$</link>
  </condition>
</drilldown>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

SplunkTrust
SplunkTrust

alt text
Please try the following to default the vendor form token to asterix * in case clicked field value is Total. Assuming your app name is my_app and view name is details

<drilldown>
  <condition match="$row.vendor$==&quot;Total&quot;">
    <link>/app/my_app/details?form.vendor=*</link>
  </condition>
  <condition>
    <link>/app/my_app/details?form.vendor=$row.vendor$</link>
  </condition>
</drilldown>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Communicator

The condition is never triggered.

0 Karma

SplunkTrust
SplunkTrust

You column name is vendor right?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

SplunkTrust
SplunkTrust

Following is a run anywhere example just change the App Name and Dashboard Name. In fact even if you do not have right app and dashboard you should be able to see the values being sent as Selected vendor column value or asterisk in case the same is Total.

    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd
| eval vendor=log_level
| stats count by vendor
| addcoltotals labelfield=vendor</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <drilldown>
          <condition match="$row.vendor$==&quot;Total&quot;">
            <link>app/<myappname>/<MyTestDashboard>/form.Vendor=*</link>
          </condition>
          <condition>
            <link>app/<myappname>/<MyTestDashboard>/form.Vendor=$row.vendor$</link>
          </condition>
        </drilldown>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>

If you want to test out whether the tokens are being set properly instead of link you can use set or eval for the same and print out the token using html

<eval token="SelectedField">if($row.vendor=="Total","*",$row.vendor)</eval>

Following is example of html section.

Selected Field Name: $SelectedField$

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Communicator

Still ... the total is never triggered.

0 Karma

SplunkTrust
SplunkTrust

I have attached a screenshot with Total clicked and some other value clicked and printed using the following code. Can you try the following code? Can you ensure that you have your field value being tested for row.vendor is placed under dollar sign? Also the double quote in condition block should be escaped as written in the query. Value of Total being matched is case sensitive so if you are printing Total in loswer case you should mention the same as $row.vendor$. (Field Names are always case sensitive, so make sure vendor is lower case not upper. Try out the following code as it should run anywhere(query is on Splunk's _internal index so as far as you have access to query the same it should work.)

     <panel>
       <table>
         <search>
           <query>index=_internal sourcetype=splunkd
 | eval vendor=log_level
 | stats count by vendor
 | addcoltotals labelfield=vendor</query>
           <earliest>-60m@m</earliest>
           <latest>now</latest>
           <sampleRatio>1</sampleRatio>
         </search>
         <drilldown>
           <condition match="$row.vendor$==&quot;Total&quot;">
             <set token="myTest">form.Vendor=*</set>
           </condition>
           <condition>
             <set token="myTest">form.Vendor=$row.vendor$</set>
           </condition>
         </drilldown>
         <option name="count">20</option>
         <option name="dataOverlayMode">none</option>
         <option name="drilldown">cell</option>
         <option name="percentagesRow">false</option>
         <option name="rowNumbers">false</option>
         <option name="totalsRow">false</option>
         <option name="wrap">true</option>
       </table>
       <html>
         <p>My Test Token=$myTest$</p>
       </html>
     </panel>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

SplunkTrust
SplunkTrust

@splunkrocks2014 Were you able to try the example provided?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Communicator

Hi niketnilay,

Thank you very much for your help.

I think I found the problem. The root cause is we use the older version of Splunk (6.3.5) which does not work at all; however, it works perfectly for the version 6.5.2. I have to look if there are any alternates. Thanks again.

Communicator

That's correct.

It works if clicked on a non-total cell. Also, I removed the second condition and directly clicked on "Total", and it just ran the default Splunk query.

0 Karma