
Dashboard Drill-down not working correctly with conditions

mal81394
New Member

Hey all, I am trying to make a conditional drill down for a table. The problem is it only ever picks up the hostname condition by itself. The severity condition it acts like it is not even there. For example, the hostname when clicked will open a new tab, when clicked on a severity it just runs the auto search and completely bypasses the condition that is set. Is there something wrong with my XML? I am a bit of a novice at this...

        <condition field="severity">
        <set token="selected_severity">$click.name2$</set>
        <set token="selected_hostname">$click.value$</set>

      <link target="_blank">search?q=index=NIM sourcetype=message  severity!=clear severity!=severity  hostname=$selected_hostname$ severity=$selected_severity$&amp;earliest=$TIME.earliest$&amp;latest=$TIME.latest$</link>
      </condition>

      <condition field="hostname">
        <set token="hostname">$click.value$</set>

      <link target="_blank">search?q=index=NIM sourcetype=message  severity!=clear severity!=severity  hostname=$selected_hostname$&amp;earliest=$TIME.earliest$&amp;latest=$TIME.latest$</link>

      </condition>

    </drilldown>

Thanks!

0 Karma
1 Solution

renjith_nair
SplunkTrust

Hi @mal81394,

Are you looking for something similar?

<dashboard>
  <label>Token Test for mal81394 </label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults  |eval hostname="myhostname",severity="myseverity"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <condition field="severity">
            <set token="selected_severity">$click.value2$</set>
            <set token="selected_hostname">$row.hostname$</set>
            <link target="_blank">search?q=index=myindex sourcetype=message  hostname=$selected_hostname$ severity=$selected_severity$</link>
          </condition>
          <condition field="hostname">
            <set token="selected_hostname">$row.hostname$</set>
            <link target="_blank">search?q=index=myindex sourcetype=message  hostname=$selected_hostname$</link>
          </condition>          
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

Or by changing the field, as mentioned in the comments

 <dashboard>
    <label>Token Test for mal81394 </label>
    <row>
      <panel>
        <table>
          <search>
            <query>| makeresults  |eval hostname="myhostname",critical=10</query>
            <earliest>-15m</earliest>
            <latest>now</latest>
          </search>
          <option name="count">10</option>
          <option name="drilldown">cell</option>
          <option name="refresh.display">progressbar</option>
          <drilldown>
            <condition field="critical">
              <set token="selected_hostname">$row.hostname$</set>
              <set token="selected_severity">$click.name2$</set>             
              <link target="_blank">search?q=index=myindex sourcetype=message  hostname=$selected_hostname$ severity="$selected_severity$"</link>
            </condition>
            <condition field="hostname">
              <set token="selected_hostname">$row.hostname$</set>
              <link target="_blank">search?q=index=myindex sourcetype=message  hostname=$selected_hostname$</link>
            </condition>          
          </drilldown>
        </table>
      </panel>
    </row>
  </dashboard>
Happy Splunking!

0 Karma

mal81394
New Member

@renjith.nair, I tried just adding your answer on a new dashboard and it worked. I also answered my own question. It appears that having the referenced field as the column name works well. In my case I have a value of the severity field such as "critical" as a column name and counts underneath per hostname. I would like to be able to click on a count and open a search for that hostname with the specified column severity if that makes sense. How can I do that? Also, I apologize that your comments are missing...I accidentally deleted the wrong post. Let me know your thoughts on this...Thanks!

0 Karma

mal81394
New Member

@renjith.nair, or anyone have any idea how I can accomplish this?

0 Karma

renjith_nair
SplunkTrust

According to you, you are clicking on the column name "critical", and in your token evaluation you are comparing against the literal "severity". So none of your conditions match, because critical != severity.

If you want to make it work, you have to change to and so on or change the overall logic

<dashboard>
   <label>Token Test for mal81394 </label>
   <row>
     <panel>
       <table>
         <search>
           <query>| makeresults  |eval hostname="myhostname",critical=10</query>
           <earliest>-15m</earliest>
           <latest>now</latest>
         </search>
         <option name="count">10</option>
         <option name="drilldown">cell</option>
         <option name="refresh.display">progressbar</option>
         <drilldown>
           <condition field="critical">
             <set token="selected_hostname">$row.hostname$</set>
             <set token="selected_severity">$click.name2$</set>             
             <link target="_blank">search?q=index=myindex sourcetype=message  hostname=$selected_hostname$ severity="$selected_severity$"</link>
           </condition>
           <condition field="hostname">
             <set token="selected_hostname">$row.hostname$</set>
             <link target="_blank">search?q=index=myindex sourcetype=message  hostname=$selected_hostname$</link>
           </condition>          
         </drilldown>
       </table>
     </panel>
   </row>
 </dashboard>
Happy Splunking!
0 Karma

mal81394
New Member

@renjith.nair, Yes.....I just discovered this before you posted a reply. That worked perfectly!!! I just needed to change the reference field as you mentioned and now it works as it should. Thanks again for your help!!!

0 Karma

renjith_nair
SplunkTrust

@mal81394, glad that it worked! Please accept/upvote the answer to close the thread. Thanks

Happy Splunking!
0 Karma

mal81394
New Member

@renjith.nair, I tried what you did and it still does not act like the severity condition is even there. I will paste the full xml below. The hostname functions as it should as I had before but nothing else. Imagine a chart where severity is across the top and columns are "major" "critical", and then when I click on a cell I want it to reference the column header for "major" with the corresponding hostname of that row.

$TIME.earliest$
$TIME.latest$

20
cell


$row.hostname$

      <link target="_blank">search?q=index=NIM sourcetype=message hostname=$selected_hostname$&amp;earliest=$TIME.earliest$&amp;latest=$TIME.latest$</link>

      </condition>
       <condition field="severity">
        <set token="selected_severity">$click.value2$</set>
        <set token="selected_hostname">$row.hostname$</set>

      <link target="_blank">search?q=index=NIM sourcetype=message  severity!=clear severity!=severity  hostname=$selected_hostname$ severity=$selected_severity$&amp;earliest=$TIME.earliest$&amp;latest=$TIME.latest$</link>
      </condition>


    </drilldown>
  </table>
0 Karma

renjith_nair
SplunkTrust

@mal81394, trying to understand a little bit more on this,

You are setting the token selected_severity to $click.name2$, which is nothing but the field name itself, in this case "severity" (always a constant value), and the host token to $click.value$, which is always the leftmost column (if it's a table). If you want selected_severity to always be the value "severity", then you don't actually need the token.

Did you actually want to set selected_severity to $click.value2$?

Reference : http://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/PanelreferenceforSimplifiedXML#Predefined_dril...

Happy Splunking!
0 Karma

mal81394
New Member

@renjith.nair , so I need severity and hostname to work in their specified conditions. One has hostname by itself if someone were to click on a hostname then it would open a search on hostname. The other would be if someone clicked on a severity it would then open the severity for the hostname in the same row. So, it appears as I thought I don't quite understand what I am doing. I don't need to token but I thought that was how I had to set it up. So how can I get those (click.value and click.name2) to work like I want? What should the xml look like? I really appreciate your help!!!

0 Karma

renjith_nair
SplunkTrust

@mal81394, added as answer, please test and let me know in case you need further assistance.

Happy Splunking!
0 Karma
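
A small lint for the two defects visible in this thread, added here as an example and not code from either poster or from Splunk: a condition whose field names no rendered column, and a link that uses a token its own condition never sets. The function name, the SAMPLE fragment (condensed from the first post) and the column list are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Tokens Splunk fills in on a click; anything else must be set inside the
# condition or be defined elsewhere (e.g. a time input), passed as known_tokens.
PREDEFINED = re.compile(r"^(click\.(name|value)2?|row\..+|earliest|latest)$")
TOKEN = re.compile(r"\$([A-Za-z_][\w.]*)(?:\|[a-z]+)?\$")

def lint_drilldown(xml_text, columns, known_tokens=()):
    """Return findings for a <drilldown> fragment.

    columns: names of the columns the table actually renders (assumed known).
    known_tokens: tokens defined outside the drilldown, e.g. "TIME".
    """
    findings = []
    for cond in ET.fromstring(xml_text).iter("condition"):
        field = cond.get("field")
        if field and field not in columns:
            findings.append(f"condition field={field!r} matches no column {sorted(columns)}")
        defined = {s.get("token") for s in cond.findall("set")} | set(known_tokens)
        for link in cond.findall("link"):
            for name in TOKEN.findall(link.text or ""):
                if PREDEFINED.match(name) or name in defined or name.split(".")[0] in defined:
                    continue
                findings.append(f"condition field={field!r}: link uses ${name}$, not set in this condition")
    return findings

# Constructed sample: the first post's fragment, condensed and wrapped in <drilldown>.
SAMPLE = """<drilldown>
  <condition field="severity">
    <set token="selected_severity">$click.name2$</set>
    <set token="selected_hostname">$click.value$</set>
    <link target="_blank">search?q=index=NIM hostname=$selected_hostname$ severity=$selected_severity$&amp;earliest=$TIME.earliest$</link>
  </condition>
  <condition field="hostname">
    <set token="hostname">$click.value$</set>
    <link target="_blank">search?q=index=NIM hostname=$selected_hostname$&amp;earliest=$TIME.earliest$</link>
  </condition>
</drilldown>"""

if __name__ == "__main__":
    # Columns as described in the thread: hostname plus one column per severity value.
    for finding in lint_drilldown(SAMPLE, {"hostname", "critical", "major"}, ("TIME",)):
        print(finding)
```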