Solved: Display data from two rows when using drilldown

Splunk_noobie · ‎03-27-2021

Hi All,

I have a table with 5 rows as shown below.

Report      Count     Comments
Report 1    22         abc
Report 2    786        def
Report 3    10,037     ghi
Report 4    719        jkl

When I click on any row, it displays data for that row using the <option name="drilldown">row</option> in my template like this :

Hi Team,
According to our splunk logs below are the top reports having high count:

Report: Report1
Comment: abc
Count: 22

If you have any questions please feel free to contact us.

Regards

Support Team

---------END of my display message----------

Now when i click 2nd row(after clicking the first row) I want 2nd row data also to be displayed along with the above results so that the output looks like this:

Hi Team,
According to our splunk logs below are the top reports having high count:

Report: Report1
Comment: abc
Count: 22

Report: Report2
Comment: def
Count: 786

If you have any questions please feel free to contact us.

Regards

Support Team

---------END of my display message----------

This is the code i have used :

<row> 
<panel> 
<table> 
<title>click a row for more details</title> 
<search base="main_search"> <query>| table reportName count comments</query> 
</search> 
<option name="count">10</option> 
<option name="dataOverlayMode">none</option> 
<option name="drilldown">row</option> 
<option name="refresh.display">progressbar</option>
 <option name="rowNumbers">false</option> 
<option name="wrap">true</option> 
<fields>$table_fields$</fields> 
<drilldown> 
<eval token="customer_comment_en"> 
" Report: ".$ReportId$." 
Count: ".$count$." 
Comments: ".$comment$." 
" 
</eval> 
<set token="drilldown_display">block</set> 
</drilldown> 
</table> 
</panel> 
</row> 
<row depends="$drilldown_display$"> 
<panel> <html> <h1 class="SectionHeader">Customer Communication</h1> <div style="float:left; width:calc(95% - 50px);" class="pageInfo"> 
<pre> 
Hi Team, According to our splunk logs below are the top reports having high count: 
$customer_comment_en$ 

If you have any questions please feel free to contact us. 
Regards Support Team 
</pre> 
</div> 
</html> 
</panel> 
<panel>

Basically i want to access data for not just one row, but multiple rows when i click on them and display

Can anyone help?

ITWhisperer · ‎03-31-2021

Try removing the extra newline after $customer_comment_en$.

<eval token="customer_comment_en">if(isnull($customer_comment_en$),"
jobId : ".$row.jobId$."
User ID : ".$row.userId$."
",$customer_comment_en$."
jobId : ".$row.jobId$."
User ID : ".$row.userId$."
")
</eval>

View solution in original post

Splunk_noobie · ‎03-31-2021

Perfecto @ITWhisperer That feeling after you work on a problem for days and finally it works !!!!

Just another quick question if you could help?

I have a panel displaying tabular data.

I want to display the top 3 rows from that table in my template block. How do we achieve this?

Let me know if you want me to create a separate thread for this.

ITWhisperer · ‎03-31-2021

I think you need a separate thread for this, partly so that you (and others) will know when there is a solution.

However, what is wrong with the table visualisation with the query limited to 3 results (head 3)?

ITWhisperer · ‎03-27-2021

<drilldown> 
<eval token="customer_comment_en">$customer_comment_en$. 
" Report: ".$ReportId$." 
Count: ".$count$." 
Comments: ".$comment$." 
" 
</eval> 
<set token="drilldown_display">block</set> 
</drilldown>

Splunk_noobie · ‎03-31-2021

Hi @ITWhisperer

Thanks for the quick turnaround. I guess you got my question wrong. The intention here is

-> jobId : ".$row.jobId$." gives me the result of the row I clicked ( which is easy and common to implement)

jobId: 7828978761cjk

-> Now when I click another row from the table, I want that result to be added to the previous data

jobId: 7828978761cjk (result from the previous click)

jobId: 9887521348typ (result from current click)

Is there any ".$row2.jobId$." function that I can use?

ITWhisperer · ‎03-31-2021

I guess you got my answer wrong! The eval in the drilldown takes the current contents of the token and dot-appends the new data

<eval token="customer_comment_en">$customer_comment_en$.

Splunk_noobie · ‎03-31-2021

@ITWhisperer Got your point. That's a really good solution 😄

I just tried adding the red text below as suggested by you in my dashboard and it doesn't work. Any thoughts?

<drilldown target="_blank">
<eval token="customer_comment_en">$customer_comment_en$.
"
jobId : ".$row.jobId$."
User ID : ".$row.userId$."
"
</eval>

<set token="drilldown_display">block</set>

</drilldown>

<row depends="$drilldown_display$">
<panel> 
<html>
<h1 class="SectionHeader">Case Updation Template </h1>
<div style="float:left; width:calc(95% - 100px);" class="pageInfo">
<pre>
Hi Team,

Please check the below data from our query:
$customer_comment_en$

</pre>

</div>
</html>
</panel>

</row>

ITWhisperer · ‎03-31-2021

OK it looks like we need to deal with the situation where the token is null

<eval token="customer_comment_en">if(isnull($customer_comment_en$),"
jobId : ".$row.jobId$."
User ID : ".$row.userId$."
",$customer_comment_en$. 
"
jobId : ".$row.jobId$."
User ID : ".$row.userId$."
")
</eval>

Splunk_noobie · ‎03-31-2021

@ITWhisperer Yep. Agree with logic. It's a good one,

but the only output in my template block is :

Hi Team,

Please check the below data from our query: 
$customer_comment_en$

ITWhisperer · ‎03-31-2021

Try removing the extra newline after $customer_comment_en$.

<eval token="customer_comment_en">if(isnull($customer_comment_en$),"
jobId : ".$row.jobId$."
User ID : ".$row.userId$."
",$customer_comment_en$."
jobId : ".$row.jobId$."
User ID : ".$row.userId$."
")
</eval>

Display data from two rows when using drilldown

drilldown

panel

simple XML

token

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases