Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Drilldown condition- How to set the token to pass the value for the panel to show depending?

yuvasree
Explorer
‎10-01-2022 10:15 AM

I have a bar chart stacked graph with time on X-axis and Success, failure count stacked on Y axis.

when i click on the success count, it needs to display the table with success transaction details. same for failure count as well. 

As of now i am passing the earliest and latest time from the bar chart with the below condition.

<eval token="e">$click.value$</eval>
<eval token="le">relative_time($click.value$, "+60m")</eval>

I have 2 panel described as Show_Success and Show_failure. Can someone help me how to set the token to pass the value for the panel to show depends on the click for success or failure. 

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-03-2022 12:50 AM 
$click.name2$
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-02-2022 07:33 PM

There are additional click tokens, $click.name2$, which is the Y axis data name, e.g. (success count/failure count) and $click.value2$, which is the value of the Y element clicked. So, this type of logic in the drilldown would set appropriate tokens, which can be used for 'depends="$xx$"' 

          <eval token="success">if($click.name2$="successCount", "true", null())</eval>
          <eval token="failure">if($click.name2$="failureCount", "true", null())</eval>
          <set token="value">$click.value2$</set>

I have field names successCount and failureCount and am comparing click.name2 to the field clicked and set that to true if it's clicked or effectively unset that field (null()) if it's not clicked.

However, do you actually need two panels, could a single panel perform the same logic for both success and failure, just with some additional token setting in the drilldown.

0 Karma
Reply

yuvasree
Explorer
‎10-03-2022 01:46 AM

@bowesmana  Thanks. It worked actually, I tried as a single panel. 

When i view the bar graph for 1 month, it is showing as 1 hour bar chart graph as in query i gave it as span=1h.

Is there any possible way if i click more than a week it needs to show the count for the day.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-03-2022 04:53 PM

You can do this either by having an input where the user can select the span, with the detail 1h and you can use that token in the chart, e.g. timechart $span$ or you can have another search that is a hidden dashboard search what calculates the search window selected and then calculated an appropriate span period as you want, e.g. see this example where the hidden search calculates span depends on the time picker, with 

  • less than 1d=1h
  • less than 7d=12h
  • otherwise 1d
<form>
  <label>tst1</label>
  <init>
    <set token="span">span=1h</set>
  </init>
  <search>
    <query>
      | makeresults
      | addinfo
      | eval period=info_max_time-info_min_time
      | eval span=case(period &lt;= 86400, "span=1h", period &lt;= (86400 * 7), "span=12h", 1==1, "span=1d")
    </query>
    <done>
      <set token="span">$result.span$</set>
    </done>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="time_token" searchWhenChanged="true">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Span=$span$</title>
      <chart>
        <search>
          <query>| makeresults count=1000
          | eval _time=now() - (random() % (30 * 86400))
          | timechart $span$ count
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...