Re: Drilldown condition

yuvasree · ‎10-01-2022

I have a bar chart stacked graph with time on X-axis and Success, failure count stacked on Y axis.

when i click on the success count, it needs to display the table with success transaction details. same for failure count as well.

As of now i am passing the earliest and latest time from the bar chart with the below condition.

<eval token="e">$click.value$</eval>
<eval token="le">relative_time($click.value$, "+60m")</eval>

I have 2 panel described as Show_Success and Show_failure. Can someone help me how to set the token to pass the value for the panel to show depends on the click for success or failure.

ITWhisperer · ‎10-03-2022

$click.name2$

bowesmana · ‎10-02-2022

There are additional click tokens, $click.name2$, which is the Y axis data name, e.g. (success count/failure count) and $click.value2$, which is the value of the Y element clicked. So, this type of logic in the drilldown would set appropriate tokens, which can be used for 'depends="$xx$"'

          <eval token="success">if($click.name2$="successCount", "true", null())</eval>
          <eval token="failure">if($click.name2$="failureCount", "true", null())</eval>
          <set token="value">$click.value2$</set>

I have field names successCount and failureCount and am comparing click.name2 to the field clicked and set that to true if it's clicked or effectively unset that field (null()) if it's not clicked.

However, do you actually need two panels, could a single panel perform the same logic for both success and failure, just with some additional token setting in the drilldown.

yuvasree · ‎10-03-2022

@bowesmana Thanks. It worked actually, I tried as a single panel.

When i view the bar graph for 1 month, it is showing as 1 hour bar chart graph as in query i gave it as span=1h.

Is there any possible way if i click more than a week it needs to show the count for the day.

bowesmana · ‎10-03-2022

You can do this either by having an input where the user can select the span, with the detail 1h and you can use that token in the chart, e.g. timechart $span$ or you can have another search that is a hidden dashboard search what calculates the search window selected and then calculated an appropriate span period as you want, e.g. see this example where the hidden search calculates span depends on the time picker, with

less than 1d=1h
less than 7d=12h
otherwise 1d

<form>
  <label>tst1</label>
  <init>
    <set token="span">span=1h</set>
  </init>
  <search>
    <query>
      | makeresults
      | addinfo
      | eval period=info_max_time-info_min_time
      | eval span=case(period &lt;= 86400, "span=1h", period &lt;= (86400 * 7), "span=12h", 1==1, "span=1d")
    </query>
    <done>
      <set token="span">$result.span$</set>
    </done>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="time_token" searchWhenChanged="true">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Span=$span$</title>
      <chart>
        <search>
          <query>| makeresults count=1000
          | eval _time=now() - (random() % (30 * 86400))
          | timechart $span$ count
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>

Drilldown condition- How to set the token to pass the value for the panel to show depending?

drilldown

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM