Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Drilldown condition- How to set the token to pass the value for the panel to show depending?

yuvasree
Explorer
‎10-01-2022 10:15 AM

I have a bar chart stacked graph with time on X-axis and Success, failure count stacked on Y axis.

when i click on the success count, it needs to display the table with success transaction details. same for failure count as well. 

As of now i am passing the earliest and latest time from the bar chart with the below condition.

<eval token="e">$click.value$</eval>
<eval token="le">relative_time($click.value$, "+60m")</eval>

I have 2 panel described as Show_Success and Show_failure. Can someone help me how to set the token to pass the value for the panel to show depends on the click for success or failure. 

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-03-2022 12:50 AM 
$click.name2$
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-02-2022 07:33 PM

There are additional click tokens, $click.name2$, which is the Y axis data name, e.g. (success count/failure count) and $click.value2$, which is the value of the Y element clicked. So, this type of logic in the drilldown would set appropriate tokens, which can be used for 'depends="$xx$"' 

          <eval token="success">if($click.name2$="successCount", "true", null())</eval>
          <eval token="failure">if($click.name2$="failureCount", "true", null())</eval>
          <set token="value">$click.value2$</set>

I have field names successCount and failureCount and am comparing click.name2 to the field clicked and set that to true if it's clicked or effectively unset that field (null()) if it's not clicked.

However, do you actually need two panels, could a single panel perform the same logic for both success and failure, just with some additional token setting in the drilldown.

0 Karma
Reply

yuvasree
Explorer
‎10-03-2022 01:46 AM

@bowesmana  Thanks. It worked actually, I tried as a single panel. 

When i view the bar graph for 1 month, it is showing as 1 hour bar chart graph as in query i gave it as span=1h.

Is there any possible way if i click more than a week it needs to show the count for the day.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-03-2022 04:53 PM

You can do this either by having an input where the user can select the span, with the detail 1h and you can use that token in the chart, e.g. timechart $span$ or you can have another search that is a hidden dashboard search what calculates the search window selected and then calculated an appropriate span period as you want, e.g. see this example where the hidden search calculates span depends on the time picker, with 

  • less than 1d=1h
  • less than 7d=12h
  • otherwise 1d
<form>
  <label>tst1</label>
  <init>
    <set token="span">span=1h</set>
  </init>
  <search>
    <query>
      | makeresults
      | addinfo
      | eval period=info_max_time-info_min_time
      | eval span=case(period &lt;= 86400, "span=1h", period &lt;= (86400 * 7), "span=12h", 1==1, "span=1d")
    </query>
    <done>
      <set token="span">$result.span$</set>
    </done>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="time_token" searchWhenChanged="true">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Span=$span$</title>
      <chart>
        <search>
          <query>| makeresults count=1000
          | eval _time=now() - (random() % (30 * 86400))
          | timechart $span$ count
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...