Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Drilldown condition- How to set the token to pass the value for the panel to show depending?

yuvasree
Explorer
‎10-01-2022 10:15 AM

I have a bar chart stacked graph with time on X-axis and Success, failure count stacked on Y axis.

when i click on the success count, it needs to display the table with success transaction details. same for failure count as well. 

As of now i am passing the earliest and latest time from the bar chart with the below condition.

<eval token="e">$click.value$</eval>
<eval token="le">relative_time($click.value$, "+60m")</eval>

I have 2 panel described as Show_Success and Show_failure. Can someone help me how to set the token to pass the value for the panel to show depends on the click for success or failure. 

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-03-2022 12:50 AM 
$click.name2$
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-02-2022 07:33 PM

There are additional click tokens, $click.name2$, which is the Y axis data name, e.g. (success count/failure count) and $click.value2$, which is the value of the Y element clicked. So, this type of logic in the drilldown would set appropriate tokens, which can be used for 'depends="$xx$"' 

          <eval token="success">if($click.name2$="successCount", "true", null())</eval>
          <eval token="failure">if($click.name2$="failureCount", "true", null())</eval>
          <set token="value">$click.value2$</set>

I have field names successCount and failureCount and am comparing click.name2 to the field clicked and set that to true if it's clicked or effectively unset that field (null()) if it's not clicked.

However, do you actually need two panels, could a single panel perform the same logic for both success and failure, just with some additional token setting in the drilldown.

0 Karma
Reply

yuvasree
Explorer
‎10-03-2022 01:46 AM

@bowesmana  Thanks. It worked actually, I tried as a single panel. 

When i view the bar graph for 1 month, it is showing as 1 hour bar chart graph as in query i gave it as span=1h.

Is there any possible way if i click more than a week it needs to show the count for the day.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-03-2022 04:53 PM

You can do this either by having an input where the user can select the span, with the detail 1h and you can use that token in the chart, e.g. timechart $span$ or you can have another search that is a hidden dashboard search what calculates the search window selected and then calculated an appropriate span period as you want, e.g. see this example where the hidden search calculates span depends on the time picker, with 

  • less than 1d=1h
  • less than 7d=12h
  • otherwise 1d
<form>
  <label>tst1</label>
  <init>
    <set token="span">span=1h</set>
  </init>
  <search>
    <query>
      | makeresults
      | addinfo
      | eval period=info_max_time-info_min_time
      | eval span=case(period &lt;= 86400, "span=1h", period &lt;= (86400 * 7), "span=12h", 1==1, "span=1d")
    </query>
    <done>
      <set token="span">$result.span$</set>
    </done>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="time_token" searchWhenChanged="true">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Span=$span$</title>
      <chart>
        <search>
          <query>| makeresults count=1000
          | eval _time=now() - (random() % (30 * 86400))
          | timechart $span$ count
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...