Drilldown condition match tag not working for query itself as a token

akarivaratharaj
Communicator

I am trying to make a drilldown in the same dashboard of Splunk Enterprise 6.4.2 version.
In panel1, there is a pie chart with two options, namely FileInspector and UMB. I am taking the input of the clicked value as a token "feature" from panel1 and passing it to panel2.
In the condition part, if my token $feature$ = "FileInspector", then I am setting Query1 itself as a token called "$querytocall$". If the token $feature$ = "UMB", then I am setting the other Query2 to the same token "$querytocall$".

At last I am passing that token "$querytocall$" itself as the search query for panel2. But this is not working. My panel2 is showing "waiting for input". Below is the code:

    <drilldown>
      <set token="feature">$click.value$</set>
    </drilldown>
  </chart>
</panel>
<panel depends="$feature$">
  <title>$feature$ - Exception From Hosts Details</title>
  <chart>
    <change>
      <condition match="$feature$ == &quot;FileInspector&quot; ">
        <set token="querytocall">index=x | rex "Caused by: (?P<exception>[^\"](.+?)(.+?):)" |stats count(exception) as "No of Occurences" by  host |  table host, "No of Occurences"</set>
      </condition>
      <condition match="$feature$ == &quot;UMB&quot; ">
        <set token="querytocall">index=y |stats count as "No of Occurences" by  host |  table host, "No of Occurences"</set>
      </condition>
    </change>
    <search>
      <query>$querytocall$</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>

Could anyone please help me on this.

1 Solution

rjthibod
Champion

This will not work as you have it, because there is no <change> handler for <chart>. You need to move the logic for <change> into the top-level drilldown section. Try this. Note, you have to use the HTML encoded versions of <, >, and " inside the token values. Already changed it for you.

    <drilldown>
      <condition match="$click.value$ == &quot;FileInspector&quot;">
        <set token="feature">$click.value$</set>
        <set token="querytocall">index=x | rex &quot;Caused by: (?P&lt;exception&gt;[^\&quot;](.+?)(.+?):)&quot; |stats count(exception) as &quot;No of Occurences&quot; by  host |  table host, &quot;No of Occurences&quot;</set>
      </condition>
      <condition match="$click.value$ == &quot;UMB&quot;">
        <set token="feature">$click.value$</set>
        <set token="querytocall">index=y |stats count as &quot;No of Occurences&quot; by  host |  table host, &quot;No of Occurences&quot;</set>
      </condition>
    </drilldown>
  </chart>
</panel>
<panel depends="$feature$">
  <title>$feature$ - Exception From Hosts Details</title>
  <chart>
    <search>
      <query>$querytocall$</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>

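Added example, not code from the thread or from Splunk: a small Python simulation of the mechanism the accepted answer describes. It parses a constructed dashboard fragment laid out like rjthibod's, applies the drilldown condition that matches the clicked pie slice, and resolves $querytocall$ in the dependent panel; it also shows that leaving < unencoded inside a <set> value breaks the XML itself. The first-match-wins rule and the shortened query text are assumptions.

```python
import re
import xml.etree.ElementTree as ET
# Constructed dashboard fragment laid out as in the accepted answer, entities encoded.
DASHBOARD_XML = r"""<dashboard><row>
  <panel><chart>
    <drilldown>
      <condition match="$click.value$ == &quot;FileInspector&quot;">
        <set token="feature">$click.value$</set>
        <set token="querytocall">index=x | rex &quot;Caused by: (?P&lt;exception&gt;[^\&quot;](.+?):)&quot; | stats count(exception) as &quot;No of Occurences&quot; by host</set>
      </condition>
      <condition match="$click.value$ == &quot;UMB&quot;">
        <set token="feature">$click.value$</set>
        <set token="querytocall">index=y | stats count as &quot;No of Occurences&quot; by host</set>
      </condition>
    </drilldown>
  </chart></panel>
  <panel depends="$feature$"><chart>
    <search><query>$querytocall$</query></search>
  </chart></panel>
</row></dashboard>"""
# The asker's version left <exception> raw inside the token value, which is not well-formed XML.
BROKEN_XML = DASHBOARD_XML.replace("&lt;exception&gt;", "<exception>")
TOKEN_RE = re.compile(r"\$([\w.]+)\$")
MATCH_RE = re.compile(r'\s*\$([\w.]+)\$\s*==\s*"([^"]*)"\s*')  # the form $token$ == "literal"

def substitute(text, tokens):
    # Replace each $name$ with its value; tokens that are not set stay unresolved.
    return TOKEN_RE.sub(lambda m: tokens.get(m.group(1), m.group(0)), text)

def is_well_formed(xml_text):
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def simulate_click(xml_text, click_value):
    # Returns (tokens after the click, resolved query of the dependent panel, or None if it stays hidden).
    root = ET.fromstring(xml_text)  # a ParseError here means < or & was left unencoded
    tokens = {"click.value": click_value}
    for cond in root.iter("condition"):
        m = MATCH_RE.fullmatch(cond.get("match"))
        if m and tokens.get(m.group(1)) == m.group(2):
            for s in cond.findall("set"):
                tokens[s.get("token")] = substitute(s.text, tokens)
            break  # assumed: the first matching condition wins
    panel = root.find(".//panel[@depends]")
    if TOKEN_RE.search(panel.get("depends")).group(1) not in tokens:
        return tokens, None  # depends token unset: the panel shows "waiting for input"
    return tokens, substitute(panel.find("./chart/search/query").text, tokens)
```

A click value that matches no condition leaves $feature$ unset, which is exactly the "waiting for input" state the question describes.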


akarivaratharaj
Communicator

Hi rjthibod,

Thank you so much for your response.

It is working now.
