Drilldown condition match tag not working for query itself as a token

Path Finder

I am trying to make a drilldown within the same dashboard in Splunk Enterprise version 6.4.2.
In panel1, there is a pie chart with two options, namely FileInspector and UMB. I am taking the clicked value as input, as a token "feature" from panel1, and passing it to panel2.
In the condition part, if my token $feature$ = "FileInspector", then I am setting Query1 itself as a token called "$querytocall$". If the token $feature$ = "UMB", then I am setting the other query, Query2, to the same token "$querytocall$".

Finally, I am passing that token "$querytocall$" itself as the search query for panel2. But this is not working. My panel2 is showing "waiting for the input". Below is the code:

    <drilldown>
      <set token="feature">$click.value$</set>
    </drilldown>
  </chart>
</panel>
<panel depends="$feature$">
  <title>$feature$ - Exception From Hosts Details</title>
  <chart>
    <change>
      <condition match="$feature$ == &quot;FileInspector&quot; ">
        <set token="querytocall">index=x | rex "Caused by: (?P<exception>[^\"](.+?)(.+?):)" |stats count(exception) as "No of Occurences" by  host |  table host, "No of Occurences"</set>
      </condition>
      <condition match="$feature$ == &quot;UMB&quot; ">
        <set token="querytocall">index=y |stats count as "No of Occurences" by  host |  table host, "No of Occurences"</set>
      </condition>
    </change>
    <search>
      <query>$querytocall$</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>

Could anyone please help me with this?

1 Solution

Champion

This will not work as you have it, because there is no <change> handler for <chart>. You need to move the logic for <change> into the top-level drilldown section. Try this. Note, you have to use the HTML encoded versions of <, >, and " inside the token values. Already changed it for you.

    <drilldown>
      <!-- Each clicked slice sets both the title token and the query token -->
      <condition match="$click.value$ == &quot;FileInspector&quot;">
        <set token="feature">$click.value$</set>
        <set token="querytocall">index=x | rex &quot;Caused by: (?P&lt;exception&gt;[^\&quot;](.+?)(.+?):)&quot; |stats count(exception) as &quot;No of Occurences&quot; by  host |  table host, &quot;No of Occurences&quot;</set>
      </condition>
      <condition match="$click.value$ == &quot;UMB&quot;">
        <set token="feature">$click.value$</set>
        <set token="querytocall">index=y |stats count as &quot;No of Occurences&quot; by  host |  table host, &quot;No of Occurences&quot;</set>
      </condition>
    </drilldown>
  </chart>
</panel>
<panel depends="$feature$">
  <title>$feature$ - Exception From Hosts Details</title>
  <chart>
    <!-- The whole search string comes from the token set in the drilldown above -->
    <search>
      <query>$querytocall$</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>

0 Karma
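
A pre-deployment check for the two problems discussed in this thread, written as an added example that is not part of the original posts or of Splunk itself: it flags a `<change>` placed under `<chart>`, a `<query>` token that no `<drilldown>` sets, and token values that break XML parsing because of a raw `<`. The function name `lint_dashboard` and the sample fragments are constructed for illustration; the token check only knows about tokens set inside `<drilldown>`, so tokens supplied by form inputs would also be reported.

```python
import re
import xml.etree.ElementTree as ET

TOKEN = re.compile(r"\$([A-Za-z_][\w.]*)\$")

def lint_dashboard(xml_text):
    """Return findings for a Simple XML fragment (empty list = clean)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # e.g. raw '<' of a rex named group in <set>
        return [f"not well-formed XML: {exc}"]
    findings = []
    for chart in root.iter("chart"):
        if chart.find("change") is not None:
            findings.append("<change> under <chart>: move it into <drilldown>")
    set_by_click = {s.get("token") for d in root.iter("drilldown")
                    for s in d.iter("set")}
    for query in root.iter("query"):
        for name in TOKEN.findall(query.text or ""):
            if name not in set_by_click:
                findings.append(f"${name}$ is not set by any <drilldown>")
    return findings

# Constructed fragments modelled on the question (ORIGINAL) and the answer (FIXED).
ORIGINAL = """<row>
 <panel><chart><drilldown>
   <set token="feature">$click.value$</set>
 </drilldown></chart></panel>
 <panel depends="$feature$"><chart>
   <change><condition match="$feature$ == &quot;UMB&quot;">
     <set token="querytocall">index=y | stats count by host</set>
   </condition></change>
   <search><query>$querytocall$</query></search>
 </chart></panel></row>"""

FIXED = """<row>
 <panel><chart><drilldown>
   <condition match="$click.value$ == &quot;UMB&quot;">
     <set token="feature">$click.value$</set>
     <set token="querytocall">index=y | stats count by host</set>
   </condition>
 </drilldown></chart></panel>
 <panel depends="$feature$"><chart>
   <search><query>$querytocall$</query></search>
 </chart></panel></row>"""

# Constructed: a named capture group left unescaped inside a token value.
RAW_LT = '<set token="querytocall">index=x | rex "(?P<exception>.+?):"</set>'
```
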

Path Finder

Hi rjthibod,

Thank you so much for your response.

It is working now.

0 Karma