Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Dashboards & Visualizations
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Drilldown with same events- Having issues with pan...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lnn2204
Path Finder
04-27-2022
04:24 AM
Hi all,
I have 2 panels, I can call it like panel1 and panel2. The panel2 is detail of a value in panel1. And I didn't user post-process type. This is 2 individual panels.
The problem is the panel2 search different events, it missed the time to search.
So how i fix it?
Panel1 with drilldown token ipDownload
<search>
<query>index=...
| fields SrcIP, DownSize
| chart sum(DownSize) as Download by SrcIP
| sort 10 -Download</query>
<earliest>$Time.earliest$</earliest>
<latest>$Time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
Panel2
<search>
<query>index=...
| search SrcIP="$ipDownload$"
| stats sum(DownSize) as Download by DstIP Client AppProtocol
| sort 10 -Size
| table DstIP, Client, AppProtocol, Download </query>
<earliest>$Time.earliest$</earliest>
<latest>$Time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
04-27-2022
07:56 AM
Try something like this
<panel>
<chart>
<title>Top Traffic - Download</title>
<search>
<done>
<eval token="jobearly">$job.earliestTime$</eval>
<eval token="joblate">$job.latestTime$</eval>
</done>
<query>index=...
| fields SrcIP, DownSize
| chart sum(DownSize) as Download by SrcIP
| sort 10 -Download</query>
<earliest>$TimeOfTraffic.earliest$</earliest>
<latest>$TimeOfTraffic.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<drilldown>
<set token="showDownloadDetail">true</set>
<set token="ipDownload">$click.value$</set>
<eval token="early">$jobearly$</eval>
<eval token="late">$joblate$</eval>
</drilldown>
</chart>
</panel><row depends="$showDownloadDetail$">
<panel>
<table depends="$ipDownload$">
<title>Top Host Download from $ipDownload$</title>
<search>
<query>index=... earliest=$early$ latest=$late$
| search SrcIP="$ipDownload$"
| stats sum(DownSize) as Download by DstIP Client AppProtocol
| sort 10 -Size
| table DstIP, Client, AppProtocol, Download </query>
<earliest>$TimeOfTraffic.earliest$</earliest>
<latest>$TimeOfTraffic.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
</table>
</panel>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
04-27-2022
04:35 AM
It looks like both panels are using the same time ($Time.earliest$ and $Time.latest$)
Are you wanting to use something from the row that is clicked in the first panel to modify the search in the second panel?
You can do this by adding a drilldown, setting some tokens, and use these tokens in the second search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lnn2204
Path Finder
04-27-2022
05:10 AM
I mean when i finished panel1. I click a value on that, then the panel2 will search for that value. In this case is $ipDownload$ , but it search with another time. The output is quite difference.
panel1 took 10mins to finish, so when panel2 start, it’s 10mins later. Any suggestions please..
Thanks for reading my stupid grammar. 🥲
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
04-27-2022
06:50 AM
Can you share your drilldown code?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lnn2204
Path Finder
04-27-2022
07:11 AM
Sure. Here it is
Panel1
<panel>
<chart>
<title>Top Traffic - Download</title>
<search>
<query>index=...
| fields SrcIP, DownSize
| chart sum(DownSize) as Download by SrcIP
| sort 10 -Download</query>
<earliest>$TimeOfTraffic.earliest$</earliest>
<latest>$TimeOfTraffic.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<drilldown>
<set token="showDownloadDetail">true</set>
<set token="ipDownload">$click.value$</set>
</drilldown>
</chart>
</panel>Panel2
<row depends="$showDownloadDetail$">
<panel>
<table depends="$ipDownload$">
<title>Top Host Download from $ipDownload$</title>
<search>
<query>index=...
| search SrcIP="$ipDownload$"
| stats sum(DownSize) as Download by DstIP Client AppProtocol
| sort 10 -Size
| table DstIP, Client, AppProtocol, Download </query>
<earliest>$TimeOfTraffic.earliest$</earliest>
<latest>$TimeOfTraffic.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
</table>
</panel>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
04-27-2022
07:56 AM
Try something like this
<panel>
<chart>
<title>Top Traffic - Download</title>
<search>
<done>
<eval token="jobearly">$job.earliestTime$</eval>
<eval token="joblate">$job.latestTime$</eval>
</done>
<query>index=...
| fields SrcIP, DownSize
| chart sum(DownSize) as Download by SrcIP
| sort 10 -Download</query>
<earliest>$TimeOfTraffic.earliest$</earliest>
<latest>$TimeOfTraffic.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<drilldown>
<set token="showDownloadDetail">true</set>
<set token="ipDownload">$click.value$</set>
<eval token="early">$jobearly$</eval>
<eval token="late">$joblate$</eval>
</drilldown>
</chart>
</panel><row depends="$showDownloadDetail$">
<panel>
<table depends="$ipDownload$">
<title>Top Host Download from $ipDownload$</title>
<search>
<query>index=... earliest=$early$ latest=$late$
| search SrcIP="$ipDownload$"
| stats sum(DownSize) as Download by DstIP Client AppProtocol
| sort 10 -Size
| table DstIP, Client, AppProtocol, Download </query>
<earliest>$TimeOfTraffic.earliest$</earliest>
<latest>$TimeOfTraffic.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
</table>
</panel>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lnn2204
Path Finder
04-27-2022
08:15 AM
It didn't work, but I tried with
<row depends="$showDownloadDetail$">
<panel>
<table depends="$ipDownload$">
<title>Top Host Download from $ipDownload$</title>
<search>
<query>index=...
| search SrcIP="$ipDownload$"
| stats sum(DownSize) as Download by DstIP Client AppProtocol
| sort 10 -Size
| table DstIP, Client, AppProtocol, Download </query>
<earliest>$early$</earliest>
<latest>$late$</latest>
<sampleRatio>1</sampleRatio>
</search>
</table>
</panel>
So it worked perfectly. And we can remove the <eval> in drilldown, then call the token directly from <done>.
By the way, i don't know how to find something like <done> tag, could you send me some docs about this.
Get Updates on the Splunk Community!
Splunk APM & RUM | Upcoming Planned Maintenance
There will be planned maintenance of Splunk APM’s and Splunk RUM’s streaming infrastructure in the coming ...
Part 2: Diving Deeper With AIOps
Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence
Watch ...
User Groups | Upcoming Events!
If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...
