Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Drilldown with same events- Having issues with panel2

lnn2204
Path Finder
‎04-27-2022 04:24 AM

Hi all,

I have 2 panels, I can call it like panel1 and panel2. The panel2 is detail of a value in panel1. And I didn't user post-process type. This is 2 individual panels.

The problem is the panel2 search different events, it missed the time to search. 

So how i fix it?

Panel1 with drilldown token ipDownload

 

 

 

<search>
<query>index=...
| fields SrcIP, DownSize
| chart sum(DownSize) as Download by SrcIP
| sort 10 -Download</query>
<earliest>$Time.earliest$</earliest>
<latest>$Time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>

 

 

 

Panel2

 

 

 

<search>
          <query>index=...
| search SrcIP="$ipDownload$" 
| stats sum(DownSize) as Download by DstIP Client AppProtocol
| sort 10 -Size
| table DstIP, Client, AppProtocol, Download </query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>

 

 

 

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-27-2022 07:56 AM

Try something like this

<panel>
  <chart>
	<title>Top Traffic - Download</title>
	<search>
          <done>
            <eval token="jobearly">$job.earliestTime$</eval>
            <eval token="joblate">$job.latestTime$</eval>
          </done>
	  <query>index=...
| fields SrcIP, DownSize
| chart sum(DownSize) as Download by SrcIP
| sort 10 -Download</query>
	  <earliest>$TimeOfTraffic.earliest$</earliest>
	  <latest>$TimeOfTraffic.latest$</latest>
	  <sampleRatio>1</sampleRatio>
	</search>
	<drilldown>
	  <set token="showDownloadDetail">true</set>
	  <set token="ipDownload">$click.value$</set>
          <eval token="early">$jobearly$</eval>
          <eval token="late">$joblate$</eval>
	</drilldown>
  </chart>
</panel>
<row depends="$showDownloadDetail$">
    <panel>
      <table depends="$ipDownload$">
        <title>Top Host Download from $ipDownload$</title>
        <search>
          <query>index=... earliest=$early$ latest=$late$
| search SrcIP="$ipDownload$" 
| stats sum(DownSize) as Download by DstIP Client AppProtocol
| sort 10 -Size
| table DstIP, Client, AppProtocol, Download </query>
          <earliest>$TimeOfTraffic.earliest$</earliest>
          <latest>$TimeOfTraffic.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </table>
    </panel>

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-27-2022 04:35 AM

It looks like both panels are using the same time ($Time.earliest$ and $Time.latest$)

Are you wanting to use something from the row that is clicked in the first panel to modify the search in the second panel?

You can do this by adding a drilldown, setting some tokens, and use these tokens in the second search

0 Karma
Reply
Solved! Jump to solution

lnn2204
Path Finder
‎04-27-2022 05:10 AM

I mean when i finished panel1. I click a value on that, then the panel2 will search for that value. In this case is $ipDownload$ , but it search with another time. The output is quite difference.

panel1 took 10mins to finish, so when panel2 start, it’s 10mins later. Any suggestions please..

Thanks for reading my stupid grammar. 🥲

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-27-2022 06:50 AM

Can you share your drilldown code?

0 Karma
Reply
Solved! Jump to solution

lnn2204
Path Finder
‎04-27-2022 07:11 AM

Sure. Here it is

Panel1

<panel>
  <chart>
	<title>Top Traffic - Download</title>
	<search>
	  <query>index=...
| fields SrcIP, DownSize
| chart sum(DownSize) as Download by SrcIP
| sort 10 -Download</query>
	  <earliest>$TimeOfTraffic.earliest$</earliest>
	  <latest>$TimeOfTraffic.latest$</latest>
	  <sampleRatio>1</sampleRatio>
	</search>
	<drilldown>
	  <set token="showDownloadDetail">true</set>
	  <set token="ipDownload">$click.value$</set>
	</drilldown>
  </chart>
</panel>

Panel2

<row depends="$showDownloadDetail$">
    <panel>
      <table depends="$ipDownload$">
        <title>Top Host Download from $ipDownload$</title>
        <search>
          <query>index=... 
| search SrcIP="$ipDownload$" 
| stats sum(DownSize) as Download by DstIP Client AppProtocol
| sort 10 -Size
| table DstIP, Client, AppProtocol, Download </query>
          <earliest>$TimeOfTraffic.earliest$</earliest>
          <latest>$TimeOfTraffic.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </table>
    </panel>
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-27-2022 07:56 AM

Try something like this

<panel>
  <chart>
	<title>Top Traffic - Download</title>
	<search>
          <done>
            <eval token="jobearly">$job.earliestTime$</eval>
            <eval token="joblate">$job.latestTime$</eval>
          </done>
	  <query>index=...
| fields SrcIP, DownSize
| chart sum(DownSize) as Download by SrcIP
| sort 10 -Download</query>
	  <earliest>$TimeOfTraffic.earliest$</earliest>
	  <latest>$TimeOfTraffic.latest$</latest>
	  <sampleRatio>1</sampleRatio>
	</search>
	<drilldown>
	  <set token="showDownloadDetail">true</set>
	  <set token="ipDownload">$click.value$</set>
          <eval token="early">$jobearly$</eval>
          <eval token="late">$joblate$</eval>
	</drilldown>
  </chart>
</panel>
<row depends="$showDownloadDetail$">
    <panel>
      <table depends="$ipDownload$">
        <title>Top Host Download from $ipDownload$</title>
        <search>
          <query>index=... earliest=$early$ latest=$late$
| search SrcIP="$ipDownload$" 
| stats sum(DownSize) as Download by DstIP Client AppProtocol
| sort 10 -Size
| table DstIP, Client, AppProtocol, Download </query>
          <earliest>$TimeOfTraffic.earliest$</earliest>
          <latest>$TimeOfTraffic.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </table>
    </panel>
0 Karma
Reply
Solved! Jump to solution

lnn2204
Path Finder
‎04-27-2022 08:15 AM

It didn't work, but I tried with 

 

<row depends="$showDownloadDetail$">
    <panel>
      <table depends="$ipDownload$">
        <title>Top Host Download from $ipDownload$</title>
        <search>
          <query>index=...
| search SrcIP="$ipDownload$" 
| stats sum(DownSize) as Download by DstIP Client AppProtocol
| sort 10 -Size
| table DstIP, Client, AppProtocol, Download </query>
          <earliest>$early$</earliest>
          <latest>$late$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </table>
    </panel>

 

So it worked perfectly. And we can remove the <eval> in drilldown, then call the token directly from <done>.

By the way, i don't know how to find something like <done> tag, could you send me some docs about this.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...