Re: Help On Drill Down Using Avanced XML

lpolo · ‎03-19-2013

I have the following data set :

Date        rank    LastQuery   count   percent
03/18/2013  1   THE     51870   2.641512
03/18/2013  2   SEX     12562   0.639728
03/18/2013  3   BIBLE       11629   0.592214
03/18/2013  4   TWILIGHT    10622   0.540932
03/18/2013  5   THE+BIBLE   10136   0.516182
03/18/2013  6   HOUSE       6611    0.336669

I need help to create a drill down by the selected LastQuery using the following query:

Example:User clicked on LastQuery=HOUSE. This query should be used by the drill down:

splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank AND LastQuery=HOUSE|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent

This is my xml panel. It works fine. I just need to include the drill down.

<module name="HiddenSearch" layoutPanel="panel_row5_col1" autoRun="True">
<module name="StaticContentSample">
<param name="text"><![CDATA[<H1>Top N</H1>]]></param>
</module>
<param name="earliest">-1d@d</param>
<param name="groupLabel">Vespa - Combined Top N Distinct Searches - Yesterday</param>
<param name="search">splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
<param name="latest">@d</param>
<module name="ViewstateAdapter">
<param name="suppressionList">
<item>displayRowNumbers</item>
<item>drilldown</item>
<item>count</item>
</param>
<module name="HiddenFieldPicker">
<param name="strictMode">True</param>
<module name="JobProgressIndicator"/>
<module name="Paginator">
<param name="entityName">results</param>
<param name="count">10</param>
<module name="EnablePreview">
<param name="display">False</param>
<param name="enable">True</param>
<module name="SimpleResultsTable">
<param name="entityName">results</param>
<param name="displayRowNumbers">true</param>
<param name="count">10</param>
<param name="allowTransformedFieldSelect">True</param>
<module name="Gimp"/>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>

Thanks,
Lp

sideview · ‎03-19-2013

First, it's worth saying that if your advanced XML was ever converted from Simple XML (which most is), then a lot of the XML content and the indentation is actually unnecessary cruft carried along by the conversion process or introduced by the simple XML code itself.

Here's a quickly cleaned up version of the same XML you posted. removing the cruft makes it a bit easier to read.

<module name="HiddenSearch" layoutPanel="panel_row5_col1" autoRun="True">
  <param name="search">splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
  <param name="earliest">-1d@d</param>
  <param name="latest">@d</param>
  <module name="StaticContentSample">
    <param name="text"><![CDATA[<H1>Top N</H1>]]></param>
  </module>
  <module name="JobProgressIndicator"/>
  <module name="EnablePreview">
    <param name="display">False</param>
    <param name="enable">True</param>
  </module>
  <module name="Paginator">
    <param name="entityName">results</param>
    <param name="count">10</param>

    <module name="SimpleResultsTable">
      <param name="entityName">results</param>
      <param name="displayRowNumbers">true</param>
      <param name="count">10</param>
    </module>
    <module name="ViewRedirectorLink">
      <param name="viewTarget">flashtimeline</param>
    </module>
  </module>
</module>

To answer your question, with just the Core Splunk UI I believe you can use the SimpleDrilldown module.

<module name="HiddenSearch" layoutPanel="panel_row5_col1" autoRun="True">
  <param name="search">splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
  <param name="earliest">-1d@d</param>
  <param name="latest">@d</param>
  <module name="StaticContentSample">
    <param name="text"><![CDATA[<H1>Top N</H1>]]></param>
  </module>
  <module name="JobProgressIndicator"/>
  <module name="EnablePreview">
    <param name="display">False</param>
    <param name="enable">True</param>
  </module>
  <module name="Paginator">
    <param name="entityName">results</param>
    <param name="count">10</param>
    <module name="SimpleResultsTable">
      <param name="entityName">results</param>
      <param name="displayRowNumbers">true</param>
      <param name="count">10</param>

      <module name="SimpleDrilldown">
        <param name="links">
          <param name="*">/app/search/flashtimeline?q=search splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank AND LastQuery="$row.LastQuery$" |sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
        </param>
      </module>
    </module>
    <module name="ViewRedirectorLink">
      <param name="viewTarget">flashtimeline</param>
    </module>
  </module>
</module>

Although NOTE 1: that example will result in an all-time search in the flashtimeline view (I'm not sure how you pass the current timerange using the core systems).

and NOTE 2: if you have characters in your search or in the actual $row.LastQuery$ that might need to be url-encoded, I'm not sure what facility SimpleDrilldown has to do that (I suspect none)

And if you're used to using the modules from Sideview Utils, and you have a reasonably current version of Sideview Utils, it would look like this, and it would url-encode weird characters correctly, as well as pass on the drilldown timerange:

<module name="Hidden" layoutPanel="panel_row5_col1" autoRun="True">
  <param name="search">splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
  <param name="earliest">-1d@d</param>
  <param name="latest">@d</param>
  <module name="HTML">
    <param name="html"><![CDATA[<H1>Top N</H1>]]></param>
  </module>
  <module name="JobProgressIndicator"/>
  <module name="EnablePreview">
    <param name="display">False</param>
    <param name="enable">True</param>
  </module>
  <module name="Pager">
    <module name="Table">
      <param name="displayRowNumbers">true</param>
      <module name="Redirector">
        <param name="url">flashtimeline</param>
        <param name="arg.q">search splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank AND LastQuery="$row.fields.LastQuery$" |sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
        <param name="arg.earliest">$search.timeRange.earliest$</param>
        <param name="arg.latest">$search.timeRange.latest$</param>
      </module>
    </module>
    <module name="ViewRedirectorLink">
      <param name="viewTarget">flashtimeline</param>
    </module>
  </module>
</module>

lpolo · ‎03-20-2013

Thanks,
Lp

Help On Drill Down Using Avanced XML

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation