Help On Drill Down Using Advanced XML

lpolo
Motivator

I have the following data set:

Date        rank  LastQuery  count  percent
03/18/2013  1     THE        51870  2.641512
03/18/2013  2     SEX        12562  0.639728
03/18/2013  3     BIBLE      11629  0.592214
03/18/2013  4     TWILIGHT   10622  0.540932
03/18/2013  5     THE+BIBLE  10136  0.516182
03/18/2013  6     HOUSE      6611   0.336669

I need help to create a drill down by the selected LastQuery using the following query:

Example: User clicked on LastQuery=HOUSE. This query should be used by the drill down:

splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank AND LastQuery=HOUSE|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent

This is my xml panel. It works fine. I just need to include the drill down.

<module name="HiddenSearch" layoutPanel="panel_row5_col1" autoRun="True">
<module name="StaticContentSample">
<param name="text"><![CDATA[<H1>Top N</H1>]]></param>
</module>
<param name="earliest">-1d@d</param>
<param name="groupLabel">Vespa - Combined Top N Distinct Searches - Yesterday</param>
<param name="search">splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
<param name="latest">@d</param>
<module name="ViewstateAdapter">
<param name="suppressionList">
<item>displayRowNumbers</item>
<item>drilldown</item>
<item>count</item>
</param>
<module name="HiddenFieldPicker">
<param name="strictMode">True</param>
<module name="JobProgressIndicator"/>
<module name="Paginator">
<param name="entityName">results</param>
<param name="count">10</param>
<module name="EnablePreview">
<param name="display">False</param>
<param name="enable">True</param>
<module name="SimpleResultsTable">
<param name="entityName">results</param>
<param name="displayRowNumbers">true</param>
<param name="count">10</param>
<param name="allowTransformedFieldSelect">True</param>
<module name="Gimp"/>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>

Thanks,
Lp

0 Karma

sideview
SplunkTrust

First, it's worth saying that if your advanced XML was ever converted from Simple XML (which most is), then a lot of the XML content and the indentation is actually unnecessary cruft carried along by the conversion process or introduced by the simple XML code itself.

Here's a quickly cleaned up version of the same XML you posted. Removing the cruft makes it a bit easier to read.

<module name="HiddenSearch" layoutPanel="panel_row5_col1" autoRun="True">
  <param name="search">splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
  <param name="earliest">-1d@d</param>
  <param name="latest">@d</param>
  <module name="StaticContentSample">
    <param name="text"><![CDATA[<H1>Top N</H1>]]></param>
  </module>
  <module name="JobProgressIndicator"/>
  <module name="EnablePreview">
    <param name="display">False</param>
    <param name="enable">True</param>
  </module>
  <module name="Paginator">
    <param name="entityName">results</param>
    <param name="count">10</param>

    <module name="SimpleResultsTable">
      <param name="entityName">results</param>
      <param name="displayRowNumbers">true</param>
      <param name="count">10</param>
    </module>
    <module name="ViewRedirectorLink">
      <param name="viewTarget">flashtimeline</param>
    </module>
  </module>
</module>

To answer your question, with just the Core Splunk UI I believe you can use the SimpleDrilldown module.

<module name="HiddenSearch" layoutPanel="panel_row5_col1" autoRun="True">
  <param name="search">splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
  <param name="earliest">-1d@d</param>
  <param name="latest">@d</param>
  <module name="StaticContentSample">
    <param name="text"><![CDATA[<H1>Top N</H1>]]></param>
  </module>
  <module name="JobProgressIndicator"/>
  <module name="EnablePreview">
    <param name="display">False</param>
    <param name="enable">True</param>
  </module>
  <module name="Paginator">
    <param name="entityName">results</param>
    <param name="count">10</param>
    <module name="SimpleResultsTable">
      <param name="entityName">results</param>
      <param name="displayRowNumbers">true</param>
      <param name="count">10</param>

      <module name="SimpleDrilldown">
        <param name="links">
          <param name="*">/app/search/flashtimeline?q=search splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank AND LastQuery="$row.LastQuery$" |sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
        </param>
      </module>
    </module>
    <module name="ViewRedirectorLink">
      <param name="viewTarget">flashtimeline</param>
    </module>
  </module>
</module>

Although NOTE 1: that example will result in an all-time search in the flashtimeline view (I'm not sure how you pass the current timerange using the core systems).

And NOTE 2: if you have characters in your search or in the actual $row.LastQuery$ that might need to be url-encoded, I'm not sure what facility SimpleDrilldown has to do that (I suspect none).

And if you're used to using the modules from Sideview Utils, and you have a reasonably current version of Sideview Utils, it would look like this, and it would url-encode weird characters correctly, as well as pass on the drilldown timerange:

<module name="Hidden" layoutPanel="panel_row5_col1" autoRun="True">
  <param name="search">splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
  <param name="earliest">-1d@d</param>
  <param name="latest">@d</param>
  <module name="HTML">
    <param name="html"><![CDATA[<H1>Top N</H1>]]></param>
  </module>
  <module name="JobProgressIndicator"/>
  <module name="EnablePreview">
    <param name="display">False</param>
    <param name="enable">True</param>
  </module>
  <module name="Pager">
    <module name="Table">
      <param name="displayRowNumbers">true</param>
      <module name="Redirector">
        <param name="url">flashtimeline</param>
        <param name="arg.q">search splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank AND LastQuery="$row.fields.LastQuery$" |sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
        <param name="arg.earliest">$search.timeRange.earliest$</param>
        <param name="arg.latest">$search.timeRange.latest$</param>
      </module>
    </module>
    <module name="ViewRedirectorLink">
      <param name="viewTarget">flashtimeline</param>
    </module>
  </module>
</module>
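
The two notes in the answer above (URL-encoding and the time range), worked through as an added example that is not part of the original posts and is not Splunk or Sideview code. The helper names are hypothetical, the `earliest`/`latest` query arguments mirror the `arg.earliest`/`arg.latest` params shown in the thread, and the form-style decoding of `q` on the receiving side is an assumption.

```javascript
// Added example. splQuote, buildDrilldownUrl, naiveDrilldownUrl and decodeQ are
// hypothetical helper names; the SPL text and flashtimeline path are from the thread.
const BASE = '/app/search/flashtimeline';
const SPL_HEAD = 'search splunk_server=io-splunk-03.example.com index="si_top_n" ' +
  'Sampling_Rate=Daily AND rank AND LastQuery=';
const SPL_TAIL = ' |sort + rank|eval Date=strftime(_time, "%m/%d/%Y") ' +
  '|table Date rank LastQuery count percent';

// Quote a field value for SPL: escape backslash first, then double quote, so a
// term such as 6" NAILS stays inside the quoted string.
function splQuote(value) {
  return '"' + String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// Plain substitution, as in the SimpleDrilldown link: nothing is encoded.
function naiveDrilldownUrl(lastQuery) {
  return BASE + '?q=' + SPL_HEAD + '"' + lastQuery + '"' + SPL_TAIL;
}

// Encode every argument; pass the time range only when it is set.
function buildDrilldownUrl(lastQuery, earliest, latest) {
  const args = [['q', SPL_HEAD + splQuote(lastQuery) + SPL_TAIL],
                ['earliest', earliest], ['latest', latest]];
  return BASE + '?' + args
    .filter(([, v]) => v !== undefined && v !== null && v !== '')
    .map(([k, v]) => k + '=' + encodeURIComponent(v))
    .join('&');
}

// Read q back the way a form-style decoder does ("+" becomes a space).
function decodeQ(url) {
  return new URLSearchParams(url.slice(url.indexOf('?') + 1)).get('q');
}

// Sample values: THE+BIBLE is from the posted data set, 6" NAILS is constructed.
for (const term of ['THE+BIBLE', '6" NAILS']) {
  console.log(term,
    '=> naive keeps term:', decodeQ(naiveDrilldownUrl(term)).includes(splQuote(term)),
    '| encoded keeps term:',
    decodeQ(buildDrilldownUrl(term, '-1d@d', '@d')).includes(splQuote(term)));
}
```

With plain substitution the `+` in `THE+BIBLE` is read back as a space, so the drilldown would search for a different term than the row that was clicked.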

lpolo
Motivator

Thanks,
Lp

0 Karma