I have the following data set:
Date        rank  LastQuery   count  percent
03/18/2013  1     THE         51870  2.641512
03/18/2013  2     SEX         12562  0.639728
03/18/2013  3     BIBLE       11629  0.592214
03/18/2013  4     TWILIGHT    10622  0.540932
03/18/2013  5     THE+BIBLE   10136  0.516182
03/18/2013  6     HOUSE        6611  0.336669
I need help to create a drill down by the selected LastQuery using the following query:
Example: the user clicked on LastQuery=HOUSE. This query should be used by the drilldown:
splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank AND LastQuery=HOUSE|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent
This is my XML panel. It works fine. I just need to include the drilldown.
<module name="HiddenSearch" layoutPanel="panel_row5_col1" autoRun="True">
  <module name="StaticContentSample">
    <param name="text"><![CDATA[<H1>Top N</H1>]]></param>
  </module>
  <param name="earliest">-1d@d</param>
  <param name="groupLabel">Vespa - Combined Top N Distinct Searches - Yesterday</param>
  <param name="search">splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
  <param name="latest">@d</param>
  <module name="ViewstateAdapter">
    <param name="suppressionList"/>
    <module name="HiddenFieldPicker">
      <param name="strictMode">True</param>
      <module name="JobProgressIndicator"/>
      <module name="Paginator">
        <param name="entityName">results</param>
        <param name="count">10</param>
        <module name="EnablePreview">
          <param name="display">False</param>
          <param name="enable">True</param>
          <module name="SimpleResultsTable">
            <param name="entityName">results</param>
            <param name="displayRowNumbers">true</param>
            <param name="count">10</param>
            <param name="allowTransformedFieldSelect">True</param>
            <module name="Gimp"/>
            <module name="ViewRedirectorLink">
              <param name="viewTarget">flashtimeline</param>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>
First, it's worth saying that if your advanced XML was ever converted from Simple XML (which most is), then a lot of the XML content and the indentation is actually unnecessary cruft carried along by the conversion process or introduced by the simple XML code itself.
Here's a quickly cleaned-up version of the same XML you posted. Removing the cruft makes it a bit easier to read.
<module name="HiddenSearch" layoutPanel="panel_row5_col1" autoRun="True">
  <param name="search">splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
  <param name="earliest">-1d@d</param>
  <param name="latest">@d</param>
  <module name="StaticContentSample">
    <param name="text"><![CDATA[<H1>Top N</H1>]]></param>
  </module>
  <module name="JobProgressIndicator"/>
  <module name="EnablePreview">
    <param name="display">False</param>
    <param name="enable">True</param>
    <module name="Paginator">
      <param name="entityName">results</param>
      <param name="count">10</param>
      <module name="SimpleResultsTable">
        <param name="entityName">results</param>
        <param name="displayRowNumbers">true</param>
        <param name="count">10</param>
        <module name="ViewRedirectorLink">
          <param name="viewTarget">flashtimeline</param>
        </module>
      </module>
    </module>
  </module>
</module>
To answer your question, with just the Core Splunk UI I believe you can use the SimpleDrilldown module.
<module name="HiddenSearch" layoutPanel="panel_row5_col1" autoRun="True">
  <param name="search">splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
  <param name="earliest">-1d@d</param>
  <param name="latest">@d</param>
  <module name="StaticContentSample">
    <param name="text"><![CDATA[<H1>Top N</H1>]]></param>
  </module>
  <module name="JobProgressIndicator"/>
  <module name="EnablePreview">
    <param name="display">False</param>
    <param name="enable">True</param>
    <module name="Paginator">
      <param name="entityName">results</param>
      <param name="count">10</param>
      <module name="SimpleResultsTable">
        <param name="entityName">results</param>
        <param name="displayRowNumbers">true</param>
        <param name="count">10</param>
        <module name="SimpleDrilldown">
          <param name="links">
            <param name="*">/app/search/flashtimeline?q=search splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank AND LastQuery="$row.LastQuery$" |sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
          </param>
        </module>
        <module name="ViewRedirectorLink">
          <param name="viewTarget">flashtimeline</param>
        </module>
      </module>
    </module>
  </module>
</module>
Although, NOTE 1: that example will result in an all-time search in the flashtimeline view (I'm not sure how you pass the current time range using the core modules).
And NOTE 2: if you have characters in your search or in the actual $row.LastQuery$ that might need to be URL-encoded, I'm not sure what facility SimpleDrilldown has to do that (I suspect none).
And if you're used to using the modules from Sideview Utils, and you have a reasonably current version of Sideview Utils, it would look like this; it would URL-encode weird characters correctly, as well as pass on the drilldown time range:
<module name="Hidden" layoutPanel="panel_row5_col1" autoRun="True">
  <param name="search">splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
  <param name="earliest">-1d@d</param>
  <param name="latest">@d</param>
  <module name="HTML">
    <param name="html"><![CDATA[<H1>Top N</H1>]]></param>
  </module>
  <module name="JobProgressIndicator"/>
  <module name="EnablePreview">
    <param name="display">False</param>
    <param name="enable">True</param>
    <module name="Pager">
      <module name="Table">
        <param name="displayRowNumbers">true</param>
        <module name="Redirector">
          <param name="url">flashtimeline</param>
          <param name="arg.q">search splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank AND LastQuery="$row.fields.LastQuery$" |sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
          <param name="arg.earliest">$search.timeRange.earliest$</param>
          <param name="arg.latest">$search.timeRange.latest$</param>
        </module>
        <module name="ViewRedirectorLink">
          <param name="viewTarget">flashtimeline</param>
        </module>
      </module>
    </module>
  </module>
</module>
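Added example (not code from the question or the answer above, and not part of Splunk or Sideview Utils): a small Python sketch of the two things NOTE 2 is pointing at. First, a row value such as THE+BIBLE from the posted data set has to be URL-encoded before it goes into `q=`, because a raw `+` in a query string decodes back to a space. Second, and the part the answer does not spell out, LastQuery holds whatever end users typed into a search box; if one of those values contains a double quote, the SimpleDrilldown template pastes it verbatim into `LastQuery="..."`, closes the quoted term early, and the analyst who clicks that row runs a different search than the one on the dashboard. The hardened builder escapes the value as an SPL string literal and then URL-encodes the whole query string, carrying earliest/latest along the way the Sideview Redirector example does. The base search, field names and time range are taken from the page; the function names and the crafted `HOUSE" OR index="*` value are constructed for illustration.

```python
"""Build a flashtimeline drilldown URL for the Top N table safely.

Added example, not code from the question or the answers. The base search,
field names and time range come from the page; the helper names and the
crafted LastQuery value below are constructed for illustration.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

# The base search and the post-processing tail, as posted in the question.
BASE_SEARCH = ('splunk_server=io-splunk-03.example.com index="si_top_n" '
               'Sampling_Rate=Daily AND rank')
TAIL = ('|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") '
        '|table Date rank LastQuery count percent')


def spl_quote(value: str) -> str:
    """Return value as an SPL double-quoted string literal.

    Inside a quoted SPL string a backslash escapes the next character, so the
    backslash itself is doubled first and then the double quote is escaped.
    A quote in the data therefore stays part of the literal instead of
    closing it.
    """
    escaped = value.replace('\\', '\\\\').replace('"', '\\"')
    return f'"{escaped}"'


def naive_drilldown_url(last_query: str) -> str:
    """What the SimpleDrilldown template in the answer expands to: the row
    value is spliced in verbatim, with no SPL escaping and no URL encoding."""
    return (f'/app/search/flashtimeline?q=search {BASE_SEARCH} '
            f'AND LastQuery="{last_query}" {TAIL}')


def build_drilldown_url(last_query: str, earliest: str = "-1d@d",
                        latest: str = "@d", app: str = "search") -> str:
    """Escape the row value as an SPL literal, then URL-encode the whole
    query string and carry the panel's time range along, mirroring the
    Sideview Redirector's arg.q / arg.earliest / arg.latest parameters."""
    query = f'search {BASE_SEARCH} AND LastQuery={spl_quote(last_query)} {TAIL}'
    params = {"q": query, "earliest": earliest, "latest": latest}
    return f"/app/{app}/flashtimeline?" + urlencode(params)


def decode_search(url: str) -> str:
    """Decode the q= parameter the way the receiving view will see it."""
    return parse_qs(urlsplit(url).query)["q"][0]


if __name__ == "__main__":
    # Row value from the posted data set: a raw '+' in a query string decodes
    # as a space, so it has to be encoded to survive the round trip.
    print(naive_drilldown_url("THE+BIBLE"))
    print(decode_search(build_drilldown_url("THE+BIBLE")))

    # Constructed value: if an end user's search text contained a double quote,
    # the naive template turns it into a different search (the OR clause is
    # now outside the quotes), while the escaped form keeps it one literal.
    crafted = 'HOUSE" OR index="*'
    print(naive_drilldown_url(crafted))
    print(decode_search(build_drilldown_url(crafted)))
```

The Sideview Redirector takes care of the URL-encoding layer; the SPL quoting in `spl_quote` is a separate layer that neither module does for you, and it is worth adding whenever a drilldown token is built from data that users or attackers can write into the index. One caveat: quoting keeps the value inside a single `LastQuery=` term, but a `*` inside a double-quoted Splunk value is still treated as a wildcard, so this does not guarantee an exact match for values that contain one.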