Dashboards & Visualizations

How can I get drill down working for a trellis chart.

ksextonmacb
Path Finder

I have a dashboard containing a trellis of pie charts, and a table with some extra variables.

I am trying to get the trellis charts to pass information to the table on a click using the drilldown functionality.

I can successfully drill down using a table built from the same data, but not with a trellis. When using a trellis, the click appears to do nothing.

EDIT: I think the issue is in the trellis graph itself not causing the drilldown effect, because since I asked the question I've tried setting/reading junk tokens (just set something to the boolean value true) and the dashboard won't react to those, either.

I've read through the documentation and it's my understanding that what I've got ought to work.

Here's my dashboard.

<dashboard>
  <label>Test_Ops_Portal Clone</label>
  <search id="First_Base_Search">
    <query>host=afemsiscm sourcetype="snmp_walk_results" | head 1 | rex max_match=0 field=_raw "(?<lineData>[^\n]+)" | mvexpand lineData | eval _raw=lineData | rex "Process\s+(?P<process_name>\w+) (?P<process_status>is( not)?) running on\s+(?P<server_name>\w+)" | eval process_status = if(process_status == "is", "up", "down")</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <row>
    <panel>
      <title>Dev</title>
      <html>
       <style>
       #dev_trellis .highcharts-tooltip{
         visibility:hidden;
       }
       </style>
      </html>
      <chart id="dev_trellis">
        <search base="First_Base_Search">
          <query>where like(server_name, "%dev%") | stats count(process_name) by server_name, process_status</query>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">collapsed</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.showLabels">0</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.fieldColors">{"down":0xFF0000,"up":0x00FF00}</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
        <option name="height">194</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">small</option>
        <option name="trellis.splitBy">server_name</option>
        <drilldown>
          <set token="selected_value">$trellis.name$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Processes for $selected_value$</title>
      <table>
        <search base="First_Base_Search">
          <query>where server_name == "$selected_value$" | table server_name, process_name | rename server_name AS "Server",process_name AS "Process"</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>
1 Solution

niketn
Legend

@ksextonmacb, change your drilldown value from $trellis.name$ to $trellis.value$

     <drilldown>
       <set token="selected_value">$trellis.value$</set>
     </drilldown>

In simple words $trellis.name$ will pick the name of pie-slice and $trellis.value$ will pick the name of pie chart itself.
Based on example seems like you need Server Name which is the name of Pie Chart, hence it would be accessible via $trellis.value$.
However, in case you need to pass on the pie chart slice name you will have to make tooltip text visible (may be override its size to 0px by 0px), so that $trellis.name$ will be available as predefined token.

alt text

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

christopheryu
Communicator

Thank you for posting answer. As additional question, can I set an initial value for this toke, like all values or "*"?

0 Karma

niketn
Legend

@ksextonmacb, change your drilldown value from $trellis.name$ to $trellis.value$

     <drilldown>
       <set token="selected_value">$trellis.value$</set>
     </drilldown>

In simple words $trellis.name$ will pick the name of pie-slice and $trellis.value$ will pick the name of pie chart itself.
Based on example seems like you need Server Name which is the name of Pie Chart, hence it would be accessible via $trellis.value$.
However, in case you need to pass on the pie chart slice name you will have to make tooltip text visible (may be override its size to 0px by 0px), so that $trellis.name$ will be available as predefined token.

alt text

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ksextonmacb
Path Finder

Thanks for the response.

I only need the name of the pie chart.

Changing the value to $trellis.value$ did not fix the issue. Clicking on a pie chart still doesn't do anything.

I think the issue is in the trellis graph itself not causing the drilldown effect, because since I asked the question I've tried setting/reading junk tokens (just set something to the boolean value true) and the dashboard won't react to those, either.

0 Karma

niketn
Legend

@ksextonmacb, I tried the following run-anywhere search, and the drilldown worked for me just fine.

  <row>
    <panel>
      <title>Dev</title>
      <html>
          <style>
          #dev_trellis .highcharts-tooltip{
            visibility:hidden;
          }
          </style>
       </html>
      <chart id="dev_trellis">
        <search>
          <query>index=_internal sourcetype=splunkd 
| chart count over component by log_level 
| sort - count 
| head 10</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">collapsed</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.showLabels">0</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.fieldColors">{"down":0xFF0000,"up":0x00FF00}</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
        <option name="height">300</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">small</option>
        <option name="trellis.splitBy">component</option>
        <drilldown>
          <set token="selected_value">$trellis.value$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Processes for $selected_value$</title>
      <table>
        <search>
          <query>| makeresults 
| eval SelectedValue="$selected_value$"</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

ksextonmacb
Path Finder

Thanks to your example and on further inspection I am convinced this is a bug in Splunk related to hiding tooltips.

I can put both of these trellis charts on the same dashboard, and yours works somewhat while mine never works.

The difference is that in both, if I leave tooltips on, your trellis has a smaller tooltip than mine. Mine would cover the entire chart, rendering it unclickable. In both charts, there is a deadzone where the tooltip used to be, but your example still has some chart available to click and I can therefore use drilldown.

This is further supported by the cursor changing over to a finger outside of the deadzone, and to an arrow inside of the deadzone in your example chart. In my chart I only ever get the arrow.

I tried setting the tooltip size to 0,0 and Splunk just ignored it and displayed the tooltip anyway.

       #dev_trellis .highcharts-tooltip{
         width:0px;
         height:0px;
       }

What does work is your solution my previous question, with one line added to ignore pointer events.

       #dev_trellis .highcharts-tooltip{
         visibility: hidden;
         pointer-events: none;
       }

Thanks for the all of the help.

0 Karma

niketn
Legend

Following will make entire pie chart clickable since it removes the tooltip text and plots empty svg.

       <style>
         #dev_trellis .highcharts-tooltip{
           visibility:hidden;
           top:-9999px !important;
         }
         #dev_trellis .highcharts-tooltip path{
           d: path('') !important;
         }   
       </style>

Following is the complete code for testing.

<row>  
    <panel>
      <title>Dev</title>
      <html>
           <style>
             #dev_trellis .highcharts-tooltip{
               visibility:hidden;
               top:-9999px !important;
             }
             #dev_trellis .highcharts-tooltip path{
               d: path('') !important;
             }   
           </style>
        </html>
      <chart id="dev_trellis">
        <search>
          <query>index=_internal sourcetype=splunkd 
 | chart count over component by log_level 
 | eval log_level=log_level."(Count=".count
 | sort - count 
 | head 10
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">collapsed</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.showLabels">0</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.fieldColors">{"down":0xFF0000,"up":0x00FF00}</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
        <option name="height">300</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">small</option>
        <option name="trellis.splitBy">component</option>
        <drilldown>
          <set token="selected_value">$trellis.value$</set>
          <set token="selected_name">$trellis.name$</set>
        </drilldown>
      </chart>
    </panel>


    <panel>
      <title>Trellis Tokens: $selected_value$  $selected_name$</title>
      <table>
        <search>
          <query>| makeresults 
 | eval SelectedValue="$selected_value$"
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
</row>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

Trellis tokens do not seem to be available when we use split by field as aggregation. Also somehow without the change in code, when I switched between several visualizations and then came back to pie chart trellis, tokens stopped working. So, try to create a fresh trellis and the tokens should work provided you have split by field name from your query not by aggregation.

Having said this, there is definitely some bug and the same should be reported.

Please check and confirm if your issue of drilldown is resolved as Tooltip related area should not prevent clicking with new CSS.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

@ksextonmacb, please test and accept the answer if this allows you to click anywhere on the chart.

Also tag bug to this question (or a new one) for unexpected behavior with Trellis drilldown tokens when created using aggregate and also drilldown behavior change while switching between visualizations with Trellis. If you have Splunk Entitlement you can bring these to Splunk's Support Team's attention as well.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Tags (1)

ksextonmacb
Path Finder

Thanks for the reminder.

My Splunk server had been down for a long time, but it's back up now and that style change works. Problem solved.

I changed a tag to bug as requested.

I don't know if I have Splunk Entitlement, so I'm presuming I don't.

Thanks for the help.

0 Karma

patmcglone
Engager

@niketnilay

Thanks for the run anywhere example!

I noticed that both closing "query" tags were missing and have added that below:

     <row>  
         <panel>
           <title>Dev</title>
           <html>
                <style>
                  #dev_trellis .highcharts-tooltip{
                    visibility:hidden;
                    top:-9999px !important;
                  }
                  #dev_trellis .highcharts-tooltip path{
                    d: path('') !important;
                  }   
                </style>
             </html>
           <chart id="dev_trellis">
             <search>
               <query>index=_internal sourcetype=splunkd 
      | chart count over component by log_level 
      | eval log_level=log_level."(Count=".count
      | sort - count 
      | head 10
              </query>
               <earliest>-24h</earliest>
               <latest>now</latest>
             </search>
             <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
             <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
             <option name="charting.axisTitleX.visibility">collapsed</option>
             <option name="charting.axisTitleY.visibility">collapsed</option>
             <option name="charting.axisTitleY2.visibility">collapsed</option>
             <option name="charting.axisX.scale">linear</option>
             <option name="charting.axisY.scale">linear</option>
             <option name="charting.axisY2.enabled">0</option>
             <option name="charting.axisY2.scale">inherit</option>
             <option name="charting.chart">pie</option>
             <option name="charting.chart.bubbleMaximumSize">50</option>
             <option name="charting.chart.bubbleMinimumSize">10</option>
             <option name="charting.chart.bubbleSizeBy">area</option>
             <option name="charting.chart.nullValueMode">gaps</option>
             <option name="charting.chart.showDataLabels">none</option>
             <option name="charting.chart.showLabels">0</option>
             <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
             <option name="charting.chart.stackMode">default</option>
             <option name="charting.chart.style">shiny</option>
             <option name="charting.drilldown">all</option>
             <option name="charting.fieldColors">{"down":0xFF0000,"up":0x00FF00}</option>
             <option name="charting.layout.splitSeries">0</option>
             <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
             <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
             <option name="charting.legend.placement">none</option>
             <option name="height">300</option>
             <option name="trellis.enabled">1</option>
             <option name="trellis.scales.shared">1</option>
             <option name="trellis.size">small</option>
             <option name="trellis.splitBy">component</option>
             <drilldown>
               <set token="selected_value">$trellis.value$</set>
               <set token="selected_name">$trellis.name$</set>
             </drilldown>
           </chart>
         </panel>


         <panel>
           <title>Trellis Tokens: $selected_value$  $selected_name$</title>
           <table>
             <search>
               <query>| makeresults 
      | eval SelectedValue="$selected_value$"
             </query>
             </search>
             <option name="count">20</option>
             <option name="dataOverlayMode">none</option>
             <option name="drilldown">none</option>
             <option name="percentagesRow">false</option>
             <option name="rowNumbers">true</option>
             <option name="totalsRow">false</option>
             <option name="wrap">true</option>
           </table>
         </panel>
     </row>

niketn
Legend

@patmcglone, thanks for cleanup. I think somehow the code for <query> tag did not got escaped while posting on Splunk Answers. Do up vote the answer if it has helped in your use case. Thanks again for the correction!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...