Dashboards & Visualizations

How can use to post process to drill down ?

Motivator

Hi..

I have a base search query from which i am taking results to a postprocess module 1 and plotting a graph now on clickin on the clicking the graph , i am passing the values of the clicked on graph to other post process module 2.

can you please help in this..my code snippnet used is

<module name="Search" layoutPanel="viewHeader" autoRun="False">
    <param name="search">index="mysearch" ( "Request" OR "response" ) | stats count by UniqueId,Channel,ChannelName</param>
        <module name="PostProcess">
        <param name="search">| stats count by Channel</param>
        <module name="HiddenChartFormatter" layoutPanel="panel_row2_col1_grp1">
            <param name="charting.chart">bar</param>
            <param name="charting.secondaryAxisTitle.text">Request Count</param>
            <param name="charting.legend.placement">right</param>
            <param name="charting.primaryAxisTitle.text">Channel</param>
            <module name="JobProgressIndicator"/>
            <module name="FlashChart">
                <param name="drilldownPrefix">click1</param>
                <param name="width">100%</param>
                <param name="height">300px</param>
                <param name="enableResize">False</param>
                <module name="PostProcess">
                    <param name="search">| search Channel="$channel$" |stats count by UniqueId,ChannelName</param>
                    <module name="ConvertToIntention">
                        <param name="intention">
                            <param name="flags">
                                <item>indexed</item>
                            </param>
                            <param name="name">stringreplace</param>
                    <param name="arg">
<param name="channel">
                        <param name="value">$click1.value$</param>
                                </param>
                            </param>
                        </param>
                    <module name="SimpleResultsTable" layoutPanel="panel_row2_col1_grp1">
                            <param name="count">300</param>
                            <param name="displayMenu">True</param>
                            <param name="drilldown">none</param>
                            <param name="displayRowNumbers">true</param>
                        </module>

                    </module>
                </module>
            </module>
        </module>
    </module>
</module>

Please help me !!

Tags (2)

SplunkTrust
SplunkTrust

Since you're using the Sideview PostProcess module, then you don't need that ConvertToIntention module at all. Delete that ConvertToIntention module and just do this right in the Sideview PostProcess module:

<param name="search">| search Channel="$click1.value$" |stats count by UniqueId,ChannelName</param>

You can also use the Sideview Pager module instead of Paginator, and Pager works with postProcess searches (in that it draws the correct number of page links so as to account for the postprocess search whereas the Paginator does not), so you can safely page your SimpleResultsTable then.

So your whole drilldown config then becomes.

<module name="PostProcess">
  <param name="search">| search Channel="$click1.value$" |stats count by UniqueId,ChannelName</param>
  <module name="Pager" layoutPanel="panel_row2_col1_grp1">
    <module name="SimpleResultsTable">
      <param name="count">300</param>
      <param name="displayMenu">True</param>
      <param name="drilldown">none</param>
      <param name="displayRowNumbers">true</param>
    </module>
  </module>
</module>

Splunk Employee
Splunk Employee

Try this dashboard out. I did not use PostProcess so if that is necessary it could add another level of complexity.

Try this code out first and then switch in your stats arguements.

   <view autoCancelInterval="90" isVisible="true" onunloadCancelJobs="true" template="dashboard.html" isSticky="False">
  <label>drilldown dashboard</label>
  <module name="AccountBar" layoutPanel="appHeader" />
  <module name="AppBar" layoutPanel="appHeader" />      
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="maxSize">2</param>
    <param name="clearOnJobDispatch">False</param>
  </module>
   <module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
    <param name="search">
        index=_internal sourcetype="splunk_web_access" | stats count by status
    </param>
    <param name="earliest">-1h</param>

    <module name="HiddenChartFormatter">
      <param name="charting.chart">bar</param>
      <param name="charting.primaryAxisTitle.text">Sourcetype</param>
      <param name="charting.secondaryAxisTitle.text">KB Indexed</param>
      <param name="charting.legend.placement">none</param>
      <module name="JobProgressIndicator"/>

      <!-- The JSChart containing drilldowns -->
      <module name="JSChart">
        <param name="width">100%</param>
        <param name="height">160px</param>
        <module name="ConvertToIntention">
            <param name="intention">
              <param name="name">addterm</param>
              <param name="arg">
                <param name="status">$click.value$</param>
            </param>
            <param name="flags"><list>indexed</list></param>
            </param>

        <!-- Swap out the search to a timechart.  -->
        <module name="HiddenSearch">
          <param name="search">
             index=_internal sourcetype="splunk_web_access" | stats count by uri_path, user
          </param>
        <param name="earliest">-1h</param>
          <!-- 
            Grab the value clicked on and put it in a searchterm: series="someSourcetype".
          -->

            <module name="JobProgressIndicator"></module>

            <!-- Throw in a header so the user sees what they clicked. -->
            <module name="SimpleResultsHeader">
              <param name="entityName">results</param>
              <param name="headerFormat">Click value = $click.value$ $time$</param>
            </module> <!-- SimpleResultsHeader -->
            <module name="Paginator">
              <param name="entityName">results</param>
              <param name="maxPages">10</param>

              <module name="SimpleResultsTable">
                <param name="entityName">results</param>
              </module> 
          </module>
          </module> 
        </module> 
      </module> 
    </module> 
  </module> 

</view>
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!