Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How could I pass different search commands to different cells at one row using drilldown on dashboard?

Jennifer
Path Finder
‎01-28-2022 12:34 AM

Hi, all!

I am very confused with drilldown right now. I hope to set three different search commands to three columns on the table using drilldown!

But right now, when I click one of these cells, it will jump to one result. I don't know how I could edit the simple XML to feed the requirements.

Jennifer_0-1643358661000.png

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-28-2022 01:25 AM

 

 

You can have conditions in your drilldown so you could have different drilldowns depending on which column is clicked

 

<drilldown>
<condition field="Appl.log">
<link target="_blank">search?q=index=%22hkcivr%22%20source=%22/appvol/wlp/DIVR01HK-AS01/applogs/Appl.log*%22%20$click.value2$&amp;earliest=0&amp;latest=</link>
</condition>
<condition field="Mi.log">
<link target="_blank">search?q=index=%22hkcivr%22%20source=%22/appvol/wlp/DIVR01HK-AS01/applogs/Mi.log*%22%20$click.value2$&amp;earliest=0&amp;latest=</link>
</condition>
</drilldown>

 

This relies on knowing what the columns will be called so you may need to modify your search query to fix the names e.g. using rename

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-28-2022 01:25 AM

 

 

You can have conditions in your drilldown so you could have different drilldowns depending on which column is clicked

 

<drilldown>
<condition field="Appl.log">
<link target="_blank">search?q=index=%22hkcivr%22%20source=%22/appvol/wlp/DIVR01HK-AS01/applogs/Appl.log*%22%20$click.value2$&amp;earliest=0&amp;latest=</link>
</condition>
<condition field="Mi.log">
<link target="_blank">search?q=index=%22hkcivr%22%20source=%22/appvol/wlp/DIVR01HK-AS01/applogs/Mi.log*%22%20$click.value2$&amp;earliest=0&amp;latest=</link>
</condition>
</drilldown>

 

This relies on knowing what the columns will be called so you may need to modify your search query to fix the names e.g. using rename

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-28-2022 12:54 AM

Hi @Jennifer,

when you create a drilldown, you can pass more parameters clicking on one row, e.g. if you want to pass both "Appl.log" and Mi.log" values, you can insert in your drilldown bothe the fields, you can do this via gui or via source.

via source, you'll have something like this:

<drilldown>
   <link target="_blank">/app/your_app/secondary_dashboard?Appl_log=$row.Appl.log$&amp;Mi_log=$row.Mi.log$</link>
</drilldown>

An example of this approach is time period: usually in drilldown you should pass also the time period of the main search, so if your Time Picker token is called "Time", you should also pass "$Time.earliest$" and "$Time.latest$", something like this:

<drilldown>
   <link target="_blank">/app/your_app/secondary_dashboard?Appl_log=$row.Appl.log$&amp;Mi_log=$row.Mi.log$&amp;earliest=$Time.earliest$&amp;latest=$Time.latest$</link>
</drilldown>

Beware: It isn't a good idea to use spaces or dots or parenthesis in the field names.

Ciao.

Giuseppe

 

Reply
Solved! Jump to solution

Jennifer
Path Finder
‎01-28-2022 01:01 AM

Hi, Giuseppe!

Thanks a lot!

Here's the original source XML:

<drilldown>
<link target="_blank">search?q=index=%22hkcivr%22%20source=%22/appvol/wlp/DIVR01HK-AS01/applogs/progresshk.log*%22%20$click.value2$&amp;earliest=0&amp;latest=</link>
</drilldown>

I don't know how to edit it as you suggested!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-28-2022 01:14 AM

Hi @Jennifer,

I suppose that in your use case the secondary dashboard is the Search dashboard, I usually prefer creating a new dashboard with many panels containing the search instead the search form, to have an higher control on results and give to users an easier interface.

Anyway, in your case to pass Appl.log and Mi.log values to the search, try something like this:

<drilldown>
   <link target="_blank">search?q=index=%22hkcivr%22%20source=%22/appvol/wlp/DIVR01HK-AS01/applogs/progresshk.log*%22&amp;Appl.log=%22$row.Appl.log$%22&amp;Mi.log=%22$row.Mi.log$%22&amp;earliest=0&amp;latest=</link>
</drilldown>

I'm not sure that it can run for the dot in the field names, but you can do the same thing using the GUI to be sure to avoid errors (e.g. forgetting "&amp;").

The only thing to consider is using $row.fieldname$ instead "$click.value2$", this is more useful for drilldown from a chart.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Jennifer
Path Finder
‎01-28-2022 01:28 AM

Hi, Giuseppe!

It still doesn't work well! 

When I click on the column of appl.log* and mi.log*, it will still to the same search as the search of column of progresshk.log* .

Basically, clicking on the whole row, it will come to the same result!

Jennifer_0-1643361951128.png

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-28-2022 01:44 AM

Hi @Jennifer,

sorry, I misundrstood your need, the solution is the one suggested by @ITWhisperer did you tried it?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...