Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I display the collection of events (as a drill down) present inside a transaction by clicking on the row (transaction table) in the main dashboard.

pkol
Explorer
‎08-25-2019 06:16 PM

I want to display all the events present inside a transaction on the main dashboard by clicking on the transaction row in the table , but I am not able to return that specific transaction events and instead returning all the transactions related to that source.

So essentially, I need to see all the events present inside the clicked row (transactions) in the form of a drill down of events.
Can someone point me in the right direction please.
Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-25-2019 11:35 PM

Hi pkol,
could you share your search?
Anyway, I suggest to create two panels in a dashboard, in the main panel you insert your search.
Then you can pass as token/s the field/s you used to create your transaction to the secondary panel and display the events that are in the transaction.
To know how to pass a token from a panel to another in the same dashboard, see the Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ).

Anyway, if you created your transaction using a field as transaction id, I suggest to explore a different approach because the transaction command is very slow!
e.g. if you have something like this

index=my_index
| transaction trans_id
| table _time trans_id field1 field2

you can change in

index=my_index
| stats earliest(_time) AS _time values(field1) AS field1 values(field2) AS field2 count BY trans_id

that is very faster than the other.

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-25-2019 11:35 PM

Hi pkol,
could you share your search?
Anyway, I suggest to create two panels in a dashboard, in the main panel you insert your search.
Then you can pass as token/s the field/s you used to create your transaction to the secondary panel and display the events that are in the transaction.
To know how to pass a token from a panel to another in the same dashboard, see the Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ).

Anyway, if you created your transaction using a field as transaction id, I suggest to explore a different approach because the transaction command is very slow!
e.g. if you have something like this

index=my_index
| transaction trans_id
| table _time trans_id field1 field2

you can change in

index=my_index
| stats earliest(_time) AS _time values(field1) AS field1 values(field2) AS field2 count BY trans_id

that is very faster than the other.

Bye.
Giuseppe

Reply
Solved! Jump to solution

pkol
Explorer
‎08-26-2019 04:43 PM

THANK YOU , I FIGURED IT OUT!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...