Dashboards & Visualizations

How do I make a Drill Down Details when click from bar chart or legend to see each details?

matoulas
Path Finder

I have a serach query as below the bar chart working great as expected.

siteid=* location=*
| foreach powerdata{}.plug*{}.* [ eval eachplug<> = mvappend(eachplug<>, "<>=" . '<>') | fields - <> ]
| foreach eachplug* [ nomv <> | eval allplugs = mvappend(allplugs, "plug=<>, " . <>) | fields - <> ]
| mvexpand allplugs
| rename allplugs AS _raw
| kv
| timechart limit=0 max(current) AS max_current BY plugname

alt text

In addition, next step I would like to be able to click on individual plug name on the bar chart or from the legend label for the drill down details. As of now when I click it. It said no result found. Please I really need help and thank you in advance.

Tags (1)
0 Karma

matoulas
Path Finder

Hi,

Just want to follow up on my case. Did anyone have any idea on how to apply the drill down method on my case? I really need help. Thanks

0 Karma

matoulas
Path Finder

If I used this method my drill down is working as expected

This is the drill down serach quey

| search sourcetype="powerdata", location="$location$", siteid="$siteid$" | timechart max("powerdata{}.$click.name2${}.current") as current by powerdata{}.$click.name2${}.plugname&display.general.type=visualizations

alt text

What I want is to make the drill down work with the plugname on the legend as the below search query

This is my search query

siteid= location=
| foreach powerdata{}.plug*{}. [ eval eachplug<> = mvappend(eachplug<>, "<>=" . '<>') | fields - <> ]
| foreach eachplug [ nomv <> | eval allplugs = mvappend(allplugs, "plug=<>, " . <>) | fields - <> ]
| mvexpand allplugs
| rename allplugs AS _raw
| kv
| timechart limit=0 max(current) AS max_current BY plugname

I need to used this method and how do I apply this method for the drill down?

alt text

0 Karma

niketn
Legend

@matoulas if you want chart drilldown to pick up legend value then you actually need to pick the values of the split-by field which is plugname as per your question. You can use $click.name2$ to access column name form the timechart.

    <drilldown>
      <set token="tokPlugName">$click.name2$</set>
    </drilldown>

Following is a run anywhere example based on Splunk's _internal index which renames component as plugname to mimic the drilldown scenario you have requested.

alt text
In the screenshot when HttpListener is clicked in the main timechart, it shows the trending in subsequent timechart only for the clicked Legend. PS: depends token has been used to keep the drilldown chart hidden until a legend in the main chart is clicked.

<dashboard>
  <label>Timechart drilldown by splitby field</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO 
| rename component as plugname 
| timechart limit=0 useother=false count by plugname</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <drilldown>
          <set token="tokPlugName">$click.name2$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row depends="$tokPlugName$">
    <panel>
      <title>Trending for $tokPlugName$</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO 
| rename component as plugname 
| search plugname=$tokPlugName|s$
| timechart count</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

Refer to Splunk Documentation to understand various drilldown tokens available for different visualizations: https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#chart_2

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

matoulas
Path Finder

Hi,

Just want to follow up on my case. Do you have any idea on how to apply the drill down method on my case?

0 Karma

matoulas
Path Finder

In my case for the drill down, how do I define the plugname to match the exact plug when click on the legend or bar chart. I try to used your method as of now when I click on the legend it's only know the plugname, but didn't know which plugname belong to the exact plug in JSON. See below link is my raw JSON that sent to Splunk. I really need help to make it work for my case of the drill down.

https://answers.splunk.com/answers/757905/how-to-rename-label-in-splunk-legend-that-not-effe.html

0 Karma

matoulas
Path Finder

Hi,

Just want to follow up any idea on how to apply the drill down in my case. I really need help to get this to work.

0 Karma

woodcock
Esteemed Legend

Here is some good documentation on this.

https://docs.splunk.com/Documentation/Splunk/8.0.1/Viz/DrilldownLinkToSearch

Basically, you will need to add a tag to your xml, something like this

<drilldown target="_blank">
   <link><![CDATA[
      /app/search/search?q=search|makeresults|eval "click.name"="$click.name$", "click2.name"="$click2.name$", "click.value"="$click.value$", "click.value2"="$click.value2$"
   ]]></link>
</drilldown>
0 Karma

matoulas
Path Finder

Based on the above search query in my case. How would I do it for the drill down? I've try but doesn't work the way it supposed. Can you please help?

See a link for JSON raw data that send to splunk

https://answers.splunk.com/answers/757905/how-to-rename-label-in-splunk-legend-that-not-effe.html

0 Karma

matoulas
Path Finder

Hi, I'm still need your help to apply this drill down in my case. I still don't know how to do it.

0 Karma
Get Updates on the Splunk Community!

Cloud Platform | Customer Change Announcement: Email Notification Will Be Available ...

The Notification Team is migrating our email service provider since currently there’s no support ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...