I have a serach query as below the bar chart working great as expected.
siteid=* location=*
| foreach powerdata{}.plug*{}.* [ eval eachplug<> = mvappend(eachplug<>, "<>=" . '<>') | fields - <> ]
| foreach eachplug* [ nomv <> | eval allplugs = mvappend(allplugs, "plug=<>, " . <>) | fields - <> ]
| mvexpand allplugs
| rename allplugs AS _raw
| kv
| timechart limit=0 max(current) AS max_current BY plugname
In addition, next step I would like to be able to click on individual plug name on the bar chart or from the legend label for the drill down details. As of now when I click it. It said no result found. Please I really need help and thank you in advance.
Hi,
Just want to follow up on my case. Did anyone have any idea on how to apply the drill down method on my case? I really need help. Thanks
If I used this method my drill down is working as expected
This is the drill down serach quey
| search sourcetype="powerdata", location="$location$", siteid="$siteid$" | timechart max("powerdata{}.$click.name2${}.current") as current by powerdata{}.$click.name2${}.plugname&display.general.type=visualizations
What I want is to make the drill down work with the plugname on the legend as the below search query
This is my search query
siteid= location=
| foreach powerdata{}.plug*{}. [ eval eachplug<> = mvappend(eachplug<>, "<>=" . '<>') | fields - <> ]
| foreach eachplug [ nomv <> | eval allplugs = mvappend(allplugs, "plug=<>, " . <>) | fields - <> ]
| mvexpand allplugs
| rename allplugs AS _raw
| kv
| timechart limit=0 max(current) AS max_current BY plugname
I need to used this method and how do I apply this method for the drill down?
@matoulas if you want chart drilldown to pick up legend value then you actually need to pick the values of the split-by field which is plugname as per your question. You can use $click.name2$
to access column name form the timechart.
<drilldown>
<set token="tokPlugName">$click.name2$</set>
</drilldown>
Following is a run anywhere example based on Splunk's _internal index which renames component
as plugname
to mimic the drilldown scenario you have requested.
In the screenshot when HttpListener is clicked in the main timechart, it shows the trending in subsequent timechart only for the clicked Legend. PS: depends
token has been used to keep the drilldown chart hidden until a legend in the main chart is clicked.
<dashboard>
<label>Timechart drilldown by splitby field</label>
<row>
<panel>
<chart>
<search>
<query>index=_internal sourcetype=splunkd log_level!=INFO
| rename component as plugname
| timechart limit=0 useother=false count by plugname</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">log</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<drilldown>
<set token="tokPlugName">$click.name2$</set>
</drilldown>
</chart>
</panel>
</row>
<row depends="$tokPlugName$">
<panel>
<title>Trending for $tokPlugName$</title>
<chart>
<search>
<query>index=_internal sourcetype=splunkd log_level!=INFO
| rename component as plugname
| search plugname=$tokPlugName|s$
| timechart count</query>
</search>
<option name="charting.chart">line</option>
</chart>
</panel>
</row>
</dashboard>
Refer to Splunk Documentation to understand various drilldown tokens available for different visualizations: https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#chart_2
Hi,
Just want to follow up on my case. Do you have any idea on how to apply the drill down method on my case?
In my case for the drill down, how do I define the plugname to match the exact plug when click on the legend or bar chart. I try to used your method as of now when I click on the legend it's only know the plugname, but didn't know which plugname belong to the exact plug in JSON. See below link is my raw JSON that sent to Splunk. I really need help to make it work for my case of the drill down.
https://answers.splunk.com/answers/757905/how-to-rename-label-in-splunk-legend-that-not-effe.html
Hi,
Just want to follow up any idea on how to apply the drill down in my case. I really need help to get this to work.
Here is some good documentation on this.
https://docs.splunk.com/Documentation/Splunk/8.0.1/Viz/DrilldownLinkToSearch
Basically, you will need to add a tag to your xml, something like this
<drilldown target="_blank">
<link><![CDATA[
/app/search/search?q=search|makeresults|eval "click.name"="$click.name$", "click2.name"="$click2.name$", "click.value"="$click.value$", "click.value2"="$click.value2$"
]]></link>
</drilldown>
Based on the above search query in my case. How would I do it for the drill down? I've try but doesn't work the way it supposed. Can you please help?
See a link for JSON raw data that send to splunk
https://answers.splunk.com/answers/757905/how-to-rename-label-in-splunk-legend-that-not-effe.html
Hi, I'm still need your help to apply this drill down in my case. I still don't know how to do it.