Dashboards & Visualizations

How do I specify a drill down search based on which row is clicked?

DEAD_BEEF
Builder

I have a table with 4 rows, each showing a single value result. This table is populated by loading four separate reports via the loadjob and appendpipe commands.

Is there a way that I can write a custom SPL query based on which row the user clicks on? I don't want to load the report. Instead, I'd like to use a specific search to run (so four different searches) depending on which row the user clicks on since the data that populates each report searches different indexes.

The row order is static since it loads specific reports and will always appear in this order. I am open to using CSS, HTML, JS, XML, whatever means is possible to implement this behavior if possible.

TABLE

Report      Count
Report 1    22
Report 2    0
Report 3    10,037
Report 4    719
0 Karma
1 Solution

DEAD_BEEF
Builder

Here was the final solution, partially contributed by @niketnilay (condition match) and @p_gurav (<link>):

<row>
    <panel>
        <title>New Window on Click</title>
        <table>
            <search>
                <query>| loadjob savedsearch="dead_beef:my_app:Report_1"
                    | eval report="Report 1"
                    | appendpipe
                    [| loadjob savedsearch="dead_beef:my_app:Report_2"
                    | eval report="Report 2"]
                    | appendpipe
                    [| loadjob savedsearch="dead_beef:my_app:Report_3"
                    | eval report="Report 3"]
                    | appendpipe
                    [| loadjob savedsearch="dead_beef:my_app:Report_4"
                    | eval report="Report 4"]
                    | rename report AS Report count AS Count
                    | table Report Count</query>
                <earliest>-1d@d</earliest>
                <latest>@d</latest>
                <sampleRatio>1</sampleRatio>
            </search>
            <drilldown>
                <condition match="$row.Report$==&quot;Report 1&quot;">
                    <link target="_blank">https://mysplunk.com/en-US/app/my_appp/search?q=search index=a earliest=-1d@d latest=@d</link>
                </condition>
                <condition match="$row.Report$==&quot;Report 2&quot;">
                    <link target="_blank">https://mysplunk.com/en-US/app/my_appp/search?q=search index=b earliest=-1d@d latest=@d</link>
                </condition>
                <condition match="$row.Report$==&quot;Report 3&quot;">
                    <link target="_blank">https://mysplunk.com/en-US/app/my_appp/search?q=search index=c earliest=-1d@d latest=@d</link>
                </condition>
                <condition match="$row.Report$==&quot;Report 4&quot;">
                    <link target="_blank">https://mysplunk.com/en-US/app/my_appp/search?q=search index=d earliest=-1d@d latest=@d</link>
                </condition>
            </drilldown>
        </table>
    </panel>
</row>

0 Karma
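Added example, not code from the thread: a small Python generator that emits the same per-row `<drilldown>` block from a report-to-index mapping. It percent-encodes the SPL in each `<link>` (the accepted answer pastes `q=search index=a earliest=-1d@d` with raw spaces and `@`) and rejects index names that are not plain identifiers, so a stray character in the dashboard cannot turn one row's search into something else. The Splunk host and app path are hypothetical placeholders.

```python
"""Generate the per-row <drilldown> block for a Splunk Simple XML table.

Builds one <condition match="$row.Report$==&quot;...&quot;"> per report, each
with a <link target="_blank"> to /search whose q= parameter is URL-encoded.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Hypothetical placeholders for the thread's Splunk host and app.
SPLUNK_BASE = "https://mysplunk.com/en-US/app/my_app/search"

# Report label shown in the table -> index the clicked row should search
# (constructed mapping mirroring the four rows in the question).
REPORT_INDEX = {"Report 1": "a", "Report 2": "b", "Report 3": "c", "Report 4": "d"}

# Accept only plain index names: letters, digits, underscore, hyphen.
INDEX_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def search_url(index: str, earliest: str = "-1d@d", latest: str = "@d") -> str:
    """Return the /search URL for one row with the SPL percent-encoded in q=."""
    if not INDEX_NAME.match(index):
        raise ValueError(f"refusing unexpected index name: {index!r}")
    # Same SPL as the thread's <link>, only encoded so ' ', '=' and '@' survive.
    spl = f"search index={index} earliest={earliest} latest={latest}"
    return SPLUNK_BASE + "?" + urlencode({"q": spl})


def build_drilldown(report_index: dict) -> ET.Element:
    """Build <drilldown> with one <condition> + <link> per report row."""
    drilldown = ET.Element("drilldown")
    for report, index in report_index.items():
        # ElementTree escapes the inner double quotes to &quot;, as in the thread.
        cond = ET.SubElement(drilldown, "condition", match=f'$row.Report$=="{report}"')
        link = ET.SubElement(cond, "link", target="_blank")
        link.text = search_url(index)
    return drilldown


def drilldown_xml(report_index: dict = REPORT_INDEX) -> str:
    """Serialize the generated <drilldown> block as a Simple XML string."""
    return ET.tostring(build_drilldown(report_index), encoding="unicode")


if __name__ == "__main__":
    print(drilldown_xml())
```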


niketnilay
Legend

@DEAD_BEEF as long as the column name in your table is Report and its values are Report 1, Report 2, Report 3 and Report 4, you can create the following table drilldown to set the token for the required query to run for each Report row being clicked (since you have only described that the index name will be different, I have cooked up a query to illustrate the example).

<drilldown>
  <condition match="$row.Report$==&quot;Report 1&quot;">
    <set token="tokQuery">index="<yourFirstIndexName>" .... <yourRemainingQuery></set>
  </condition>
  <condition match="$row.Report$==&quot;Report 2&quot;">
    <set token="tokQuery">index="<yourSecondIndexName>" .... <yourRemainingQuery></set>
  </condition>
  <condition match="$row.Report$==&quot;Report 3&quot;">
    <set token="tokQuery">index="<yourThirdIndexName>"  .... <yourRemainingQuery></set>
  </condition>
  <condition match="$row.Report$==&quot;Report 4&quot;">
    <set token="tokQuery">index="<yourFourthIndexName>"  .... <yourRemainingQuery></set>
  </condition>
</drilldown>

Following is a run-anywhere example which runs the tstats command on the _internal index instead of loadjob in your case (to make this run anywhere). Also, instead of running on different indexes, I have used the same _internal index but 4 different sourcetypes. The source table is built using the tstats command and append. On drilldown it runs a query on a specific index (and sourcetype in the example) to fetch the required results. PS: I have also used | head 5 as a common query in the drilldown table; however, the same can also be set in the drilldown token itself. The difference would be that if there is a common section in the query, it would need to be set inside 4 different drilldown <condition>s.

<dashboard>
  <label>Table Drilldown based on row clicked</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| tstats count as Count where index=_internal AND sourcetype=splunk_web_access earliest=-24h@h| eval Report="splunk_web_access"| table Report Count 
| append 
    [| tstats count as Count where index=_internal AND sourcetype=splunkd earliest=-24h@h| eval Report="splunkd"| table Report Count]
| append 
    [| tstats count as Count where index=_internal AND sourcetype=splunkd_ui_access earliest=-24h@h| eval Report="splunkd_ui_access"| table Report Count]
| append 
    [| tstats count as Count where index=_internal AND sourcetype=splunkd_access earliest=-24h@h| eval Report="splunkd_access"| table Report Count]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition match="$row.Report$==&quot;splunk_web_access&quot;">
            <set token="tokQuery">index="_internal" sourcetype="splunk_web_access"</set>
          </condition>
          <condition match="$row.Report$==&quot;splunkd&quot;">
            <set token="tokQuery">index="_internal" sourcetype="splunkd"</set>
          </condition>
          <condition match="$row.Report$==&quot;splunkd_ui_access&quot;">
            <set token="tokQuery">index="_internal" sourcetype="splunkd_ui_access"</set>
          </condition>
          <condition match="$row.Report$==&quot;splunkd_access&quot;">
            <set token="tokQuery">index="_internal" sourcetype="splunkd_access"</set>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Drilldown Table</title>
      <table>
        <title>tokQuery: $tokQuery$</title>
        <search>
          <query>$tokQuery$
| head 5
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

DEAD_BEEF
Builder

Hi @niketnilay, I really appreciate the full example that you included! I added the drilldown syntax after the <option name=... but how do I make it "clickable" to run these searches when the user clicks that specific row? I see how when you match on the report name, you can specify the SPL query, but after I did that it is only setting the token. How do I get it to execute the search on click?

0 Karma

niketnilay
Legend

@DEAD_BEEF the token is then used in the drilldown table query:

<query>$tokQuery$
 | head 5
</query>

The run-anywhere example should run as a new dashboard. Have you tried running the code to see how it works?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

DEAD_BEEF
Builder

@niketnilay yes, I ran this and while it's nice to click and then run in another panel, I needed the click itself to open a new browser window with a custom search. Nonetheless, my final solution involved using your match condition with a link to make it work as intended. Thank you for the assistance.

0 Karma

p_gurav
Champion
0 Karma

DEAD_BEEF
Builder

This helped as I learned about the <link> option from here which ended up being part of my solution.

0 Karma

niketnilay
Legend

@DEAD_BEEF I have converted @p_gurav 's comment to answer. Please accept the same to mark this question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma