
How do I specify a drill down search based on which row is clicked?

Builder

I have a table with 4 rows, each showing a single value result. This table is populated by loading four separate reports via the loadjob and appendpipe commands.

Is there a way that I can write a custom SPL query based on which row the user clicks on? I don't want to load the report. Instead, I'd like to use a specific search to run (so four different searches) depending on which row the user clicks on since the data that populates each report searches different indexes.

The row order is static since it loads specific reports and will always appear in this order. I am open to using CSS, HTML, JS, XML, whatever means is possible to implement this behavior if possible.

TABLE

Report      Count
Report 1    22
Report 2    0
Report 3    10,037
Report 4    719

Re: How do I specify a drill down search based on which row is clicked?

Champion

Re: How do I specify a drill down search based on which row is clicked?

Builder

This helped as I learned about the <link> option from here which ended up being part of my solution.


Re: How do I specify a drill down search based on which row is clicked?

Legend

@DEAD_BEEF I have converted @p_gurav's comment to an answer. Please accept the same to mark this question as answered!




| eval message="Happy Splunking!!!"



Re: How do I specify a drill down search based on which row is clicked?

Legend

@DEAD_BEEF as long as the column name in your table is Report and its values are Report 1, Report 2, Report 3 and Report 4, you can create the following table drilldown to set the token for the required query to run for each Report row being clicked (since you have only described that the index name will be different, I have cooked up a query to illustrate the example).

<drilldown>
  <condition match="$row.Report$==&quot;Report 1&quot;">
    <set token="tokQuery">index="<yourFirstIndexName>" .... <yourRemainingQuery></set>
  </condition>
  <condition match="$row.Report$==&quot;Report 2&quot;">
    <set token="tokQuery">index="<yourSecondIndexName>" .... <yourRemainingQuery></set>
  </condition>
  <condition match="$row.Report$==&quot;Report 3&quot;">
    <set token="tokQuery">index="<yourThirdIndexName>"  .... <yourRemainingQuery></set>
  </condition>
  <condition match="$row.Report$==&quot;Report 4&quot;">
    <set token="tokQuery">index="<yourFourthIndexName>"  .... <yourRemainingQuery></set>
  </condition>
</drilldown>

Following is a run-anywhere example which runs the tstats command on the _internal index instead of loadjob as in your case (to make this run anywhere). Also, instead of running on different indexes, I have used the same _internal index but 4 different sourcetypes. The source table is built using the tstats command and append; on drilldown it runs a query on the specific index (and sourcetype in the example) to fetch the required results. PS: I have also used | head 5 as a common query in the drilldown table; however, the same can also be set in the drilldown token itself. The difference would be that if there is a common section in the query, it would need to be set inside 4 different drilldown <condition>s.

<dashboard>
  <label>Table Drilldown based on row clicked</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| tstats count as Count where index=_internal AND sourcetype=splunk_web_access earliest=-24h@h| eval Report="splunk_web_access"| table Report Count 
| append 
    [| tstats count as Count where index=_internal AND sourcetype=splunkd earliest=-24h@h| eval Report="splunkd"| table Report Count]
| append 
    [| tstats count as Count where index=_internal AND sourcetype=splunkd_ui_access earliest=-24h@h| eval Report="splunkd_ui_access"| table Report Count]
| append 
    [| tstats count as Count where index=_internal AND sourcetype=splunkd_access earliest=-24h@h| eval Report="splunkd_access"| table Report Count]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition match="$row.Report$==&quot;splunk_web_access&quot;">
            <set token="tokQuery">index="_internal" sourcetype="splunk_web_access"</set>
          </condition>
          <condition match="$row.Report$==&quot;splunkd&quot;">
            <set token="tokQuery">index="_internal" sourcetype="splunkd"</set>
          </condition>
          <condition match="$row.Report$==&quot;splunkd_ui_access&quot;">
            <set token="tokQuery">index="_internal" sourcetype="splunkd_ui_access"</set>
          </condition>
          <condition match="$row.Report$==&quot;splunkd_access&quot;">
            <set token="tokQuery">index="_internal" sourcetype="splunkd_access"</set>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Drilldown Table</title>
      <table>
        <title>tokQuery: $tokQuery$</title>
        <search>
          <query>$tokQuery$
| head 5
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>

Please try out and confirm!





Re: How do I specify a drill down search based on which row is clicked?

Builder

Hi @niketnilay, I really appreciate the full example that you included! I added the drilldown syntax after the <option name=... but how do I make it "clickable" to run these searches when the user clicks that specific row? I see how when you match on the report name, you can specify the SPL query, but after I did that it is only setting the token. How do I get it to execute the search on click?


Re: How do I specify a drill down search based on which row is clicked?

Legend

@DEAD_BEEF the token is then used in the drilldown table query

<query>$tokQuery$
 | head 5
</query>

The Run anywhere example should run as a new dashboard. Have you tried running the code to see how it works?





Re: How do I specify a drill down search based on which row is clicked?

Builder

@niketnilay yes, I ran this and while it's nice to click and then run in another panel, I needed the click itself to open a new browser window with a custom search. Nonetheless, my final solution involved using your match condition with a link to make it work as intended. Thank you for the assistance.


Re: How do I specify a drill down search based on which row is clicked?

Builder

Here was the final solution, partially contributed by @niketnilay (condition match) and @p_gurav (<link>)

<row>
    <panel>
        <title>New Window on Click</title>
        <table>
            <search>
                <query>| loadjob savedsearch="dead_beef:my_app:Report_1"
                    | eval report="Report 1"
                    | appendpipe
                    [| loadjob savedsearch="dead_beef:my_app:Report_2"
                    | eval report="Report 2"]
                    | appendpipe
                    [| loadjob savedsearch="dead_beef:my_app:Report_3"
                    | eval report="Report 3"]
                    | appendpipe
                    [| loadjob savedsearch="dead_beef:my_app:Report_4"
                    | eval report="Report 4"]
                    | rename report AS Report count AS Count
                    | table Report Count</query>
                <earliest>-1d@d</earliest>
                <latest>@d</latest>
                <sampleRatio>1</sampleRatio>
            </search>
            <drilldown>
                <condition match="$row.Report$==&quot;Report 1&quot;">
                    <link target="_blank">https://mysplunk.com/en-US/app/my_appp/search?q=search index=a earliest=-1d@d latest=@d</link>
                </condition>
                <condition match="$row.Report$==&quot;Report 2&quot;">
                    <link target="_blank">https://mysplunk.com/en-US/app/my_appp/search?q=search index=b earliest=-1d@d latest=@d</link>
                </condition>
                <condition match="$row.Report$==&quot;Report 3&quot;">
                    <link target="_blank">https://mysplunk.com/en-US/app/my_appp/search?q=search index=c earliest=-1d@d latest=@d</link>
                </condition>
                <condition match="$row.Report$==&quot;Report 4&quot;">
                    <link target="_blank">https://mysplunk.com/en-US/app/my_appp/search?q=search index=d earliest=-1d@d latest=@d</link>
                </condition>
            </drilldown>
        </table>
    </panel>
</row>

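As an added example (not code from any poster in this thread): a Python generator for the <condition>/<link> drilldown used in the final solution, which percent-encodes the SPL and time range in the search URL and XML-escapes the result, so a query containing |, &, > or quotes still yields well-formed Simple XML. The base URL, index names and the Report 3 query are constructed sample values, and search_url and build_drilldown are hypothetical helper names.

```python
from urllib.parse import quote
from xml.sax.saxutils import escape

# Constructed sample values modelled on the thread's placeholders (assumptions).
BASE_URL = "https://mysplunk.com/en-US/app/my_app/search"
REPORT_QUERIES = {
    "Report 1": "search index=a",
    "Report 2": "search index=b",
    "Report 3": 'search index=c | where status>=500 AND uri="/a&b"',
    "Report 4": "search index=d",
}


def search_url(base_url, spl, earliest, latest):
    """Percent-encode each value so spaces, '=', '|', '&' and '$' survive the URL."""
    params = (("q", spl), ("earliest", earliest), ("latest", latest))
    return base_url + "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in params)


def build_drilldown(base_url, report_queries, earliest, latest, field="Report"):
    """Return a <drilldown> element with one <condition>/<link> per fixed row label."""
    lines = ["<drilldown>"]
    for label, spl in report_queries.items():
        # The label lands inside a quoted string in the match expression,
        # so a quote or a token delimiter in it would change the expression.
        if '"' in label or "$" in label:
            raise ValueError(f"unsupported character in row label: {label!r}")
        match = escape(f'$row.{field}$=="{label}"', {'"': "&quot;"})
        # '&' between URL parameters must become '&amp;' inside XML text.
        url = escape(search_url(base_url, spl, earliest, latest))
        lines += [
            f'  <condition match="{match}">',
            f'    <link target="_blank">{url}</link>',
            "  </condition>",
        ]
    lines.append("</drilldown>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_drilldown(BASE_URL, REPORT_QUERIES, "-1d@d", "@d"))
```

Because the row label only selects among fixed, pre-written searches, nothing the user clicks is ever spliced into the SPL itself.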