I've got a dashboard that's parsing logs to show the latest status of a rundeck job completion for multiple executions. As part of that query I've identified a field for the rundeck_job_id that's the ID of each of these jobs.
It looks like I can use Drilldown to link to a custom URL, which I would like to be https://rundeck.server/project/Project_Name/execution/show/$rundeck_job_id$. Ideally this would let users find their running/failed/etc job in the table, then click to go to the URL that corresponds to their execution.
Problem is, I can't seem to get the drilldown to evaluate tokens, or I'm not setting those up correctly. I've tried $row.rundeck_job_id$ and I've tried setting this token in various places in the dashboard, but that doesn't seem to work. It seems to be evaluating $rundeck_job_id$ or $row.rundeck_job_id$ literally and going to a broken page.
The problem is that you don't have the rundeck_job_id field in your results so you cannot use it in any drilldown.
<query>
index=* sourcetype=rundeck* source=*execution* "Deploy Full"
| eval latest_update=strftime(_time, "%d %b %H:%M")
|rex field=_raw "\[(?<rundeck_job_id>\d{8,})"
|table environment,deploy_job_status,latest_update,json
| dedup environment sortby -latest_update
</query>
Your table statement means that field is no longer there.
The way you have to do this if you don't want to show the id in the table is to INCLUDE the field in the table statement
|table environment,deploy_job_status,latest_update,json rundeck_job_id
but then use the fields statement in the XML to only render those fields you want, like this.
<fields>"environment","deploy_job_status","latest_update","json"</fields>
then your drilldown will work as expected.
<drilldown>
<eval token=$row.rundeck_job_id$>
<link target="_blank">https://rundeck.server/project/Project_Name/execution/show/$token$</link>
</drilldown>
Have you tried something like this?
It seems to think that's an invalid call without quotes. Even when I close the <eval> </eval> and do it more like https://docs.splunk.com/Documentation/Splunk/8.1.2/Viz/PanelreferenceforSimplifiedXML#eval.2C_link.2... it still only seems to take the token literally. I tried setting the eval token both in the drilldown and in the search blocks just in case.
Please post your XML showing the drilldown setup, but here's an example of a dashboard that works, which should help you.
<dashboard>
<label>Jobs</label>
<row>
<panel>
<table>
<search>
<query>| makeresults
| eval rundeck_job_id=split("job_id_1,job_id_2",",")
| mvexpand rundeck_job_id
</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<drilldown>
<link target="_blank">https://rundeck.server/project/Project_Name/execution/show/$row.rundeck_job_id$</link>
</drilldown>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</dashboard>
This is basically what our dashboard XML looks like. I'm starting to wonder if the problem is related to the rundeck_job_id field being a rex _raw field in the query? We recently had to change the search since logging changed; rundeck_job_id was not previously being pulled out with a rex but was a pre-existing field.
<dashboard theme="light">
<label>Deploy Job Status</label>
<description>Status of Deploy Full Environment (JSON) jobs in Rundeck</description>
<row>
<panel>
<title>Last 24 Hours</title>
<table>
<title>Click on cell to go to job in rundeck</title>
<search>
<query>index=* sourcetype=rundeck* source=*execution* "Deploy Full"| eval latest_update=strftime(_time, "%d %b %H:%M") |rex field=_raw "\[(?<rundeck_job_id>\d{8,})" |table environment,deploy_job_status,latest_update,json | dedup environment sortby -latest_update</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="color" field="deploy_job_status">
<colorPalette type="map">{"failed":#DC4E41,"running":#F8BE34,"succeeded":#4FA484}</colorPalette>
</format>
<format type="color" field="deploy_job_status">
<colorPalette type="map">{"failed":#DC4E41,"running":#F8BE34,"succeeded":#4FA484}</colorPalette>
</format>
<format type="color" field="deploy_job_status">
<colorPalette type="map">{"failed":#DC4E41,"running":#F8BE34,"succeeded":#4FA484}</colorPalette>
</format>
<format type="color" field="deploy_job_status">
<colorPalette type="map">{"failed":#DC4E41,"running":#F8BE34,"succeeded":#4FA484}</colorPalette>
</format>
<drilldown>
<link target="_blank">https://rundeck.server/project/Project_Name/execution/show/$row.rundeck_job_id$</link>
</drilldown>
</table>
</panel>
</row>
</dashboard>
It would also seem like you have an error in your dedup statement - you seem to be deduping on 3 fields - is there a missing | before the sort - which should not be 'sortby'
I see, you're totally right and that worked as soon as I made that field a table column. Thank you!
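A lint-style check for the failure diagnosed in this thread, as an added example (not code from any poster or from Splunk): it flags `$row.<field>$` drilldown tokens that name a field the last `table` command dropped. The SPL handling is a deliberate simplification (only `table` is considered, and commands after it that create fields are ignored), and the two dashboards are constructed from the XML posted above.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

ROW_TOKEN = re.compile(r"\$row\.([^$|]+)(?:\|\w+)?\$")   # $row.field$ or $row.field|u$

def table_fields(spl):
    """Fields kept by the last `| table ...` command, or None if the search has none."""
    # Blank out quoted strings first so a | or , inside a rex pattern is not split on.
    bare = re.sub(r'"(?:\\.|[^"\\])*"', '""', spl)
    kept = None
    for cmd in (c.strip() for c in bare.split("|")):
        if re.match(r"table\s", cmd):
            kept = [f for f in re.split(r"[,\s]+", cmd[5:].strip()) if f]
    return kept

def missing_row_tokens(dashboard_xml):
    """Return [(field, link_url)] for drilldown tokens the search results no longer carry."""
    problems = []
    for table in ET.fromstring(dashboard_xml).iter("table"):
        kept = table_fields(table.findtext("search/query") or "")
        if kept is None:          # no table command: every extracted field is still present
            continue
        for link in table.iterfind("drilldown/link"):
            url = (link.text or "").strip()
            for field in ROW_TOKEN.findall(url):
                # table accepts wildcards, so compare with shell-style matching
                if not any(fnmatch.fnmatchcase(field, k) for k in kept):
                    problems.append((field, url))
    return problems

# Constructed sample, modelled on the dashboard in the thread (query wrapped in CDATA).
TEMPLATE = r"""<dashboard><row><panel><table>
  <search><query><![CDATA[index=* sourcetype=rundeck* source=*execution* "Deploy Full"
    | eval latest_update=strftime(_time, "%d %b %H:%M")
    | rex field=_raw "\[(?<rundeck_job_id>\d{8,})"
    | table TABLE_FIELDS
    | dedup environment sortby -latest_update]]></query></search>
  <fields>"environment","deploy_job_status","latest_update","json"</fields>
  <drilldown>
    <link target="_blank">https://rundeck.server/project/Project_Name/execution/show/$row.rundeck_job_id$</link>
  </drilldown>
</table></panel></row></dashboard>"""
BROKEN = TEMPLATE.replace("TABLE_FIELDS", "environment,deploy_job_status,latest_update,json")
FIXED = TEMPLATE.replace("TABLE_FIELDS", "environment,deploy_job_status,latest_update,json rundeck_job_id")

if __name__ == "__main__":
    for name, xml_text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, missing_row_tokens(xml_text))
```
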