Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a drill down from one panel to another in the same dashboard?

abhi04
Communicator
‎05-31-2018 01:41 AM

I have a dashboard which have panel 1 which displays job start time, end time and time duration of the job run. Now I want to create another panel i.e. panel 2 in the same dashboard where clicking on the job in panel 1 will display that job start time, end time and time duration of the job run for last 7 days. Please help on the same.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎05-31-2018 03:49 AM

@abhi04 , if you are on Splunk 6.6 or higher you can use Interactive Drilldown Option from Splunk UI by editing the chart and set the token for selected Job Name using predefined token $row.<yourJobNameField>$. This token will pick the job name from the Row that you click on (irrespective of the column). Following is the Splunk Docs reference for default Table Drilldown tokens. For previous versions the same can be done only through Simple XML.

You can get Splunk Dashboard Examples app to get several examples of Drilldown capabilities within Splunk, including your use case.

Following is a run anywhere dashboard based on Splunk's _internal index to try out the drilldown from One Panel to Another where component name from Panel 1 is passed on to Panel 2 on Drilldown and displays the trending of INFO ERROR and WARN events over last 7 days in a timechart.

In the example following pieces have been added for enabling drilldown for selected component.

        <option name="drilldown">cell</option>

        <drilldown>
          <set token="tokComponent">$row.component$</set>
        </drilldown>

Then the search query in Panel 2 uses token $tokComponent$

          <query>index=_internal sourcetype=splunkd log_level=* component="$tokComponent$"
  | timechart count by log_level</query>

PS: depends attribute has been added to second row with Drilldown panel which hides the Panel until $tokComponent$ is set.

  <row depends="$tokComponent$">

Please try out and confirm!

<form>
  <label>Drilldown from one dashboard to another</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <title>Panel 1 - Pick Component to see trending</title>
      <input type="time" token="tokTime1" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=*
| dedup log_level component
| stats count as eventcount min(_time) as earliestTime max(_time) as latestTime dc(log_level) as distinctCount values(log_level) as log_level by component
| search log_level="INFO" AND distinctCount>1
| eval duration=latestTime-earliestTime
| fieldformat earliestTime=strftime(earliestTime,"%Y-%m-%d %H:%M:%S %p")
| fieldformat latestTime=strftime(latestTime,"%Y-%m-%d %H:%M:%S %p")</query>
          <earliest>$tokTime1.earliest$</earliest>
          <latest>$tokTime1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="tokComponent">$row.component$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$tokComponent$">
    <panel>
      <title>Panel 2 - $tokComponent$ Component Info and Warn Trending</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=* component="$tokComponent$"
| timechart count by log_level</query>
          <earliest>$tokTime1.earliest$</earliest>
          <latest>$tokTime1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.mode">seriesCompare</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>

PS: This example uses charting.legend.mode as seriesCompare. This Chart Configuration option for legends which is available in version 6.6 or higher.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎05-31-2018 03:49 AM

@abhi04 , if you are on Splunk 6.6 or higher you can use Interactive Drilldown Option from Splunk UI by editing the chart and set the token for selected Job Name using predefined token $row.<yourJobNameField>$. This token will pick the job name from the Row that you click on (irrespective of the column). Following is the Splunk Docs reference for default Table Drilldown tokens. For previous versions the same can be done only through Simple XML.

You can get Splunk Dashboard Examples app to get several examples of Drilldown capabilities within Splunk, including your use case.

Following is a run anywhere dashboard based on Splunk's _internal index to try out the drilldown from One Panel to Another where component name from Panel 1 is passed on to Panel 2 on Drilldown and displays the trending of INFO ERROR and WARN events over last 7 days in a timechart.

In the example following pieces have been added for enabling drilldown for selected component.

        <option name="drilldown">cell</option>

        <drilldown>
          <set token="tokComponent">$row.component$</set>
        </drilldown>

Then the search query in Panel 2 uses token $tokComponent$

          <query>index=_internal sourcetype=splunkd log_level=* component="$tokComponent$"
  | timechart count by log_level</query>

PS: depends attribute has been added to second row with Drilldown panel which hides the Panel until $tokComponent$ is set.

  <row depends="$tokComponent$">

Please try out and confirm!

<form>
  <label>Drilldown from one dashboard to another</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <title>Panel 1 - Pick Component to see trending</title>
      <input type="time" token="tokTime1" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=*
| dedup log_level component
| stats count as eventcount min(_time) as earliestTime max(_time) as latestTime dc(log_level) as distinctCount values(log_level) as log_level by component
| search log_level="INFO" AND distinctCount>1
| eval duration=latestTime-earliestTime
| fieldformat earliestTime=strftime(earliestTime,"%Y-%m-%d %H:%M:%S %p")
| fieldformat latestTime=strftime(latestTime,"%Y-%m-%d %H:%M:%S %p")</query>
          <earliest>$tokTime1.earliest$</earliest>
          <latest>$tokTime1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="tokComponent">$row.component$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$tokComponent$">
    <panel>
      <title>Panel 2 - $tokComponent$ Component Info and Warn Trending</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=* component="$tokComponent$"
| timechart count by log_level</query>
          <earliest>$tokTime1.earliest$</earliest>
          <latest>$tokTime1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.mode">seriesCompare</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>

PS: This example uses charting.legend.mode as seriesCompare. This Chart Configuration option for legends which is available in version 6.6 or higher.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

abhi04
Communicator
‎05-31-2018 04:25 AM

Hi Niketnilay,

The jobname is being extracted using regex.below is the source for the dashboard which is not working.

DFS IW Batch Job Monitor Dashboard
DFS IW Batch Job Monitor

<input type="time" token="field1">
  <label></label>
  <default>
    <earliest>-24h</earliest>
    <latest>now</latest>
  </default>
</input>


<panel>
  <table>
    <title>IW Batch Job Duration</title>
    <search>
      <query>index=auto_prod_iw* "/afiw/batch/scripts/gc01*.ksh" "Job gc01* -" "started - time=" | dedup _raw |rex "\w+\/\w+\/\w+\/(?&lt;Job_Name&gt;\w+)\.ksh" | eval StartTime=strftime(_time,"%Y/%m/%d %H:%M:%S") | append [| search index=auto_prod_iw* "/afiw/batch/scripts/gc01*.ksh" "Job gc01* -" ("ended - time=" OR "ENDED - time") | dedup _raw |rex "\w+\/\w+\/\w+\/(?&lt;Job_Name&gt;\w+)\.ksh" | eval EndTime=strftime(_time,"%Y/%m/%d %H:%M:%S")] | transaction Job_Name  |dedup Job_Name | table Job_Name StartTime EndTime duration  |eval Duration_Min= round((duration/60),2) | rename duration AS Duration_Sec</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
    <drilldown>
       <set token="tokComponent">$row.Job_Name$</set>
     </drilldown>
  </table>
</panel>


<panel>
  <event>
    <title>Errors</title>
    <search>
      <query>index=auto_prod_iw* "/afiw/batch/scripts/gc01*.ksh"  "error" OR "abort"</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>
  </event>
</panel>


<panel>
  <table>
    <title>Last 7 Days</title>
    <search>
      <query>index=auto_prod_iw* "/afiw/batch/scripts/gc01*.ksh" "Job gc01* -" "started - time=" | dedup _raw |rex "\w+\/\w+\/\w+\/(?&lt;Job_Name&gt;\w+)\.ksh" |Job_Name="$tokComponent$"| eval StartTime=strftime(_time,"%Y/%m/%d %H:%M:%S") | append [| search index=auto_prod_iw* "/afiw/batch/scripts/gc01*.ksh" "Job gc01* -" ("ended - time=" OR "ENDED - time") | dedup _raw |rex "\w+\/\w+\/\w+\/(?&lt;Job_Name&gt;\w+)\.ksh" | Job_Name="$tokComponent$"|eval EndTime=strftime(_time,"%Y/%m/%d %H:%M:%S")] | transaction Job_Name  |dedup Job_Name | table Job_Name StartTime EndTime duration  |eval Duration_Min= round((duration/60),2) | rename duration AS Duration_Sec</query> <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>
  </table>
</panel>
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎05-31-2018 05:39 AM

You should try out the two things after the rex command, you are missing search keyword for searching Job_Names extracted using rex.

 ...
| rex .....
|search Job_Name="$tokComponent$"
 ....

Also in the Title for the final panel with table add the token to verify correct Job Name has been picked from Drilldown (I would also prefer if you named tokComponent as tokJobName instead as it will be more logical.

<title>Details for Job $tokComponent$ for Last 7 Days</title>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

abhi04
Communicator
‎05-31-2018 06:07 AM

Thanks Niketnilay,

The panel shows up with info but the title wont show when using

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎05-31-2018 07:18 AM

Strangely it should work. Have you changed the token name and are using correct one? Which version of Splunk are you on? Can you share simple XML code and what is not working.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

abhi04
Communicator
‎05-31-2018 08:08 AM

Hi niketnilay,

It's working now.
Thanks.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎05-31-2018 08:54 AM

@abhi04 glad it worked! Do up vote the comments that helped 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...