How to create a drill down from one panel to another in the same dashboard?

abhi04
Communicator

I have a dashboard which have panel 1 which displays job start time, end time and time duration of the job run. Now I want to create another panel i.e. panel 2 in the same dashboard where clicking on the job in panel 1 will display that job start time, end time and time duration of the job run for last 7 days. Please help on the same.

1 Solution

niketn
Legend

@abhi04, if you are on Splunk 6.6 or higher you can use the Interactive Drilldown option from the Splunk UI by editing the chart and setting the token for the selected job name using the predefined token $row.<yourJobNameField>$. This token will pick the job name from the row that you click on (irrespective of the column). Following is the Splunk Docs reference for default table drilldown tokens. For previous versions the same can be done only through Simple XML.

You can install the Splunk Dashboard Examples app to see several examples of drilldown capabilities within Splunk, including your use case.

Following is a run-anywhere dashboard based on Splunk's _internal index to try out the drilldown from one panel to another, where the component name from Panel 1 is passed on to Panel 2 on drilldown and displays the trending of INFO, ERROR and WARN events over the last 7 days in a timechart.

In the example, the following pieces have been added to enable drilldown for the selected component.

        <option name="drilldown">cell</option>

        <drilldown>
          <set token="tokComponent">$row.component$</set>
        </drilldown>

Then the search query in Panel 2 uses the token $tokComponent$:

          <query>index=_internal sourcetype=splunkd log_level=* component="$tokComponent$"
  | timechart count by log_level</query>

PS: The depends attribute has been added to the second row (the one with the drilldown panel), which hides the panel until $tokComponent$ is set.

  <row depends="$tokComponent$">

Please try out and confirm!

<form>
  <label>Drilldown from one dashboard to another</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <title>Panel 1 - Pick Component to see trending</title>
      <input type="time" token="tokTime1" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=*
| dedup log_level component
| stats count as eventcount min(_time) as earliestTime max(_time) as latestTime dc(log_level) as distinctCount values(log_level) as log_level by component
| search log_level="INFO" AND distinctCount>1
| eval duration=latestTime-earliestTime
| fieldformat earliestTime=strftime(earliestTime,"%Y-%m-%d %H:%M:%S")
| fieldformat latestTime=strftime(latestTime,"%Y-%m-%d %H:%M:%S")</query>
          <earliest>$tokTime1.earliest$</earliest>
          <latest>$tokTime1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="tokComponent">$row.component$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$tokComponent$">
    <panel>
      <title>Panel 2 - $tokComponent$ Component Info and Warn Trending</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=* component="$tokComponent$"
| timechart count by log_level</query>
          <earliest>$tokTime1.earliest$</earliest>
          <latest>$tokTime1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.mode">seriesCompare</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>

PS: This example uses charting.legend.mode as seriesCompare. This chart configuration option for legends is available in version 6.6 or higher.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"



abhi04
Communicator

Hi Niketnilay,

The job name is being extracted using regex. Below is the source for the dashboard, which is not working.

<form>
  <!-- The form, label, description, fieldset and row wrappers were lost when this post was
       rendered and are restored here so the XML is well-formed; panels and queries are as posted. -->
  <label>DFS IW Batch Job Monitor Dashboard</label>
  <description>DFS IW Batch Job Monitor</description>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>IW Batch Job Duration</title>
        <search>
          <query>index=auto_prod_iw* "/afiw/batch/scripts/gc01*.ksh" "Job gc01* -" "started - time="
| dedup _raw
| rex "\w+\/\w+\/\w+\/(?&lt;Job_Name&gt;\w+)\.ksh"
| eval StartTime=strftime(_time,"%Y/%m/%d %H:%M:%S")
| append [| search index=auto_prod_iw* "/afiw/batch/scripts/gc01*.ksh" "Job gc01* -" ("ended - time=" OR "ENDED - time")
    | dedup _raw
    | rex "\w+\/\w+\/\w+\/(?&lt;Job_Name&gt;\w+)\.ksh"
    | eval EndTime=strftime(_time,"%Y/%m/%d %H:%M:%S")]
| transaction Job_Name
| dedup Job_Name
| table Job_Name StartTime EndTime duration
| eval Duration_Min=round((duration/60),2)
| rename duration AS Duration_Sec</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
        <drilldown>
          <set token="tokComponent">$row.Job_Name$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <event>
        <title>Errors</title>
        <search>
          <query>index=auto_prod_iw* "/afiw/batch/scripts/gc01*.ksh" "error" OR "abort"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
      </event>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Last 7 Days</title>
        <search>
          <query>index=auto_prod_iw* "/afiw/batch/scripts/gc01*.ksh" "Job gc01* -" "started - time="
| dedup _raw
| rex "\w+\/\w+\/\w+\/(?&lt;Job_Name&gt;\w+)\.ksh"
|Job_Name="$tokComponent$"
| eval StartTime=strftime(_time,"%Y/%m/%d %H:%M:%S")
| append [| search index=auto_prod_iw* "/afiw/batch/scripts/gc01*.ksh" "Job gc01* -" ("ended - time=" OR "ENDED - time")
    | dedup _raw
    | rex "\w+\/\w+\/\w+\/(?&lt;Job_Name&gt;\w+)\.ksh"
    | Job_Name="$tokComponent$"
    | eval EndTime=strftime(_time,"%Y/%m/%d %H:%M:%S")]
| transaction Job_Name
| dedup Job_Name
| table Job_Name StartTime EndTime duration
| eval Duration_Min=round((duration/60),2)
| rename duration AS Duration_Sec</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

niketn
Legend

You should try out two things. First, after the rex command you are missing the search keyword for searching the Job_Names extracted using rex:

 ...
| rex .....
|search Job_Name="$tokComponent$"
 ....

Also, in the title for the final panel with the table, add the token to verify that the correct job name has been picked from the drilldown (I would also prefer if you named tokComponent as tokJobName instead, as it will be more logical):

<title>Details for Job $tokComponent$ for Last 7 Days</title>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
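The following run-anywhere dashboard is an added example, not part of the accepted answer or of abhi04's dashboard. It puts the two points from this thread together: the $row.<field>$ drilldown token from the accepted answer, and the "| search Field=$token$" filter from the reply above. Two things are added that the thread itself does not show. First, the clicked value is passed into the search through the |s token filter, which wraps the value in double quotes and escapes embedded double quotes, so a cell value containing a quote or a bare OR stays one literal instead of changing the shape of the search (the |h filter does the equivalent HTML escaping for the panel title). Second, Panel 2 uses its own fixed -7d@d window so it answers the original last-7-days requirement regardless of the Panel 1 time picker, and clicking a column other than the one you drill on clears the token, which hides the second row again via depends. The example uses the _internal index and the component field exactly as the accepted answer does; token, title and panel names are the example's own. For the batch-job dashboard, component becomes Job_Name and the filter line becomes "| search Job_Name=$tokJobName|s$".

```xml
<form>
  <label>Panel to panel drilldown (added example)</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime1" searchWhenChanged="true">
      <label>Panel 1 time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Panel 1 - click a component name</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=*
| stats min(_time) as earliestTime max(_time) as latestTime count by component
| eval duration=latestTime-earliestTime
| fieldformat earliestTime=strftime(earliestTime,"%Y-%m-%d %H:%M:%S")
| fieldformat latestTime=strftime(latestTime,"%Y-%m-%d %H:%M:%S")</query>
          <earliest>$tokTime1.earliest$</earliest>
          <latest>$tokTime1.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <!-- Only a click in the component column sets the token.
               $row.component$ carries the raw cell value; quoting is applied
               where the token is used, not where it is set. -->
          <condition field="component">
            <set token="tokComponent">$row.component$</set>
          </condition>
          <!-- Any other column: clear the token, which hides Panel 2 (depends). -->
          <condition>
            <unset token="tokComponent"></unset>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$tokComponent$">
    <panel>
      <!-- |h: HTML-escape the clicked value for display in the title. -->
      <title>Panel 2 - $tokComponent|h$ over the last 7 days</title>
      <chart>
        <search>
          <!-- |s: the value is wrapped in double quotes with embedded quotes
               escaped, so component=... is always a single literal match.
               Do not add your own quotes around $tokComponent|s$. -->
          <query>index=_internal sourcetype=splunkd log_level=* component=$tokComponent|s$
| timechart span=1d count by log_level</query>
          <!-- Fixed window: the requirement is the last 7 days, independent of
               the Panel 1 time picker. -->
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</form>
```

Paste this as the source of a new dashboard (Dashboards > Create New Dashboard > Edit > Source). Clicking a value in the component column populates Panel 2; clicking a timestamp or count cell hides it again. If you later move the token into a "| search" line, keep the |s filter there too: "| search component=$tokComponent|s$".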

abhi04
Communicator

Thanks Niketnilay,

The panel shows up with info but the title won't show when using


niketn
Legend

Strangely, it should work. Have you changed the token name and are you using the correct one? Which version of Splunk are you on? Can you share the Simple XML code and what is not working?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

abhi04
Communicator

Hi niketnilay,

It's working now.
Thanks.


niketn
Legend

@abhi04 glad it worked! Do up vote the comments that helped 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"