How to create a drilldown to display complete ERROR TRACE details on a dashboard when selecting a value from a table?

sunilbaba
New Member

Hi,

I have a table with URL and punct fields. I want to drilldown the URL cell and want to retrieve the complete ERROR TRACE Details for the selected URL. I don't want to show timechart (or) any graphs in the dashboard. I just want to see ERROR trace in the dashboard.

Can someone help me out?

0 Karma
1 Solution

sundareshr
Legend

To your table, add this

<drilldown>
 <!-- $click.value2$ is the clicked cell; $click.value$ is the leftmost column of the clicked row -->
 <condition field="punct">
   <set token="punct">$click.value2$</set>
   <unset token="uri"></unset>
 </condition>
 <condition field="uri">
   <set token="uri">$click.value2$</set>
   <unset token="punct"></unset>
 </condition>
</drilldown>

Below that, create two panels

  <row>
    <panel depends="$punct$">
      <event>
        <search>
          <query>index=xyz punct="$punct$" |...</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>
  <row>
    <panel depends="$uri$">
      <event>
        <search>
          <query>index=xyz uri="$uri$" |...</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>

0 Karma


sunilbaba
New Member
<input type="dropdown" token="site" searchWhenChanged="true">
  <label>SITE</label>
  <choice value="y">y</choice>
  <choice value="z">z</choice>
  <default>y</default>
</input>
<input type="time" token="time" searchWhenChanged="true">
  <label>Time Range Selection</label>
  <default>
    <earliest>-60m@m</earliest>
    <latest>now</latest>
  </default>
</input>


<panel>
  <table>
    <title>4xx</title>
    <search>
      <query>index=$site$_* RespCode=4* | top uri,punct,RespCode</query>
      <earliest>$time.earliest$</earliest>
      <latest>$time.latest$</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">true</option>
    <option name="drilldown">cell</option>
    <option name="dataOverlayMode">highlow</option>
    <option name="count">10</option>
    <drilldown>
      <condition field="uri">
        <set token="uri">$click.value$</set>
        <unset token="punct"></unset>
      </condition>
    </drilldown>
    <drilldown>
      <condition field="punct">
        <set token="punct">$click.value2$</set>
        <unset token="uri"></unset>
      </condition>
    </drilldown>
   </table>   
  <chart depends="$uri$">
    <title>Uri</title>
    <search>
      <query>index=$site$_* RespCode=4* uri=$uri|s$ | timechart count</query>
      <earliest>-24h@m</earliest>
      <latest>$time.latest$</latest>
    </search>
    <option name="charting.chart">line</option>
  </chart>
  <event depends="$punct$">
    <title>selected punct=$punct$</title>
    <search>
      <query>index=$site$_* punct=$punct|s$ </query>
      <earliest>-1m@m</earliest>
      <latest>now</latest>
    </search>
    <option name="charting.chart">line</option>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart.bubbleMaximumSize">5</option>
    <option name="charting.chart.bubbleMinimumSize">1</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">none</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
    <option name="list.drilldown">full</option>
    <option name="list.wrap">1</option>
    <option name="maxLines">5</option>
    <option name="raw.drilldown">full</option>
    <option name="rowNumbers">0</option>
    <option name="table.drilldown">all</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
    <fields>["host","source","sourcetype"]</fields>
  </event>
 </panel>

Can you help me with this code?

0 Karma
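
The accepted answer's in-page drilldown applied to the 4xx table posted above, as an added example that is not part of the original thread: one drilldown element sets a token per clicked column, and both event lists sit in the same panel under the table. The fixed index `y_*`, the titles and the time range are assumptions.

```xml
<dashboard>
  <label>4xx drilldown (constructed example)</label>
  <row>
    <panel>
      <table>
        <title>4xx</title>
        <search>
          <!-- index=y_* is an assumed stand-in for the $site$ input in the post above -->
          <query>index=y_* RespCode=4* | top uri,punct,RespCode</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <!-- One drilldown element carries both conditions. -->
        <drilldown>
          <!-- $click.value2$ = clicked cell; $click.value$ = leftmost column of the row. -->
          <condition field="uri">
            <set token="uri">$click.value2$</set>
            <unset token="punct"></unset>
          </condition>
          <condition field="punct">
            <set token="punct">$click.value2$</set>
            <unset token="uri"></unset>
          </condition>
        </drilldown>
      </table>
      <!-- Both event lists share the space under the table; only one token is set at a time. -->
      <event depends="$uri$">
        <title>Raw events for selected uri</title>
        <search>
          <!-- |s wraps the clicked value in quotes and escapes it before it reaches SPL. -->
          <query>index=y_* RespCode=4* uri=$uri|s$</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="type">raw</option>
      </event>
      <event depends="$punct$">
        <title>Raw events for selected punct</title>
        <search>
          <query>index=y_* punct=$punct|s$</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="type">raw</option>
      </event>
    </panel>
  </row>
</dashboard>
```

The `|s` filter matters for `punct` in particular, since punct values routinely contain quote characters that would otherwise end the quoted string in the search.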

s2_splunk
Splunk Employee

Modify and try this:

<table>
  <title>Table panel with dynamic drilldown that passes the clicked cell's value to the search and reporting app</title>
  <searchString> YOUR SEARCH GOES HERE </searchString>
  <option name="count">10</option>
  <drilldown>
    <link>
      <![CDATA[
        app/search/search?q=search index=summary response_code=400 Uri=$click.value$
      ]]>
    </link>
  </drilldown>
</table>

Put your basic search in searchString and create a table with the URI. If you have an existing dashboard view that you want to drilldown to instead of the search app, you can modify the link element accordingly.

0 Karma

sunilbaba
New Member

Hi ssievert,

Thanks for the answer. Actually, my design pattern will look like this.

1                 2-  Uri                   3-   Punct 

Table with three columns. Once I click on the punct, a drilldown chart will open, which is actually hidden at the bottom of the table. I want to use the same hidden place for the ERROR trace of the uri too. Could you help me out on this?

0 Karma

s2_splunk
Splunk Employee

I recommend you download the dashboard examples app and take a look at the various drilldown examples in there. That should get you where you want to go.

The basic XML for doing a table drilldown on a cell looks like this:

<table>
  <title>Table with cell drilldown</title>
  <searchString>index=_internal | table sourcetype, source, host</searchString>
  <earliestTime>-60m@m</earliestTime>
  <latestTime>now</latestTime>
  <option name="drilldown">cell</option>
  <option name="count">3</option>
</table>

You can do in-page drilldown, drilldown to a raw search, or link to a different dashboard view. Your choice.

0 Karma

sunilbaba
New Member

Hi ssievert,

Can you provide sample code for a raw search, please?

0 Karma

s2_splunk
Splunk Employee

I don't think I can without knowing what data source contains the events that make up your "ERROR TRACE" search....

0 Karma

sunilbaba
New Member

My search will be like this:
Index=summary response_code=400 Uri=$uri$

For the token Uri I want raw data. Can you help me?

0 Karma