Dashboards & Visualizations

How to create a drilldown to display complete ERROR TRACE details on a dashboard when selecting a value from a table?

New Member

Hi,

I have a table with URL and punct fields. I want to drilldown the URL cell and want to retrieve the complete ERROR TRACE Details for the selected URL. I don't want to show timechart (or) any graphs in the dashboard. I just want to see ERROR trace in the dashboard.

can someone help me out.

0 Karma
1 Solution

Legend

To your table, add this

<drilldown>

 <condition field="punct">
   <set token="punct">$click.value$</set>
   <unset token="uri"></unset>
 </condition>
 <condition field="uri">
   <set token="uri">$click.value2$</set>
   <unset token="punct"></unset>
 </condition>
</drilldown>

Below that, create two panels

  <row>
    <panel depends="$punct$">
      <event>
        <search>
          <query>index=xyz punct="$punct$" |...</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>
  <row>
    <panel depends="$uri$">
      <event>
        <search>
          <query>index=xyz uri="$uri$" |...</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>

View solution in original post

0 Karma

Legend

To your table, add this

<drilldown>

 <condition field="punct">
   <set token="punct">$click.value$</set>
   <unset token="uri"></unset>
 </condition>
 <condition field="uri">
   <set token="uri">$click.value2$</set>
   <unset token="punct"></unset>
 </condition>
</drilldown>

Below that, create two panels

  <row>
    <panel depends="$punct$">
      <event>
        <search>
          <query>index=xyz punct="$punct$" |...</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>
  <row>
    <panel depends="$uri$">
      <event>
        <search>
          <query>index=xyz uri="$uri$" |...</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>

View solution in original post

0 Karma

New Member
<input type="dropdown" token="site" searchWhenChanged="true">
  <label>SITE</label>
  <choice value="y">y</choice>
  <choice value="z">z</choice>
  <default>y</default>
</input>
<input type="time" token="time" searchWhenChanged="true">
  <label>Time Range Selection</label>
  <default>
    <earliest>-60m@m</earliest>
    <latest>now</latest>
  </default>
</input>


<panel>
  <table>
    <title>4xx</title>
    <search>
      <query>index=$site$_* RespCode=4* | top uri,punct,RespCode</query>
      <earliest>$time.earliest$</earliest>
      <latest>$time.latest$</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">true</option>
    <option name="drilldown">cell</option>
    <option name="dataOverlayMode">highlow</option>
    <option name="count">10</option>
    <drilldown>
      <condition field="uri">
        <set token="uri">$click.value$</set>
        <unset token="punct"></unset>
      </condition>
    </drilldown>
    <drilldown>
      <condition field="punct">
        <set token="punct">$click.value2$</set>
        <unset token="uri"></unset>
      </condition>
    </drilldown>
   </table>   
  <chart depends="$uri$">
    <title>Uri</title>
    <search>
      <query>index=$site$_* RespCode=4* uri=$uri|s$ | timechart count</query>
      <earliest>-24h@m</earliest>
      <latest>$time.latest$</latest>
    </search>
    <option name="charting.chart">line</option>
  </chart>
  <event depends="$punct$">
    <title>selected punct=$punct$</title>
    <search>
      <query>index=$site$_* punct=$punct|s$ </query>
      <earliest>-1m@m</earliest>
      <latest>now</latest>
    </search>
    <option name="charting.chart">line</option>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart.bubbleMaximumSize">5</option>
    <option name="charting.chart.bubbleMinimumSize">1</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">none</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
    <option name="list.drilldown">full</option>
    <option name="list.wrap">1</option>
    <option name="maxLines">5</option>
    <option name="raw.drilldown">full</option>
    <option name="rowNumbers">0</option>
    <option name="table.drilldown">all</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
    <fields>["host","source","sourcetype"]</fields>
  </event>
 </panel>

Can you help me with this code?

0 Karma

Splunk Employee
Splunk Employee

Modify and try this:

        <table>
              <title>Table panel with dynamic drilldown that passes the clicked cell's value to the search and reporting app </title>
              <searchString> YOUR SEARCH GOES HERE </searchString>
              <option name="count">10</option>
              <drilldown>
                <link>
                  <![CDATA[
                    app/search/search?q=search index=summary response_code=400 Uri=$click.value$
                  ]]>
                </link>
              </drilldown>
        </table>

Put your basic search in searchString and create a table with the URI. If you have an existing dashboard view that you want to drilldown to instead of the search app, you can modify the link element accordingly.

0 Karma

New Member

Hi ssievert,

Thanks for the answer .Actually, my design pattern will look like this.

1                 2-  Uri                   3-   Punct 

Table with three columns once I click on the punct a drilldown chart will open which is actually hidden at the bottom of the table.I want to use the same hidden place for the ERROR trace of the uri too .could you help me out on this.

0 Karma

Splunk Employee
Splunk Employee

I recommend you download the dashboard examples app and take a look at the various drilldown examples in there. That should get you where you want to go.

The basic XML for doing a table drilldown on a cell looks like this:

<table>
      <title>Table with cell drilldown</title>
      <searchString>index=_internal | table sourcetype, source, host</searchString>
      <earliestTime>-60m@m</earliestTime>
      <latestTime>now</latestTime>
      <option name="drilldown">cell</option>
      <option name="count">3</option>
    </table>

You can do in-page drilldown, drilldown to a raw search, or link to a different dashboard view. Your choice.

0 Karma

New Member

Hi ssievert,

Can you provide a sample code for raw search please

0 Karma

Splunk Employee
Splunk Employee

I don't think I can without knowing what data source contains the events that make up your "ERROR TRACE" search....

0 Karma

New Member

My search will be like this
Index=summary response_code=400 Uri=$uri$

For the token Uri I want raw data can you help me

0 Karma