Dashboards & Visualizations

How to create contextual drilldown from table to timechart with different searches?

giovere
Path Finder

I'm trying to make a dashboard, so far I have a table which derived from multisearch, because set of fields is different:

| multisearch [search index=x host=y | eval name="A"]
[search index=x host=y | eval name="B"]
[search index=z host=u | eval name="C"]
[search index=w host=l | eval name="D"]
[search index=f host=p | eval name="E"] | stats count by name

Ideally I'd like to have contextual drilldown which would generate a timechart depending on the selected row.
For example if Name D is selected following timechart should be displayed:

search index=w host=l | eval name="D" | timechart count

What is the best way to approach it, if it is doable at all?
Thanks in advance

0 Karma

somesoni2
Revered Legend

Since, the field name is a custom eval field, a direct drilldown will not be available. You'd need to setup custom drilldown search based on the name value clicked.

<table>
....
<drilldown>
    <eval token="index">case("$click.value2$"="B","x","$click.value2$"="C","z","$click.value2$"="D","w","$click.value2$"="E","f")</eval>
    <eval token="host">case("$click.value2$"="B","y","$click.value2$"="C","u","$click.value2$"="D","l","$click.value2$"="E","p")</eval>
</drilldown>
</table>
</row>
<row>
<panel depends="$index$">
<chart>
....
<search>
    <query>index=$index$ host=$host$ | timechart count</query>
.....
...
0 Karma

giovere
Path Finder

Thanks for the answer, apparently I'm missing something, when I click on cell it does not trigger anything. Maybe I should make something like: "set token", are you sure about syntax with $click.value2$, what is 2 at the end doing?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...