How to create contextual drilldown from table to t...

giovere · ‎09-16-2016

I'm trying to make a dashboard, so far I have a table which derived from multisearch, because set of fields is different:

| multisearch [search index=x host=y | eval name="A"]
[search index=x host=y | eval name="B"]
[search index=z host=u | eval name="C"]
[search index=w host=l | eval name="D"]
[search index=f host=p | eval name="E"] | stats count by name

Ideally I'd like to have contextual drilldown which would generate a timechart depending on the selected row.
For example if Name D is selected following timechart should be displayed:

search index=w host=l | eval name="D" | timechart count

What is the best way to approach it, if it is doable at all?
Thanks in advance

somesoni2 · ‎09-16-2016

Since, the field name is a custom eval field, a direct drilldown will not be available. You'd need to setup custom drilldown search based on the name value clicked.

<table>
....
<drilldown>
    <eval token="index">case("$click.value2$"="B","x","$click.value2$"="C","z","$click.value2$"="D","w","$click.value2$"="E","f")</eval>
    <eval token="host">case("$click.value2$"="B","y","$click.value2$"="C","u","$click.value2$"="D","l","$click.value2$"="E","p")</eval>
</drilldown>
</table>
</row>
<row>
<panel depends="$index$">
<chart>
....
<search>
    <query>index=$index$ host=$host$ | timechart count</query>
.....
...

giovere · ‎09-17-2016

Thanks for the answer, apparently I'm missing something, when I click on cell it does not trigger anything. Maybe I should make something like: "set token", are you sure about syntax with $click.value2$, what is 2 at the end doing?

How to create contextual drilldown from table to timechart with different searches?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...