Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create drilldown with row?

aditsss
Motivator
‎08-01-2023 12:38 PM

Hi Team,

I have created below query to create drill down and show raw logs but its not working for me.

Can someone please help me with it.

<row>
<panel>
<title>Association BalanceStatistics - Send</title>
<table>
<search>
<query>index="abc*" sourcetype=600000304_gg_abs_ipc2 " AssociationProcessor - compareTransformStatsData : statisticData: StatisticData" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " AssociationProcessor - compareTransformStatsData : statisticData: StatisticData totalOutputRecords=(?&lt;totalOutputRecords&gt;), totalInputRecords=(?&lt;totalInputRecords&gt;),busDt=(?&lt;busDt&gt;),fileName=(?&lt;fileName&gt;),totalClosingBal=(?&lt;totalClosingBal&gt;)"|table _time totalOutputRecords totalInputRecords busDt fileName totalClosingBal|sort _time</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="show_panel">true</set>
<set token="selected_value1">$click.value1$</set>
</drilldown>
</table>
</panel>
</row>

Labels (3)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-01-2023 02:41 PM

Your rex command does not extract the fields that you want - please refer to the other teachings we have been trying to give you.

Also, $click.value1$ may not be the token you want from the drilldown. See this post for token names Solved: Re: Dynamic Drilldown view based on selected cell'... - Splunk Community

0 Karma
Reply

aditsss
Motivator
‎08-01-2023 10:20 PM

@ITWhisperer 

I tried this but still drilldown is not working

<row>
<panel>
<title>Association BalanceStatistics - Receive(ControlFileData)</title>
<table>
<search>
<query>index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" " AssociationProcessor* associationStats={}] ---- controlFileData: ControlFileData" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " AssociationProcessor* - associationStats={}] ---- controlFileData: ControlFileData ,busDate=(?&lt;busDate&gt;),fileSequenceNum=(?&lt;fileSequenceNum&gt;),totalRecordsWritten=(?&lt;totalRecordsWritten&gt;),totalRecords=(?&lt;totalRecords&gt;),totalClosingBal=(?&lt;totalClosingBal&gt;)"|rex "fileName=(?&lt;fileName&gt;SETTLEMENT_TRANSFORM_ASSOCIATION)"|table _time fileName busDate fileSequenceNum totalRecordsWritten totalRecords totalClosingBal|search fieldname="$click.value$" | where fieldname2="$busDate$"|sort _time</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="busDate">$click.value$</set>
</drilldown>
</table>
</panel>
</row>

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-01-2023 10:29 PM

This looks like the panel you are drilling down to - the panel you are drilling down from i.e. the bar chart panel, should set the busDate token based on $click.value$ and this panel should use the $busDate$ token to filter its search

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...