Re: How to create drilldown with row

aditsss · ‎08-01-2023

Hi Team,

I have created below query to create drill down and show raw logs but its not working for me.

Can someone please help me with it.

<row>
<panel>
<title>Association BalanceStatistics - Send</title>
<table>
<search>
<query>index="abc*" sourcetype=600000304_gg_abs_ipc2 " AssociationProcessor - compareTransformStatsData : statisticData: StatisticData" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " AssociationProcessor - compareTransformStatsData : statisticData: StatisticData totalOutputRecords=(?<totalOutputRecords>), totalInputRecords=(?<totalInputRecords>),busDt=(?<busDt>),fileName=(?<fileName>),totalClosingBal=(?<totalClosingBal>)"|table _time totalOutputRecords totalInputRecords busDt fileName totalClosingBal|sort _time</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="show_panel">true</set>
<set token="selected_value1">$click.value1$</set>
</drilldown>
</table>
</panel>
</row>

ITWhisperer · ‎08-01-2023

Your rex command does not extract the fields that you want - please refer to the other teachings we have been trying to give you.

Also, $click.value1$ may not be the token you want from the drilldown. See this post for token names Solved: Re: Dynamic Drilldown view based on selected cell'... - Splunk Community

aditsss · ‎08-01-2023

@ITWhisperer

I tried this but still drilldown is not working

<row>
<panel>
<title>Association BalanceStatistics - Receive(ControlFileData)</title>
<table>
<search>
<query>index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" " AssociationProcessor* associationStats={}] ---- controlFileData: ControlFileData" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " AssociationProcessor* - associationStats={}] ---- controlFileData: ControlFileData ,busDate=(?<busDate>),fileSequenceNum=(?<fileSequenceNum>),totalRecordsWritten=(?<totalRecordsWritten>),totalRecords=(?<totalRecords>),totalClosingBal=(?<totalClosingBal>)"|rex "fileName=(?<fileName>SETTLEMENT_TRANSFORM_ASSOCIATION)"|table _time fileName busDate fileSequenceNum totalRecordsWritten totalRecords totalClosingBal|search fieldname="$click.value$" | where fieldname2="$busDate$"|sort _time</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="busDate">$click.value$</set>
</drilldown>
</table>
</panel>
</row>

ITWhisperer · ‎08-01-2023

This looks like the panel you are drilling down to - the panel you are drilling down from i.e. the bar chart panel, should set the busDate token based on $click.value$ and this panel should use the $busDate$ token to filter its search

How to create drilldown with row?

chart

drilldown

panel

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?