How to edit the XML for my dashboard table drilldo...

prisin123 · ‎08-08-2016

Hi,

My team and I are working on a project and we are trying to open data logs within our dashboard. Our current XML code enables us to open the data logs in the dashboard, but it opens all the logs within the server. So given any attribute that we click on the table, all the data logs are displayed instead of just the data log specific to that attribute. Is there a way I can fix that so only the log related to the attribute is displayed? This is the XML source we have so far:

UPDATE
The logs are being displayed but now for example if I click on a specific ConnID all the logs with that same connID is being displayed. Is there a way to write the query such that only the log related to that specific ConnID and Event that's being clicked on is open?

<form>
    <label>Genesys Search Test</label>
    <fieldset submitButton="false" autoRun="true">
        <input type="text" token="tok_ID" searchWhenChanged="true">
            <label>ConnID/CallUUID</label>
            <default>*</default>
        </input>
    </fieldset>
    <row>
        <panel>
            <title>Genesys Server</title>
            <table>
                <title>Avaya Tserver</title>
                <search>
                    <query>index=windowsapps sourcetype=Genesys_AvayaTserver "$tok_ID$" | rex"(Trc|Adjusted|distribute_event|distribute_user_event|send_to_client|distribute_response):?\s\w+\s(?&lt;EventName&gt;\w+)"| rex"AttributeConnID'?\s'?(?&lt;AttributeConnID&gt;[^\t\n\r]+)"| rex"AttributeANI'?\s'?(?&lt;AttributeANI&gt;[^\t\n\r]+)"| rex"AttributeDNIS'?\s'?(?&lt;AttributeDNIS&gt;[^\t\n]+)"| rex"AttributeCallType'?\s'?(?&lt;AttributeCallType&gt;[^\t\n]+)"|rex"AttributeCallUUID'?\s'?(?&lt;AttributeCallUUID&gt;[^\t\n]+)"|rex"AttributeUserData'?\s'?(?&lt;AttributeUserData&gt;[^\t\n]+)"|table_time EventName AttributeConnID AttributeANI AttributeDNIS AttributeCallType AttributeCallUUID AttributeUserData| where isnotnull(AttributeANI)</query>
                    <earliest>-30d@d</earliest>
                    <latest>now</latest>
                </search>
                <drilldown>
                    <condition>
                        <set token="tok_ShowEvents">true</set>
                        <eval token="e">$click.value$-1</eval >
                        <eval token="l">$click.value$+1</eval >
                        <set token="AttributeConnID">$row.AttributeConnID$</set>
                        <set token="AttributeANI">$row.AttributeANI$</set>
                        <set token="AttributeCallType">$row.AttributeCallType$</set>
                        <set token="AttributeDNIS">$row.AttributeDNIS$</set>
                        <set token="AttributeCallUUID">$row.AttributeCallUUID$</set>
                    </condition>
                </drilldown>
                <option name="wrap">undefined</option>
                <option name="rowNumbers">undefined</option>
                <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
                <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
                <option name="charting.axisTitleX.visibility">visible</option>
                <option name="charting.axisTitleY.visibility">visible</option>
                <option name="charting.axisTitleY2.visibility">visible</option>
                <option name="charting.axisX.scale">linear</option>
                <option name="charting.axisY.scale">linear</option>
                <option name="charting.axisY2.enabled">0</option>
                <option name="charting.axisY2.scale">inherit</option>
                <option name="charting.chart">bubble</option>
                <option name="charting.chart.bubbleMaximumSize">50</option>
                <option name="charting.chart.bubbleMinimumSize">10</option>
                <option name="charting.chart.bubbleSizeBy">area</option>
                <option name="charting.chart.nullValueMode">gaps</option>
                <option name="charting.chart.showDataLabels">none</option>
                <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
                <option name="charting.chart.stackMode">default</option>
                <option name="charting.chart.style">shiny</option>
                <option name="charting.drilldown">all</option>
                <option name="charting.layout.splitSeries">0</option>
                <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
                <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
                <option name="charting.legend.placement">right</option>
                <option name="dataOverlayMode">none</option>
                <option name="drilldown">row</option>
                <option name="count">10</option>
            </table>
        </panel>
    </row>
    <row>
        <panel depends="$tok_ShowEvents$">
            <event>
                <search>
                    <query>index=windowsapps sourcetype=Genesys_AvayaTserver earliest=$e$ latest=$l$ | rex "(Trc|Adjusted|distribute_event|distribute_user_event|send_to_client|distribute_response):?\s\w+\s(?&lt;EventName&gt;\w+)"| rex "AttributeConnID'?\s'?(?&lt;AttributeConnID&gt;[^\t\n\r]+)"| rex "AttributeANI'?\s'?(?&lt;AttributeANI&gt;[^\t\n\r]+)"| rex "AttributeDNIS'?\s'?(?&lt;AttributeDNIS&gt;[^\t\n]+)"| rex "AttributeCallType'?\s'?(?&lt;AttributeCallType&gt;[^\t\n]+)"| rex "AttributeCallUUID'?\s'?(?&lt;AttributeCallUUID&gt;[^\t\n]+)"| rex "AttributeUserData'?\s'?(?&lt;AttributeUserData&gt;[^\t\n]+)"</query>
                    <earliest></earliest>
                    <latest></latest>
                </search>
            </event>
        </panel>
    </row>
</form>

vasanthmss · ‎08-08-2016

you can filter the assigned tokens in the second search (I have added one attribute AttributeConnID. you can add required.

index=windowsapps sourcetype=Genesys_AvayaTserver earliest=$e$ latest=$l$ | rex "(Trc|Adjusted|distribute_event|distribute_user_event|send_to_client|distribute_response):?\s\w+\s(?<EventName>\w+)"| rex "AttributeConnID'?\s'?(?<AttributeConnID>[^\t\n\r]+)"| rex "AttributeANI'?\s'?(?<AttributeANI>[^\t\n\r]+)"| rex "AttributeDNIS'?\s'?(?<AttributeDNIS>[^\t\n]+)"| rex "AttributeCallType'?\s'?(?<AttributeCallType>[^\t\n]+)"| rex "AttributeCallUUID'?\s'?(?<AttributeCallUUID>[^\t\n]+)"| rex "AttributeUserData'?\s'?(?<AttributeUserData>[^\t\n]+)" | where AttributeConnID=$AttributeConnID$

Updated....

<form>
     <label>Genesys Search Test</label>
     <fieldset submitButton="false" autoRun="true">
         <input type="text" token="tok_ID" searchWhenChanged="true">
             <label>ConnID/CallUUID</label>
             <default>*</default>
         </input>
     </fieldset>
     <row>
         <panel>
             <title>Genesys Server</title>
             <table>
                 <title>Avaya Tserver</title>
                 <search>
                     <query>index=windowsapps sourcetype=Genesys_AvayaTserver "$tok_ID$" | rex"(Trc|Adjusted|distribute_event|distribute_user_event|send_to_client|distribute_response):?\s\w+\s(?&lt;EventName&gt;\w+)"| rex"AttributeConnID'?\s'?(?&lt;AttributeConnID&gt;[^\t\n\r]+)"| rex"AttributeANI'?\s'?(?&lt;AttributeANI&gt;[^\t\n\r]+)"| rex"AttributeDNIS'?\s'?(?&lt;AttributeDNIS&gt;[^\t\n]+)"| rex"AttributeCallType'?\s'?(?&lt;AttributeCallType&gt;[^\t\n]+)"|rex"AttributeCallUUID'?\s'?(?&lt;AttributeCallUUID&gt;[^\t\n]+)"|rex"AttributeUserData'?\s'?(?&lt;AttributeUserData&gt;[^\t\n]+)"|table_time EventName AttributeConnID AttributeANI AttributeDNIS AttributeCallType AttributeCallUUID AttributeUserData| where isnotnull(AttributeANI)</query>
                     <earliest>-30d@d</earliest>
                     <latest>now</latest>
                 </search>
                 <drilldown>
                     <condition>
                         <set token="tok_ShowEvents">true</set>
                         <set token="AttributeConnID">$row.AttributeConnID$</set>
                         <set token="AttributeANI">$row.AttributeANI$</set>
                         <set token="AttributeCallType">$row.AttributeCallType$</set>
                         <set token="AttributeDNIS">$row.AttributeDNIS$</set>
                         <set token="AttributeCallUUID">$row.AttributeCallUUID$</set>
                     </condition>
                 </drilldown>
                 <option name="wrap">undefined</option>
                 <option name="rowNumbers">undefined</option>
                 <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
                 <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
                 <option name="charting.axisTitleX.visibility">visible</option>
                 <option name="charting.axisTitleY.visibility">visible</option>
                 <option name="charting.axisTitleY2.visibility">visible</option>
                 <option name="charting.axisX.scale">linear</option>
                 <option name="charting.axisY.scale">linear</option>
                 <option name="charting.axisY2.enabled">0</option>
                 <option name="charting.axisY2.scale">inherit</option>
                 <option name="charting.chart">bubble</option>
                 <option name="charting.chart.bubbleMaximumSize">50</option>
                 <option name="charting.chart.bubbleMinimumSize">10</option>
                 <option name="charting.chart.bubbleSizeBy">area</option>
                 <option name="charting.chart.nullValueMode">gaps</option>
                 <option name="charting.chart.showDataLabels">none</option>
                 <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
                 <option name="charting.chart.stackMode">default</option>
                 <option name="charting.chart.style">shiny</option>
                 <option name="charting.drilldown">all</option>
                 <option name="charting.layout.splitSeries">0</option>
                 <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
                 <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
                 <option name="charting.legend.placement">right</option>
                 <option name="dataOverlayMode">none</option>
                 <option name="drilldown">row</option>
                 <option name="count">10</option>
             </table>
         </panel>
     </row>
     <row>
         <panel depends="$tok_ShowEvents$">
             <event>
                 <search>
                     <query>index=windowsapps sourcetype=Genesys_AvayaTserver "$tok_ID$"  | rex "(Trc|Adjusted|distribute_event|distribute_user_event|send_to_client|distribute_response):?\s\w+\s(?&lt;EventName&gt;\w+)"| rex "AttributeConnID'?\s'?(?&lt;AttributeConnID&gt;[^\t\n\r]+)"| rex "AttributeANI'?\s'?(?&lt;AttributeANI&gt;[^\t\n\r]+)"| rex "AttributeDNIS'?\s'?(?&lt;AttributeDNIS&gt;[^\t\n]+)"| rex "AttributeCallType'?\s'?(?&lt;AttributeCallType&gt;[^\t\n]+)"| rex "AttributeCallUUID'?\s'?(?&lt;AttributeCallUUID&gt;[^\t\n]+)"| rex "AttributeUserData'?\s'?(?&lt;AttributeUserData&gt;[^\t\n]+)" | where AttributeConnID="$AttributeConnID$" AND AttributeANI="$AttributeANI$" AND AttributeCallType="$AttributeCallType$" AND AttributeDNIS="$AttributeDNIS$" AND AttributeCallUUID="$AttributeCallUUID$" </query>
                      <earliest>-30d@d</earliest>
                     <latest>now</latest>
                 </search>
             </event>
         </panel>
     </row>
 </form>

V

prisin123 · ‎08-08-2016

using that for the second query gives me "Error in 'where' command: The operator at 'f51958b' is invalid. "

somesoni2 · ‎08-08-2016

Put the token value within double quotes for where command OR use the search command instead

...remaining portion | where AttributeConnID="$AttributeConnID$"

OR

...remaining portion | search AttributeConnID=$AttributeConnID$

prisin123 · ‎08-08-2016

This works but it's still displaying all the logs

somesoni2 · ‎08-08-2016

I see you're creating 5 tokens from drilldown section on the first table, so add all those field comparison in the where clause, as oppose to just one you're doing currently.

prisin123 · ‎08-08-2016

So I tried doing the using the logical operators when I use OR all the logs are still being displayed and with AND I get a "Search did not return any events. " message

somesoni2 · ‎08-08-2016

So, your second search looks like this now?

...remaining portion | where AttributeConnID=$row.AttributeConnID$" AND AttributeANI="$AttributeANI$" AND  AttributeCallType="$AttributeCallType$" AND  AttributeDNIS="$AttributeDNIS$" AND  AttributeCallUUID="$AttributeCallUUID$"

prisin123 · ‎08-09-2016

Is there anything else that I can try?

vasanthmss · ‎08-11-2016

open the search string in search window and check the tokens are populated properly. make sure the following,

while setting token use row. eg. row.AttributeConnID$. here AttributeConnID should be available in the table row.
while using the token you should use the assigned name

< set token="token_used_in_search" >$row.field_avilable_in_table$< /set >

***there will not be any space

V

prisin123 · ‎08-12-2016

I currently have panel depends="$tok_ShowEvents$"> where am I supposed to add the set token="token_used_in_search"?

vasanthmss · ‎08-16-2016

Look for the updated xml in the answer hope this will helps you

V

prisin123 · ‎08-08-2016

Yes, that's what my second search looks like, except instead of being "$row.AttributeConnID$" it's "$rAttributeConnID$" but I tried it with "row" and I get a search is waiting input message

How to edit the XML for my dashboard table drilldown to only display log data specific to the attribute I click on?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)