Hi Splunkers,
I have a dashboard in Splunk Cloud with a total of 3 panels. On click of the first panel, which is a Statistics table, it drills down to two other panels, which are a Statistics Table and Events, respectively. The user wants the corresponding events to get highlighted or color to be changed in the third panel when a row/cell is clicked in second panel(Table), for better visibility. Is this possible to achieve? Please suggest.
Thanks in advance
Bhagyashriyan
You need the highlight command: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Highlight
@woodcock, I am working in Splunk Cloud. I tried with highlight command and also panel type is raw but it is not working 😞
If the second panel shows raw events, we can exploit the feature that anything that is in the base search is highlighted automatically.
So just include the stuff to highlight as a token that is set in the first panel, add this token to the base search for the other panel with AND ($YourTokenHere$) which will cause the search to be rerun (the results will be the same) but now you have the for-free highlighting.
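The approach described in the comment above, written out as a dashboard; this is an added example, not code from the thread. The token name tokHighlight and the component-only table are assumptions, and the |s token filter is used so the clicked value is inserted into the search as a single quoted term.

```xml
<dashboard>
  <label>Drilldown Highlight via Search Term</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO"
| stats count by component
| head 10</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- tokHighlight is an assumed token name; it carries the clicked component -->
          <set token="tokHighlight">$row.component$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$tokHighlight$">
    <panel>
      <title>Events for $tokHighlight$</title>
      <event>
        <search>
          <!-- The same value is used twice: as a field filter and as a bare search term.
               |s wraps the value in quotes, so spaces or quotes in it cannot alter the query. -->
          <query>index=_internal sourcetype=splunkd log_level!="INFO" component=$tokHighlight|s$ AND ($tokHighlight|s$)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">20</option>
        <!-- Event viewer type must be raw, as noted later in this thread; the default is list -->
        <option name="type">raw</option>
      </event>
    </panel>
  </row>
</dashboard>
```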
@woodcock, while effect of this is the same as highlight command, the moment we save the search to Dashboard (even with the visualization as Event Viewer), the highlights disappear. I had not checked this in any previous version of Splunk but feel like if we can not save the highlighted search text to Dashboard this feature is not that useful.
I have it working since v6.?. I am looking at it now on a panel in v7.0. It works.
Thanks for the comment. This was strange: I was trying on a fresh install of 7.0.1 and highlight was not working. I looked at the Event Viewer Simple XML configuration and mine was list by default instead of raw. So there is an additional Simple XML change required:
<option name="type">raw</option>
Instead of default
<option name="type">list</option>
I did say "raw events"! 😆
There is also a command for this. See my other answer.
[Updated]
Thanks to @woodcock for help with this. The highlight command will highlight text in a Dashboard panel provided the Event view's type is raw and not list or table.
<option name="type">raw</option>
Please try the updated run-anywhere dashboard below.
@bhagyashriyan, if you are using a drilldown from second panel (Table) to open a new Search Window with events then you can use | highlight <YourEventValueToBeHighlighted>. However, it will not be highlighted in the event viewer unless type is set to raw (default is list). (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Highlight)
Try the following run-anywhere dashboard.
<dashboard>
  <label>Drilldown Highlight Events</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO"
| chart count over component by log_level
| head 10</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition field="component">
            <set token="tokFieldName">$click.name$</set>
            <set token="tokDrilldown">$click.value$</set>
          </condition>
          <condition>
            <set token="tokFieldName">log_level</set>
            <set token="tokDrilldown">$click.name2$</set>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$tokDrilldown$">
    <panel>
      <title>Events $tokDrilldown$</title>
      <event>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO" $tokFieldName$="$tokDrilldown$"
| highlight $tokDrilldown$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">raw</option>
      </event>
    </panel>
  </row>
</dashboard>
@niketnilay, there is no drilldown from the 2nd panel. The 2nd and 3rd panels together drill down from the 1st panel. Does the highlighter work between panels in the same dashboard?
I had mentioned that based on your question "changed in the third panel when a row/cell is clicked in second panel(Table)". However, whether the drilldown is from the first or second panel is not the issue; the issue is that the highlight command will not work in Dashboard. 😞
Ok @niketnilay. Thanks for the response
@bhagyashriyan, you should reach out to Splunk Support if it is not working on Splunk cloud.
I tried the run-anywhere dashboard and it worked fine for me after the <event> panel had <option name="type">raw</option>
Ok @niketnilay, Thanks for suggestion.