Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to highlight events in panel of dashboard based on token in second panel?

bhagyashriyan
Explorer
‎11-30-2017 11:39 PM

Hi Splunkers,

I have a dashboard in Splunk Cloud with total 3 panels. On click of first panel, which is a Statistics table, it drills down to two other panels, which are Statistics Table and Events, respectively. The user wants the corresponding events to get highlighted or color to be changed in the third panel when a row/cell is clicked in second panel(Table), for better visibility. Is this possible to achieve? Please suggest.

Thanks in advance

Bhagyashriyan

0 Karma
Reply

woodcock
Esteemed Legend
‎12-03-2017 06:07 PM

You need the highlight command:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Highlight

Reply

bhagyashriyan
Explorer
‎12-05-2017 09:46 PM

@woodcock, I am working in Splunk Cloud. I tried with highlight command and also panel type is raw but it is not working 😞

0 Karma
Reply

woodcock
Esteemed Legend
‎12-03-2017 10:44 AM

If the sencond panel shows raw events, we can exploit the feature that anything that is in the base search is highlighted automatically.
So just include the stuff to highlight as a token that is set in the first panel, add this token to the base search for the other panel with AND ($YourTokenHere$) which will cause the search to be rerun (the results will be the same) but now you have the for-free highlighting.

Reply

niketn
Legend
‎12-03-2017 05:20 PM

@woodcock, while effect of this is the same as highlight command, the moment we save the search to Dashboard (even with the visualization as Event Viewer), the highlights disappear. I had not checked this in any previous version of Splunk but feel like if we can not save the highlighted search text to Dashboard this feature is not that useful.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

woodcock
Esteemed Legend
‎12-03-2017 06:00 PM

I have it working since v6.?. I am looking at it now on a panel in v7.0. It works.

Reply

niketn
Legend
‎12-03-2017 06:16 PM

Thanks for the comment. This was strange I was trying on fresh install of 7.0.1 and highlight was not working. I looked at the Event Viewer Simple XML configuration and mine was list by default instead of raw. So there is an additional Simple XML change required:

<option name="type">raw</option>

Instead of default

<option name="type">list</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

woodcock
Esteemed Legend
‎12-03-2017 06:28 PM

I did say "raw events"! 😆

Reply

woodcock
Esteemed Legend
‎12-03-2017 06:08 PM

There is also a command for this. See my other answer.

0 Karma
Reply

niketn
Legend
‎12-01-2017 12:14 AM

[Updated]

Thanks to @woodcock for help with this. The highlight command will highlight text in Dashboard panel provided Event view's type is raw and not list or table.

<option name="type">raw</option>

Please try the updated Run any where dashboard below.

@bhagyashriyan, if you are using a drilldown from second panel(Table) to open new Search Window with events then you can use | highlight <YourEventValueToBeHighlighted>. However, it will not be highlighted in event viewer unless type is set to raw (default it list). (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Highlight)

Try the following run anywhere dashboard.

<dashboard>
  <label>Drilldown Highlight Events</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO"
|  chart count over component by log_level 
|  head 10</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition field="component">
            <set token="tokFieldName">$click.name$</set>
            <set token="tokDrilldown">$click.value$</set>
          </condition>
          <condition>
            <set token="tokFieldName">log_level</set>
            <set token="tokDrilldown">$click.name2$</set>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$tokDrilldown$">
    <panel>
      <title>Events $tokDrilldown$</title>
      <event>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO" $tokFieldName$="$tokDrilldown$"
|  highlight $tokDrilldown$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">raw</option>
      </event>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

bhagyashriyan
Explorer
‎12-01-2017 12:49 AM

@niketnilay, There is no drilldown from 2nd panel. 2nd and 3rd panel together drills down from Ist panel. Does highlighter work between panels in the same dashboard?

0 Karma
Reply

niketn
Legend
‎12-01-2017 12:52 AM

I had mentioned that based on your question changed in the third panel when a row/cell is clicked in second panel(Table). However, whether drilldown is from first or second panel is not the issue, issue is that highlight command will not work in Dashboard. 😞

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

bhagyashriyan
Explorer
‎12-01-2017 01:07 AM

Ok @niketnilay. Thanks for the response

0 Karma
Reply

niketn
Legend
‎12-05-2017 10:02 PM

@bhagyashriyan, you should reach out to Splunk Support if it is not working on Splunk cloud.
I tried the run any where dashboard and it worked fine for me after <event> panel had <option name="type">raw</type>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

bhagyashriyan
Explorer
‎12-05-2017 10:54 PM

Ok @niketnilay, Thanks for suggestion.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...