Dashboards & Visualizations

How to highlight events in panel of dashboard based on token in second panel?

Explorer

Hi Splunkers,

I have a dashboard in Splunk Cloud with total 3 panels. On click of first panel, which is a Statistics table, it drills down to two other panels, which are Statistics Table and Events, respectively. The user wants the corresponding events to get highlighted or color to be changed in the third panel when a row/cell is clicked in second panel(Table), for better visibility. Is this possible to achieve? Please suggest.

Thanks in advance

Bhagyashriyan

0 Karma

Esteemed Legend
0 Karma

Explorer

@woodcock, I am working in Splunk Cloud. I tried with highlight command and also panel type is raw but it is not working 😞

0 Karma

Esteemed Legend

If the sencond panel shows raw events, we can exploit the feature that anything that is in the base search is highlighted automatically.
So just include the stuff to highlight as a token that is set in the first panel, add this token to the base search for the other panel with AND ($YourTokenHere$) which will cause the search to be rerun (the results will be the same) but now you have the for-free highlighting.

Legend

@woodcock, while effect of this is the same as highlight command, the moment we save the search to Dashboard (even with the visualization as Event Viewer), the highlights disappear. I had not checked this in any previous version of Splunk but feel like if we can not save the highlighted search text to Dashboard this feature is not that useful.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Esteemed Legend

I have it working since v6.?. I am looking at it now on a panel in v7.0. It works.

Legend

Thanks for the comment. This was strange I was trying on fresh install of 7.0.1 and highlight was not working. I looked at the Event Viewer Simple XML configuration and mine was list by default instead of raw. So there is an additional Simple XML change required:

<option name="type">raw</option>

Instead of default

<option name="type">list</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Esteemed Legend

I did say "raw events"! 😆

Esteemed Legend

There is also a command for this. See my other answer.

0 Karma

Legend

[Updated]

Thanks to @woodcock for help with this. The highlight command will highlight text in Dashboard panel provided Event view's type is raw and not list or table.

<option name="type">raw</option>

Please try the updated Run any where dashboard below.


@bhagyashriyan, if you are using a drilldown from second panel(Table) to open new Search Window with events then you can use | highlight <YourEventValueToBeHighlighted>. However, it will not be highlighted in event viewer unless type is set to raw (default it list). (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Highlight)

Try the following run anywhere dashboard.

<dashboard>
  <label>Drilldown Highlight Events</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO"
|  chart count over component by log_level 
|  head 10</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition field="component">
            <set token="tokFieldName">$click.name$</set>
            <set token="tokDrilldown">$click.value$</set>
          </condition>
          <condition>
            <set token="tokFieldName">log_level</set>
            <set token="tokDrilldown">$click.name2$</set>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$tokDrilldown$">
    <panel>
      <title>Events $tokDrilldown$</title>
      <event>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO" $tokFieldName$="$tokDrilldown$"
|  highlight $tokDrilldown$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">raw</option>
      </event>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Explorer

@niketnilay, There is no drilldown from 2nd panel. 2nd and 3rd panel together drills down from Ist panel. Does highlighter work between panels in the same dashboard?

0 Karma

Legend

I had mentioned that based on your question changed in the third panel when a row/cell is clicked in second panel(Table). However, whether drilldown is from first or second panel is not the issue, issue is that highlight command will not work in Dashboard. 😞

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Explorer

Ok @niketnilay. Thanks for the response

0 Karma

Legend

@bhagyashriyan, you should reach out to Splunk Support if it is not working on Splunk cloud.
I tried the run any where dashboard and it worked fine for me after <event> panel had <option name="type">raw</type>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Explorer

Ok @niketnilay, Thanks for suggestion.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!