How to pass my current search result as a variable to the next dynamic drilldown search?

Path Finder

Hi,
I have a two-panel dashboard. If I select a process in the first panel, I want the logs related to that process, within its time range, to be displayed in the second panel.
I have used dynamic drilldown to display the _raw data in the second panel.

process             START_TIME          END_TIME            Duration   PID
PR_FileWorker_AA    01/10/17 01:00:01   01/10/17 01:03:49   227        30387
PR_FileWorker_AA    01/09/17 13:15:01   01/09/17 13:15:43   42         11077

In my drilldown panel, the search should display all the logs related to the process within the STARTTIME to ENDTIME time frame. I need to pass Process, STARTTIME and ENDTIME as the variables for the drilldown panel.


Re: How to pass my current search result as a variable to the next dynamic drilldown search?

SplunkTrust

What you need is the contextual drilldown (in-page drilldown), where you'll set tokens to capture process, STARTTIME and ENDTIME from the row that the user has clicked and pass them on to the second panel search. See this for an example of it.

http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/Understandbasictableandchartdrilldownactions#C...


Re: How to pass my current search result as a variable to the next dynamic drilldown search?

Path Finder

Hi soni,
First, thanks for the reply.
What I am expecting exactly is this: the first search gives process, STARTTIME and ENDTIME, and I want to pass those process, STARTTIME and ENDTIME values to the contextual drilldown panel's search input query, like
source=source Process=$process$ STARTTIME=$STARTTIME$ ENDTIME=$ENDTIME$


Re: How to pass my current search result as a variable to the next dynamic drilldown search?

SplunkTrust

Yes, the example in the link shows you exactly the same, but with just one field being passed. What you need to do is just add 3 <set token= elements for your 3 fields that you want to pass, and use the query the way you described in the above comment.

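The three-token drilldown described in this thread, written out as a Simple XML dashboard. This is an added example, not code from any of the posts. The base search (placeholder_index, placeholder_sourcetype), placeholder_source, the helper fields start_epoch / end_epoch and the month/day/year reading of the timestamps are assumptions. It also uses the start and end tokens as the time range of the second search rather than as field filters.

```xml
<dashboard>
  <label>Process drilldown (constructed example)</label>
  <row>
    <panel>
      <table>
        <search>
          <!-- Placeholder base search: replace the first line with the search
               that produces the process table. The two eval fields are epoch
               versions of START_TIME / END_TIME, assuming a %m/%d/%y format. -->
          <query>index=placeholder_index sourcetype=placeholder_sourcetype
| table process START_TIME END_TIME Duration PID
| eval start_epoch=strptime(START_TIME, "%m/%d/%y %H:%M:%S")
| eval end_epoch=strptime(END_TIME, "%m/%d/%y %H:%M:%S") + 1</query>
          <!-- +1 second because the "latest" bound of a search is exclusive -->
        </search>
        <!-- Show only the original columns; the epoch fields stay in the
             results so the drilldown can still read them via $row.*$ -->
        <fields>process, START_TIME, END_TIME, Duration, PID</fields>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- One <set> per value taken from the clicked row -->
          <set token="process">$row.process$</set>
          <set token="STARTTIME">$row.start_epoch$</set>
          <set token="ENDTIME">$row.end_epoch$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <!-- Hidden until a row has been clicked and $process$ is set -->
    <panel depends="$process$">
      <title>Raw events for $process$</title>
      <event>
        <search>
          <!-- |s wraps the token value in quotes, so a process name with
               spaces or special characters cannot change the search -->
          <query>source=placeholder_source Process=$process|s$</query>
          <earliest>$STARTTIME$</earliest>
          <latest>$ENDTIME$</latest>
        </search>
      </event>
    </panel>
  </row>
</dashboard>
```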