Dashboards & Visualizations

How to pass values of a dashboard panel to a drill-down, but NOT the click.values

tomsetti
Engager

The use case is this: I have a dashboard with a chart on it that shows the count of soap Faults for various Services over 4 hourly Time Buckets. The chart is shown as a line graph with a separate line for each Service (fault counts on Y-axis, time bucket on the X-axis). I'd like to click on a "cell" and bring-up a table showing the count of faults broken-out by FaultCode for the Service and Time Bucket where I clicked. So, the table will only be for a single Service and a single time bucket, but will show the count for each FaultCode for that Service in that time bucket. Using the "click.value" and "click.value2" facilities, I can only pass the count of faults - I cannot find a way to pass the Service name to the drill-down search. Intentions do not seem able to pass information from the legend to the drill-down search; but I cannot find any other way to do this either.

Any and all pointers are welcomed.

After a little thought... I suppose this would be challenging where the lines overlap; it would be difficult for Splunk to know which Service to show in the drill-down table. Perhaps access via the legend will do.

I see how to use click.value and click.value2 to get the X and Y values from a chart, but I don't see a way to pass the value I click on the legend to a drill-down table. Does anyone know a way to do that?

Looks like the "drill-down from legend" is supposed to be built-in; but when I click on a dashboard chart that I build with the "simple" XML, then converted to the "advanced XML", this feature does not work. Instead, I get some error messages:

(1) "Encountered an unexpected error while parsing intentions."
(2) "PARSER: Applying intentions failed Drilldown error: unable to drill down on legend 'NetworkService'"

Below is the chunk of XML for that chart; there are no declared intentions, but I don't know how to do that for the legend (cannot find anything in the docs for that).

When I try the "legend click" on an older version that has not been converted to the "advanced XML", it also fails in the same way; so, perhaps the conversion has nothing to do with this problem. Meanwhile another very similar chart allows the automatic legend-click drill-down with no errors; this seems broken.

  <module name="HiddenSavedSearch" layoutPanel="panel_row1_col1" group="Hourly Fault Count for Selected Services" autoRun="True">
    <param name="savedSearch">Hourly Fault Count for Selected Services</param>
    <param name="groupLabel">Hourly Fault Count for Selected Services</param>
    <module name="ViewstateAdapter">
      <param name="savedSearch">Hourly Fault Count for Selected Services</param>
      <module name="HiddenFieldPicker">
        <param name="strictMode">True</param>
        <module name="JobProgressIndicator">
          <module name="EnablePreview">
            <param name="enable">True</param>
            <param name="display">False</param>
            <module name="HiddenChartFormatter">
              <module name="FlashChart">
                <param name="width">100%</param>
                <module name="ConvertToDrilldownSearch">
                  <module name="ViewRedirector">
                    <param name="viewTarget">flashtimeline</param>
                  </module>
                </module>
              </module>
              <module name="ViewRedirectorLink">
                <param name="viewTarget">flashtimeline</param>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
Tags (2)

sideview
SplunkTrust
SplunkTrust

Something a little unusual in the search language is causing the intention code to not work. The "ConvertToDrilldownSearch" module by the way is the module that's bringing intentions into the picture.

If you paste in the search syntax we might be able to help tweak it so as to not trigger this intention bug. However the best thing to do is probably to start using Sideview Utils, which is an app I develop to make a lot of things a lot easier and more transparent. Drilldowns are definitely one of those things. Incidentally the 'split-by' fields are available downstream from SimpleResultsTable and FlashChart modules as "click.name2".

To take a simple example, if you wanted to run a second search for just that NetworkService value, and display a couple properties in raw text, you could use the Sideview modules "Search" and "HTML" like so. (Along the way I cleaned up a bunch of syntax mistakes that got introduced when this was converted from the simple xml)

<module name="HiddenSavedSearch" layoutPanel="panel_row1_col1" group="Hourly Fault Count for Selected Services" autoRun="True">
  <param name="savedSearch">Hourly Fault Count for Selected Services</param>
  <module name="ViewstateAdapter">
    <param name="savedSearch">Hourly Fault Count for Selected Services</param>
    <module name="JobProgressIndicator" />
    <module name="EnablePreview">
      <param name="enable">True</param>
      <param name="display">False</param>
    </module>
    <module name="HiddenChartFormatter">
      <module name="FlashChart">
        <param name="width">100%</param>

        <module name="Search">
          <param name="search">
            NetworkService="$click.name2$" ((some search terms and probably a stats command, to go get a single row of properties for this service))
          </param>

          <module name="HTML">
            <param name="html"><![CDATA[
              someProperty: $results[0].someFieldName$<br>
              someOtherProperty: $results[0].someOtherFieldName$
            ]]></param>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

tomsetti
Engager

Hi Nick. Thanks for the response. When you suggested that the search might be written differently, I re-wrote a part of it. The "timechart" section was using individually written terms to make the columns show-up. Now, instead, I reference a field defined in the body of the search "| eval columnName=substr(sourcetype, 0, len(sourcetype)-9)" so the "timechart" term looks like this: "| timechart span=1h partial=false count by columnName". With that change, the "built-in" drill-down on the legend started working. I suspect that if I use the "click.name2" now, I'll be able to do something more interesting with the drill-down. Also, asked my Splunk Admin to install your Sideview extension / add-on for Splunk. Once that happens, I'll give it a try. Thanks for making that contribution to the Splunk community - one of the architects at Splunk spoke very highly of it.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...