Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to return details from a results bar graph into a separate table?

KalebeRS
Explorer
‎08-03-2023 01:02 AM

Hello, I have this code for a clickable chart to show details about the bar graph printed bellow:


index="" host= sourcetype=csv source=C:\\....\\*
| dedup source iswID iswCQR iswCC
| table iswID iswTitle iswCQR iswCCsource
| where iswCQR !=""
| eval YYYY_CW_DD=split(source,"\\")
| eval YYYY_CW_DD=substr(mvindex(YYYY_CW_DD, mvcount(YYYY_CW_DD)-1),1,11)
| eval test1=if((iswCC="New Requirement") and (iswCQR !="No" and iswCQR !="Quoted" and iswCQR !="Accepted"), 1,0)
| stats sum(test1) as "New requirement without No, Quoted, Accepted" by YYYY_CW_DD
| where YYYY_CW_DD="$date2$"
| where "New requirement without No, Quoted, Accepted"="$yaxis2$"

The drilldown token is set as $date2$ = $click.value$ and $yaxis2$=$click.name2$

The chart code is almost the same as this, besides the addition of the drilldown tokens

 

The goal is to show in the details table all the ID's that are summed inside the bar graph, for instance, the 86 values in the bar (showed in the print bellow)  should return the 86 IDs listed in the table.

KalebeRS_0-1691049697096.png

 


How can I do that?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-03-2023 02:05 AM

Try something like this

index="" host= sourcetype=csv source=C:\\....\\*
| dedup source iswID iswCQR iswCC
| table iswID iswTitle iswCQR iswCCsource
| where iswCQR !=""
| eval YYYY_CW_DD=split(source,"\\")
| eval YYYY_CW_DD=substr(mvindex(YYYY_CW_DD, mvcount(YYYY_CW_DD)-1),1,11)
| where YYYY_CW_DD="$date2$"
| where (iswCC="New Requirement") and (iswCQR !="No" and iswCQR !="Quoted" and iswCQR !="Accepted")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-03-2023 02:05 AM

Try something like this

index="" host= sourcetype=csv source=C:\\....\\*
| dedup source iswID iswCQR iswCC
| table iswID iswTitle iswCQR iswCCsource
| where iswCQR !=""
| eval YYYY_CW_DD=split(source,"\\")
| eval YYYY_CW_DD=substr(mvindex(YYYY_CW_DD, mvcount(YYYY_CW_DD)-1),1,11)
| where YYYY_CW_DD="$date2$"
| where (iswCC="New Requirement") and (iswCQR !="No" and iswCQR !="Quoted" and iswCQR !="Accepted")
0 Karma
Reply
Solved! Jump to solution

KalebeRS
Explorer
‎08-03-2023 03:28 AM

Do you have any tip for graphs that have two or more fields? Same case as my first question, but in this case now I have two fields.

 

index="" host= sourcetype=csv source=C:\\.....\\*
| dedup source LCS ID
| table ID Title source LCS SWVersion pverLCS
| where pverLCS!="Closed" and pverLCS!="Canceled"
| search pverSWVersion=$sw_version_filter$
| eval YYYY_CW_DD=split(source,"\\")
| eval YYYY_CW_DD=substr(mvindex(YYYY_CW_DD, mvcount(YYYY_CW_DD)-1),1,11)
| where YYYY_CW_DD="$date3$"
| eval test1=if(LCS!="Planned" and LCS!="Implemented" and LCS!="Qualified" and LCS!="Canceled",1,0)
| eval test2=if(LCS="Planned" or LCS="Implemented" or LCS="Qualified" or LCS="Canceled",1,0)
| fields - source LCS SWVersion pverLCS YYYY_CW_DD test1 test2

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-03-2023 03:42 AM

The search doesn't look quite right, your table commands defines the fields you want near the start, but the fields command removes most of them just leaving you with ID and Title; is that what you want in your table?

Assuming this is what you want, what search are you using for your chart?

0 Karma
Reply
Solved! Jump to solution

KalebeRS
Explorer
‎08-03-2023 04:07 AM

Almost the same besides the sum for the two evals for the results.

What I need in the details table is just the ID's and titles. Same as my original question, but with two fields now.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-03-2023 04:21 AM

"Almost the same" does say what the two fields are called.

In the drilldown from the first chart, you could set a token "test_result", which is set to 1 if one column is selected ($click.name2$ == "New requirement without No, Quoted, Accepted") and 0 if the other column is selected.

<eval token="test_result">if($click.name2$ == "New requirement without No, Quoted, Accepted", 1, 0)</eval>

 Then change your search to check this new token

index="" host= sourcetype=csv source=C:\\.....\\*
| dedup source LCS ID
| table ID Title source LCS SWVersion pverLCS
| where pverLCS!="Closed" and pverLCS!="Canceled"
| search pverSWVersion=$sw_version_filter$
| eval YYYY_CW_DD=split(source,"\\")
| eval YYYY_CW_DD=substr(mvindex(YYYY_CW_DD, mvcount(YYYY_CW_DD)-1),1,11)
| where YYYY_CW_DD="$date3$"
| where (LCS!="Planned" and LCS!="Implemented" and LCS!="Qualified" and LCS!="Canceled" and $test_result$ == 1) OR $test_result$ != 1
| fields - source LCS SWVersion pverLCS YYYY_CW_DD test1 test2
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...