How to see each event separately in Dashboard?

Renunaren · ‎01-31-2023

I have a dashboard with column visualisation for the bars which Error, Success and Running event count details. I need to see the each events such as Error events seperately, Success events seperately, Running events seperately on clicking those bar charts. Need help on how to edit the drill downs.

ITWhisperer · ‎01-31-2023

Are you using Dashboard Studio or SimpleXML?

What do you have in your dashboard so far?

How do you want to display the details? In a separate window or additional panels in the same window?

Renunaren · ‎01-31-2023

Additional panels in the same window

Renunaren · ‎01-31-2023

I am using a simple xml dashboard like below

In the above column chart the green one indicates the success event count while the same with the blue one for running events count and the same yellow for the waiting events.

I want to edit a drill down in a same page of the dashboard by clicking on the above columns it has to show the events which has been created in the form of a table in the same dashboard

ITWhisperer · ‎01-31-2023

You can do something along these lines. $click.name2$ is the name of the series clicked, the drilldown conditionally sets up some tokens to enable to the display of the details panels

  <row>
    <panel>
      <chart>
        <search>
          <query>| makeresults count=1000
| eval state=mvindex(split("Running,Success,Wait",","),-1+floor(log(random()%1000,10)))
| eval x=random()%5
| eval value=random()%10
| chart sum(value) by x state</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <condition match="$click.name2$=&quot;Running&quot;">
            <set token="showrunning"></set>
            <set token="valuer">$click.value$</set>
          </condition>
          <condition match="$click.name2$=&quot;Success&quot;">
            <set token="showsuccess"></set>
            <set token="values">$click.value$</set>
          </condition>
          <condition match="$click.name2$=&quot;Wait&quot;">
            <set token="showwait"></set>
            <set token="valuew">$click.value$</set>
          </condition>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel depends="$showrunning$">
      <table>
        <search>
          <query>| makeresults count=1000
| eval state=mvindex(split("Running,Success,Wait",","),-1+floor(log(random()%1000,10)))
| eval x=random()%5
| eval value=random()%10
| where state="Running" AND value=$valuer$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$showsuccess$">
      <table>
        <search>
          <query>| makeresults count=1000
| eval state=mvindex(split("Running,Success,Wait",","),-1+floor(log(random()%1000,10)))
| eval x=random()%5
| eval value=random()%10
| where state="Success" AND value=$values$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$showwait$">
      <table>
        <search>
          <query>| makeresults count=1000
| eval state=mvindex(split("Running,Success,Wait",","),-1+floor(log(random()%1000,10)))
| eval x=random()%5
| eval value=random()%10
| where state="Wait" AND value=$valuew$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>

How to see each event separately in Dashboard?

dashboard

panel

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio