Dashboards & Visualizations

How to show one value on click of another value?


Hi Team,

I am using below query to show my two fields "Inputrecords" and OutputRecords"

index="abc*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" | rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"| table _time totalInputRecordsCount totalOutputRecordsCount

I am getting the result as below:


I want on clicking of Output records these two records should get displayed "nonFinChargeAccounts" and "finChargeAccounts"

index="abc*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" | rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"| table _time totalInputRecordsCount totalOutputRecordsCount

Can someone guide me with query .

Your rex command does not extract the fields that you want - please refer to the other teachings we have been trying to give you.

I have extracted all the fields I required :

ndex="abc*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" | rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"| table _time totalInputRecordsCount totalOutputRecordsCount

Currently I am showing in Bar chart for totalInputRecordsCount and totalOutputRecordsCount

I want on click of totalOutputRecordsCount it should show nonFinChargeAccounts and finChargeAccounts

Can you please guide here

Your drilldown should use $click.value$ to get the value from the first column (_time) and use that to filter your search for events.

I don't want _time to be displayed I want $click.value$ on OutputRecordfields

Can you please guide me with the query I need to show that.

If you don't want _time displayed, remove it from the list of fields once you have filtered the search.

Please share what you currently have in your drilldown definition and panel searches.

My current query is this:

index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount 

I am showing these two totalInputRecordsCount totalOutputRecordsCount  in bar chart 

I want on click of totalOutputRecordsCount I want to show nonFinChargeAccounts and finChargeAccounts

Please guide


The panel you are drilling down from i.e. the bar chart panel, should set the busDate token based on $click.value$ and the panel you are drilling down to should use the $busDate$ token to filter its search

I want on click of totalOutputRecordsCount   I need to fin charge and non fin charge

<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<set token="selected_value1">$click.value1$</set>

@ITWhisperer  Can you please guide me with code here as I need to add it in panel today

As I have told you before, the click tokens are value, name, value2 and name2. There isn't a value1. In your case, you should use value i.e.

<set token="selected_value1">$click.value$</set>

You will then have a token called $selected_value1$ which you can use in your drilled down panel to filter _time with and display just the columns you want from that search.

My Main panel query is below:

index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount

<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<set token="show_panel">true</set>
<set token="selected_value1">$click.value1$</set>

Apart from that my drill down panel is as below:

<panel depends="$show_panel$">
<title>Caller Details</title>
<query>index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount $selected_value1$ </query>
<option name="count">100</option>

@ITWhisperer its not working please guide.

Please read very carefully what I have previously said about click tokens

Also, how do you think you could filter the results you have using the value in the selected_value1 token?

This is my main query:

index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount

<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<set token="show_panel">true</set>
<set token="selected_value1">$click.value1$</set>

Now on totalOutputRecordsCount I want a drill down panel to be open and show nonFinChargeAccounts and finChargeAccounts

This is my drill down panel:

<panel depends="$show_panel$">
<title>Caller Details</title>
<query>index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table  nonFinChargeAccounts finChargeAccounts $selected_value$ </query>
<option name="count">100</option>


@ITWhisperer not sure how to display it.

Please read very carefully what I have previously said about click tokens

Also, how do you think you could filter the results you have using the value in the selected_value1 token?

To put it another way, if you wanted to change the search in the second panel so it only kept events for a specific time, how would you do that?

Is this drill down panel correct

<panel depends="$show_panel$">
<title>Caller Details</title>
<query>index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table _time  nonFinChargeAccounts finChargeAccounts $selected_value$ </query>
<option name="count">100</option>

Not sure @ITWhisperer  Can you please guide me I need to show it today.

No - all you have done is add a field name to the table command - the field name you have added will be the value of the token which (when you get the drilldown sorted out) would be a time value in seconds. What I think you want to do is filter the event returned by the search so that they only include the events with a time value matching the value in the token. Is that correct?

In my main panel I am showing two filed in bar chart format 

totalInputRecordsCount and totalOutputRecordsCount

In my drilldown panel I want on click of totalOutputRecordsCount it should show these two fileds

nonFinChargeAccounts and finChargeAccounts along with _time (in any format table,column,bar)

I am unable to achieve this:

below is my main panel query:

index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount

<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<set token="show_panel">true</set>
<set token="selected_value1">$click.value1$</set>

And this is my drill down panel:

<panel depends="$show_panel$">
<title>Caller Details</title>
<query>index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount $selected_value1$ </query>
<option name="count">100</option>

@ITWhisperer  please guide here

Why do you keep repeating what I have already commented on without taking any notice of what I have said and suggested? If you don't understand what I have said, please clarify what it is that you don't understand and I will try to explain it in a different way. My answers are intended to guide you (as you have asked) so that you can learn how to use Splunk more effectively.

I am not understanding what I need to pass in drill down panel.

OK I'll repeat it

As I have told you before, the click tokens are value, name, value2 and name2. There isn't a value1. In your case, you should use value i.e.

<set token="selected_value1">$click.value$</set>

You will then have a token called $selected_value1$ which you can use in your drilled down panel to filter _time with and display just the columns you want from that search.

I tried like this . My Main panel query is this:

index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount

<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<set token="show_panel">true</set>
<set token="selected_value1">$click.value$</set>

And my drill down panel query is this:

<query>index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table  nonFinChargeAccounts finChargeAccounts $selected_value1$ </query>
<option name="count">100</option>

@ITWhisperer its still not working for me.

