Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to show one value on click of another value?

aditsss
Motivator
‎08-01-2023 12:20 PM

Hi Team,

I am using below query to show my two fields "Inputrecords" and OutputRecords"

index="abc*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" | rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"| table _time totalInputRecordsCount totalOutputRecordsCount

I am getting the result as below:

Records.PNG

I want on clicking of Output records these two records should get displayed "nonFinChargeAccounts" and "finChargeAccounts"

index="abc*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" | rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"| table _time totalInputRecordsCount totalOutputRecordsCount

Can someone guide me with query .

Labels (3)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-01-2023 02:43 PM

Your rex command does not extract the fields that you want - please refer to the other teachings we have been trying to give you.

0 Karma
Reply

aditsss
Motivator
‎08-01-2023 07:42 PM

@ITWhisperer 

I have extracted all the fields I required :

ndex="abc*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" | rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"| table _time totalInputRecordsCount totalOutputRecordsCount

Currently I am showing in Bar chart for totalInputRecordsCount and totalOutputRecordsCount

I want on click of totalOutputRecordsCount it should show nonFinChargeAccounts and finChargeAccounts

Can you please guide here

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-01-2023 10:13 PM

Your drilldown should use $click.value$ to get the value from the first column (_time) and use that to filter your search for events.

0 Karma
Reply

aditsss
Motivator
‎08-01-2023 10:15 PM

@ITWhisperer 

I don't want _time to be displayed I want $click.value$ on OutputRecordfields

Can you please guide me with the query I need to show that.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-01-2023 10:18 PM

If you don't want _time displayed, remove it from the list of fields once you have filtered the search.

Please share what you currently have in your drilldown definition and panel searches.

0 Karma
Reply

aditsss
Motivator
‎08-01-2023 10:24 PM

@ITWhisperer 

My current query is this:

index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount 

I am showing these two totalInputRecordsCount totalOutputRecordsCount  in bar chart 

I want on click of totalOutputRecordsCount I want to show nonFinChargeAccounts and finChargeAccounts

Please guide

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-01-2023 10:31 PM

The panel you are drilling down from i.e. the bar chart panel, should set the busDate token based on $click.value$ and the panel you are drilling down to should use the $busDate$ token to filter its search

0 Karma
Reply

aditsss
Motivator
‎08-01-2023 10:38 PM

@ITWhisperer 

I want on click of totalOutputRecordsCount   I need to fin charge and non fin charge

<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="selected_value1">$click.value1$</set>
</drilldown>

@ITWhisperer  Can you please guide me with code here as I need to add it in panel today

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-01-2023 10:43 PM

As I have told you before, the click tokens are value, name, value2 and name2. There isn't a value1. In your case, you should use value i.e.

<set token="selected_value1">$click.value$</set>

You will then have a token called $selected_value1$ which you can use in your drilled down panel to filter _time with and display just the columns you want from that search.

0 Karma
Reply

aditsss
Motivator
‎08-01-2023 11:14 PM

@ITWhisperer 

My Main panel query is below:

index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount

<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="show_panel">true</set>
<set token="selected_value1">$click.value1$</set>
</drilldown>

Apart from that my drill down panel is as below:

<row>
<panel depends="$show_panel$">
<table>
<title>Caller Details</title>
<search>
<query>index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount $selected_value1$ </query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
</table>
</panel>
</row>

@ITWhisperer its not working please guide.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-01-2023 11:23 PM

Please read very carefully what I have previously said about click tokens

Also, how do you think you could filter the results you have using the value in the selected_value1 token?

0 Karma
Reply

aditsss
Motivator
‎08-01-2023 11:34 PM

@ITWhisperer 

This is my main query:

index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount

<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="show_panel">true</set>
<set token="selected_value1">$click.value1$</set>
</drilldown>

Now on totalOutputRecordsCount I want a drill down panel to be open and show nonFinChargeAccounts and finChargeAccounts

This is my drill down panel:

row>
<panel depends="$show_panel$">
<table>
<title>Caller Details</title>
<search>
<query>index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table  nonFinChargeAccounts finChargeAccounts $selected_value$ </query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
</table>
</panel>

 

@ITWhisperer not sure how to display it.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-01-2023 11:52 PM

Please read very carefully what I have previously said about click tokens

Also, how do you think you could filter the results you have using the value in the selected_value1 token?

To put it another way, if you wanted to change the search in the second panel so it only kept events for a specific time, how would you do that?

0 Karma
Reply

aditsss
Motivator
‎08-01-2023 11:59 PM

@ITWhisperer 

Is this drill down panel correct

<panel depends="$show_panel$">
<table>
<title>Caller Details</title>
<search>
<query>index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table _time  nonFinChargeAccounts finChargeAccounts $selected_value$ </query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
</table>
</panel>

Not sure @ITWhisperer  Can you please guide me I need to show it today.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2023 12:05 AM

No - all you have done is add a field name to the table command - the field name you have added will be the value of the token which (when you get the drilldown sorted out) would be a time value in seconds. What I think you want to do is filter the event returned by the search so that they only include the events with a time value matching the value in the token. Is that correct?

0 Karma
Reply

aditsss
Motivator
‎08-02-2023 12:17 AM

@ITWhisperer 

In my main panel I am showing two filed in bar chart format 

totalInputRecordsCount and totalOutputRecordsCount

In my drilldown panel I want on click of totalOutputRecordsCount it should show these two fileds

nonFinChargeAccounts and finChargeAccounts along with _time (in any format table,column,bar)

I am unable to achieve this:

below is my main panel query:

index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount

<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="show_panel">true</set>
<set token="selected_value1">$click.value1$</set>
</drilldown>

And this is my drill down panel:

<row>
<panel depends="$show_panel$">
<table>
<title>Caller Details</title>
<search>
<query>index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount $selected_value1$ </query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
</table>
</panel>

@ITWhisperer  please guide here

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2023 12:23 AM

Why do you keep repeating what I have already commented on without taking any notice of what I have said and suggested? If you don't understand what I have said, please clarify what it is that you don't understand and I will try to explain it in a different way. My answers are intended to guide you (as you have asked) so that you can learn how to use Splunk more effectively.

0 Karma
Reply

aditsss
Motivator
‎08-02-2023 12:36 AM

@ITWhisperer 

 

I am not understanding what I need to pass in drill down panel.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2023 12:41 AM

OK I'll repeat it

As I have told you before, the click tokens are value, name, value2 and name2. There isn't a value1. In your case, you should use value i.e.

<set token="selected_value1">$click.value$</set>

You will then have a token called $selected_value1$ which you can use in your drilled down panel to filter _time with and display just the columns you want from that search.

0 Karma
Reply

aditsss
Motivator
‎08-02-2023 01:54 AM

@ITWhisperer 

I tried like this . My Main panel query is this:

index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table totalInputRecordsCount totalOutputRecordsCount

<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="show_panel">true</set>
<set token="selected_value1">$click.value$</set>
</drilldown>

And my drill down panel query is this:

<query>index="600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>), totalOutputRecordsCount=(?<totalOutputRecordsCount>),nonFinChargeAccounts=(?<nonFinChargeAccounts>),finChargeAccounts=(?<finChargeAccounts>)"|table  nonFinChargeAccounts finChargeAccounts $selected_value1$ </query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
</table>
</panel>

@ITWhisperer its still not working for me.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...