Dashboards & Visualizations

How to show the raw data on clicking of a value

aditsss
Motivator

Hi Everyone,

I have one requirement. Below is my search query for my failed RIDs:

index=ABC ns=xyz app_name=abc "ARC FAILED TO UPDATE RESPONSE BACK TO SOURCE OR SF"|rex "RID:(?<RID>(\w+-){4}\w+)-(?<sourceagent>\w+-\w+)"
| eval count=1
| table RID, sourceagent, count | rename sourceagent as "Source"

I am getting like below:

RID                                    Source       count
f56bce02-750d-451c-a341-4769d7518f2c   of1-team_b   1
c09b64eb-45c3-4fcb-9deb-81faa3d5c98b   of1-team_b   1

 

I want that when I click on the first row it should show the raw logs for the failed RIDs, and that panel should be hidden; it should only be shown when we click on the particular rows we want to see.

Below are my raw logs for the 1st failed RID:

020-10-01T09:20:57.829079909Z app_name=api environment=e3 ns=c2 pod_container=api pod_name=bhhf5 message=2020-10-01 02:20:57.826 ERROR [service,,,] 1 --- [or-http-epoll-3] c.a.b.a.c.s.impl.SFCallbackService : RID:f56bce02-750d-451c-a341-4769d7518f2c-of1-team_b-ivurtupload EL:1601: ARC FAILED TO UPDATE RESPONSE BACK TO SOURCE OR SF Reason:404 Not Found: [[ {

Can someone guide me how can I achieve that?

 


ITWhisperer
SplunkTrust

Your "hidden" panel should have a query based on a token (the RID you want to search for). The first panel then needs a drilldown which sets the token with the value from the RID column for the row that is clicked. It should also set the token that the hidden panel depends on (this could possibly be the same token).


aditsss
Motivator

@ITWhisperer 

Thank you so much for the suggestion.

Can you please provide me with the query if possible. It would be a great help.

I just want to display the raw data on clicking the RIDs so that we get the detailed failure description.

Thanks in advance.


ITWhisperer
SplunkTrust

index=ABC ns=xyz app_name=abc "ARC FAILED TO UPDATE RESPONSE BACK TO SOURCE OR SF"|rex "RID:(?<RID>(\w+-){4}\w+)-(?<sourceagent>\w+-\w+)"
| where RID="$ridTokenSetByDrilldown$"

aditsss
Motivator

@ITWhisperer 

I have tried with the below code but it is not working. Where have I gone wrong?

<dashboard>
  <label>jkt</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=ABC ns=xyz app_name=abc "ARC FAILED TO UPDATE RESPONSE BACK TO SOURCE OR SF"| rex "RID:(?&lt;RID&gt;(\w+-){4}\w+)-(?&lt;sourceagent&gt;\w+-\w+)"
| eval count=1
| table RID, sourceagent, count | rename sourceagent as "Source"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="show_panel">true</set>
          <set token="selected_value">$ridTokenSetByDrilldown$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$show_panel$">
      <table>
        <title>Caller Details</title>
        <search>
          <query>index=ABC ns=xyz app_name=abc "ARC FAILED TO UPDATE RESPONSE BACK TO SOURCE OR SF"|rex "RID:(?&lt;RID&gt;(\w+-){4}\w+)-(?&lt;sourceagent&gt;\w+-\w+)" $selected_value$
</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">100</option>
      </table>
    </panel>
  </row>
</dashboard>


ITWhisperer
SplunkTrust
<set token="selected_value">$click.value2$</set>
<query>index=ABC ns=xyz app_name=abc "ARC FAILED TO UPDATE RESPONSE BACK TO SOURCE OR SF" $selected_value$
</query>
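The two answers combined into one complete dashboard, as an added example rather than code from the thread: the index, field names and rex come from the question; `selected_rid` is an assumed token name, and `$row.RID$` is used instead of `$click.value2$` so the RID column is taken whichever cell of the row is clicked. The hidden panel uses an `<event>` element so the raw events are shown, with the token both in the base search (to narrow the scan) and in a quoted `where` (for an exact match).

```xml
<dashboard>
  <label>Failed RIDs with raw-event drilldown</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label>Time range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Failed RIDs</title>
      <table>
        <search>
          <query>index=ABC ns=xyz app_name=abc "ARC FAILED TO UPDATE RESPONSE BACK TO SOURCE OR SF"
| rex "RID:(?&lt;RID&gt;(\w+-){4}\w+)-(?&lt;sourceagent&gt;\w+-\w+)"
| eval count=1
| table RID, sourceagent, count
| rename sourceagent as "Source"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- $row.RID$ is the RID column of the clicked row; assumed token name selected_rid -->
          <set token="selected_rid">$row.RID$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <!-- the panel stays hidden until the drilldown above sets selected_rid -->
    <panel depends="$selected_rid$">
      <title>Raw events for RID $selected_rid$</title>
      <event>
        <search>
          <query>index=ABC ns=xyz app_name=abc "ARC FAILED TO UPDATE RESPONSE BACK TO SOURCE OR SF" "$selected_rid$"
| rex "RID:(?&lt;RID&gt;(\w+-){4}\w+)-(?&lt;sourceagent&gt;\w+-\w+)"
| where RID="$selected_rid$"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="type">raw</option>
        <option name="count">20</option>
      </event>
    </panel>
  </row>
</dashboard>
```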