Dashboards & Visualizations

How to show the raw data on clicking of a value

aditsss
Motivator

Hi Everyone,

I have one requirement. Below is my search query for my failed RIDs:

index=ABC ns=xyz app_name=abc "ARC FAILED TO UPDATE RESPONSE BACK TO SOURCE OR SF"|rex "RID:(?<RID>(\w+-){4}\w+)-(?<sourceagent>\w+-\w+)"
| eval count=1
| table RID, sourceagent, count | rename sourceagent as "Source".

I am getting like below:

RID                                   Source      count
f56bce02-750d-451c-a341-4769d7518f2c  of1-team_b  1
c09b64eb-45c3-4fcb-9deb-81faa3d5c98b  of1-team_b  1

 

When I click on the first row, I want it to show the raw logs for the failed RIDs, and that panel should be hidden. It should only be shown when we click on the particular rows which we want to see.

Below are my raw logs for the 1st failed RID:

020-10-01T09:20:57.829079909Z app_name=api environment=e3 ns=c2 pod_container=api pod_name=bhhf5 message=2020-10-01 02:20:57.826 ERROR [service,,,] 1 --- [or-http-epoll-3] c.a.b.a.c.s.impl.SFCallbackService : RID:f56bce02-750d-451c-a341-4769d7518f2c-of1-team_b-ivurtupload EL:1601: ARC FAILED TO UPDATE RESPONSE BACK TO SOURCE OR SF Reason:404 Not Found: [[ {

Can someone guide me on how I can achieve that?

 


ITWhisperer
SplunkTrust
SplunkTrust

Your "hidden" panel should have a query based on a token (the RID you want to search for). The first panel then needs a drilldown which sets the token with the value from the RID column for the row that is clicked. It should also set the token that the hidden panel depends on (this could possibly be the same token).

0 Karma

aditsss
Motivator

@ITWhisperer 

Thank you so much for the suggestion.

Can you please provide me with the query if possible? It would be a great help.

I just want to display the raw data on clicking the RIDs so that we get the detailed failure description.

Thanks in advance.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
index=ABC ns=xyz app_name=abc "ARC FAILED TO UPDATE RESPONSE BACK TO SOURCE OR SF"|rex "RID:(?<RID>(\w+-){4}\w+)-(?<sourceagent>\w+-\w+)"
| where RID="$ridTokenSetByDrilldown$"
0 Karma

aditsss
Motivator

@ITWhisperer 

I have tried with the code below, but it is not working. Where have I gone wrong?

<dashboard>
  <label>jkt</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=ABC ns=xyz app_name=abc "ARC FAILED TO UPDATE RESPONSE BACK TO SOURCE OR SF"| rex "RID:(?&lt;RID&gt;(\w+-){4}\w+)-(?&lt;sourceagent&gt;\w+-\w+)"
| eval count=1
| table RID, sourceagent count| rename sourceagent as "Source"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="show_panel">true</set>
          <set token="selected_value">$ridTokenSetByDrilldown$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$show_panel$">
      <table>
        <title>Caller Details</title>
        <search>
          <query>index=ABC ns=xyz app_name=abc "ARC FAILED TO UPDATE RESPONSE BACK TO SOURCE OR SF"|rex "RID:(?&lt;RID&gt;(\w+-){4}\w+)-(?&lt;sourceagent&gt;\w+-\w+)" $selected_value$
</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">100</option>
      </table>
    </panel>
  </row>
</dashboard>

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
<set token="selected_value">$click.value2$</set>
<query>index=ABC ns=xyz app_name=abc "ARC FAILED TO UPDATE RESPONSE BACK TO SOURCE OR SF" $selected_value$
</query>
0 Karma
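
The pieces of this thread assembled into one Simple XML dashboard, as an added example that is not any poster's own code. Assumptions: `$row.RID$` is used instead of `$click.value2$` so the RID is picked up whichever cell of the row is clicked, the token is wrapped in quotes in the detail search, the detail panel uses an `<event>` viewer to show raw events, and the label and panel title are made up.

```xml
<!-- Added example. Index, field and search terms are the thread's; $row.RID$, the quoting and the <event> panel are assumptions. -->
<dashboard>
  <label>Failed RIDs</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=ABC ns=xyz app_name=abc "ARC FAILED TO UPDATE RESPONSE BACK TO SOURCE OR SF"
| rex "RID:(?&lt;RID&gt;(\w+-){4}\w+)-(?&lt;sourceagent&gt;\w+-\w+)"
| eval count=1
| table RID, sourceagent, count
| rename sourceagent as "Source"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- $row.RID$ is the RID column of the clicked row, whichever cell was clicked -->
          <set token="selected_value">$row.RID$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <!-- Hidden until the drilldown sets selected_value -->
    <panel depends="$selected_value$">
      <title>Raw events for $selected_value$</title>
      <event>
        <search>
          <query>index=ABC ns=xyz app_name=abc "ARC FAILED TO UPDATE RESPONSE BACK TO SOURCE OR SF" "$selected_value$"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">20</option>
      </event>
    </panel>
  </row>
</dashboard>
```

Because the second panel depends on the same token the drilldown sets, no separate `show_panel` token is needed.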