Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to view logs in a pie chart in each individual slice?

navd
New Member
‎02-05-2018 10:47 AM

HI,
I have created a pie chart which has 3 different pie slices, so My question is if I click on each individual pie slice I want to open its respective logs, is that possible? and how?

0 Karma
Reply

mayurr98
Super Champion
‎02-06-2018 12:01 AM

hey
1) If you want to drill-down to a new search window then you can try this run anywhere XML

<form>
  <label>Drilldown-to-search</label>
  <fieldset submitButton="false" autoRun="false">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>TimePicker</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_audit | stats count by action</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <link target="_blank">search?q=index=_audit action="$row.action$"&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</form>

2) If you want drill-down to show the logs in the same dashboard in the form of table then try this run anywhere XML

<form>
  <label>Drilldown-to-search</label>
  <fieldset submitButton="false" autoRun="false">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>TimePicker</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_audit | stats count by action</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <set token="action">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <event>
        <title>raw logs for $action$</title>
        <search>
          <query>index=_audit action="$action$"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="list.drilldown">none</option>
      </event>
    </panel>
  </row>
</form>

let me know if this helps!

0 Karma
Reply

493669
Super Champion
‎02-05-2018 10:46 PM

Try this:

<option name="charting.drilldown">all</option>
<drilldown>
          <set token="sourcetype_tok">$click.value$</set>
</drilldown>

Use this token $sourcetype_tok$ in your query
Try this run anywhere search:

<dashboard>
  <label>PieChartLabelName</label>
  <row>
    <panel>
      <chart id="myPieChart">
        <search>
          <query> index=_internal | stats count by log_level </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">pie</option>
         <option name="charting.drilldown">all</option>
        <drilldown>

            <set token="sourcetype_tok">$click.value$</set>

       </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel depends="$sourcetype_tok$">
      <table>
        <title>$sourcetype_tok$</title>
        <search>
          <query> index=_internal log_level="$sourcetype_tok$"| stats count by log_level </query>
          <earliest>-1h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </table>
      </panel>
    </row>
</dashboard>
0 Karma
Reply

lguinn2
Legend
‎02-05-2018 12:40 PM

By default, clicking on a chart will open a browser tab that displays the underlying events.
If that is not what you want, you can customize the drill-down behavior by adding the chart to a dashboard. Within a dashboard, there are a number of ways that you can customize.

The Splunk Dashboards Example app is free and shows excellent examples of drill-downs. I would install this app on a test machine or your personal copy of Splunk. It won't hurt anything, but it really doesn't belong in your production environment. You can download it here http://splunkbase.splunk.com/app/1603/

If you prefer to read the manual, the section on drill-downs appears here
http://docs.splunk.com/Documentation/Splunk/latest/Viz/DrilldownIntro

0 Karma
Reply
Get Updates on the Splunk Community!

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...

Enterprise Security Content Update (ESCU) | New Releases

In October, the Splunk Threat Research Team had one release of new security content via the Enterprise ...