I'm using Classic dashboard for this.
I'm trying to use some of the results of a search beneath a Line Chart to modify a custom URL, but need to use values other than click.value, click.value2.
For example, when a user clicks on a line that is grouped by cluster (a field generated with rex), I'd like to take them to a separate page with that cluster pre-filled in.
Everything I've read says "Just do $row.cluster$" or "$result.cluster$". I thought maybe it might not work because it's a value generated with rex, but even things like $row.host$, which I've seen recommended in many places, always come through as just "$row.host$" instead of the value of the field.
I even made a token that references $row.host$, and it translates the token to `%3Frow.host%3F` instead of filling in the actual value.
Here's a slightly trimmed down example of the line chart that is not giving me the proper custom values on drilldown (click.value/click.value2 both work, for what it's worth, but *only* those two):
<search>
<query>index="*" sourcetype="infra_memory"
| regex host=".*?bar.*?"
| rex <insert convoluted 'cluster' regex here>
| rex field=host "[^0-9]*(?<stack_num>[0-9]+)-"
| eval memory_usage = ((total-available)/total*100)
| bucket _time span=1hour
| chart p99(memory_usage) by _time, cluster</query>
</search>
<drilldown>
<set token="TEST">$row.host$</set>
<link target="_blank">/test:$TEST$-$row.TEST$,$tkn.TEST$/rowstuff:$row.stack_num$,$row.host$,$row.cluster$-clickstuff:$click.value$,$click.value2$,$click.host$-result:$result.sourcetype$,$result.host$</link>
</drilldown>
(As you can see, I've tried a bunch of different things, in a desperate attempt to find anything that works)
Is what I'm trying to do possible?
It's not ideal, but I ended up resolving the issue by taking all the info crammed into $click.name2$, splitting it, and stitching it back together in the link section using tokens.
In case anybody stumbles across this down the road, here's how it ended up looking:
<query>index="*prd-infra" sourcetype="infra_cpu"
| rex field=host "(?<cust>[^-]+)-(?<env>[^-]+)-(?<inst>[^-]+)-(?<app>[^-]+)-(?<node>[^0-9]+)-\d+"
| rex field=host "[^0-9]*(?<stack_num>[0-9]+)-"
| strcat cust "/" env "/" inst "/" app "/" node cluster
| eval cpu_usage = (100-pctIdle)
| bucket _time span=1hour
| chart p99(cpu_usage) as usage by _time, cluster</query>
<drilldown>
<eval token="cust">mvindex(split($cluster$,"/"),0)</eval>
<eval token="env">mvindex(split($cluster$,"/"),1)</eval>
<eval token="inst">mvindex(split($cluster$,"/"),2)</eval>
<eval token="app">mvindex(split($cluster$,"/"),3)</eval>
<eval token="node">mvindex(split($cluster$,"/"),4)</eval>
<link target="_blank">... cluster=$cust$-$env$-$inst$-$app$& ...</link>
</drilldown>
I appreciate all the help in trying to troubleshoot this!
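A Python model of the pack-and-split approach above, added here as an illustration and not part of the original post or of Splunk: it reuses the post's host regex and "/" delimiter, assumes the $cluster$ token carries the clicked series name from $click.name2$ as described, and uses a placeholder link path for the elided part of the <link>. It also shows why the reassembled value should be percent-encoded before it lands in the query string, and what happens when the host does not match the rex.

```python
import re
from urllib.parse import quote

# Python spelling of the posted rex: (?<name>...) becomes (?P<name>...).
HOST_RE = re.compile(
    r"(?P<cust>[^-]+)-(?P<env>[^-]+)-(?P<inst>[^-]+)-(?P<app>[^-]+)-(?P<node>[^0-9]+)-\d+"
)
PARTS = ("cust", "env", "inst", "app", "node")
SEP = "/"  # the literal the strcat command joins the parts with
LINK_BASE = "/app/search/cluster_detail"  # placeholder for the elided part of <link>


def build_cluster(host):
    """Model of `rex field=host ... | strcat cust "/" env "/" inst "/" app "/" node cluster`.
    Returns None when the rex does not match: Splunk then leaves cluster unset and the
    chart has no series for that host. Note that [^-]+ allows "/" inside a part, which
    would shift every later token because the delimiter is never escaped."""
    m = HOST_RE.match(host)
    return SEP.join(m.group(p) for p in PARTS) if m else None


def drilldown_tokens(cluster):
    """Model of the <eval token="..."> mvindex(split($cluster$,"/"),N) lines,
    with $cluster$ holding the clicked series name ($click.name2$)."""
    fields = cluster.split(SEP)
    # mvindex past the end of the list yields null, so that token stays unset (None here).
    return {name: (fields[i] if i < len(fields) else None) for i, name in enumerate(PARTS)}


def build_link(cluster):
    """Model of `<link>... cluster=$cust$-$env$-$inst$-$app$& ...</link>`.
    The value comes straight from host names, so it is percent-encoded before being
    placed in the query string; a '&' or '=' inside a part would otherwise add or
    overwrite parameters in the target page's URL."""
    tokens = drilldown_tokens(cluster)
    needed = ("cust", "env", "inst", "app")
    if any(tokens[p] is None for p in needed):
        raise ValueError("cluster has fewer than %d parts: %r" % (len(PARTS), cluster))
    value = "-".join(tokens[p] for p in needed)
    return "%s?cluster=%s" % (LINK_BASE, quote(value, safe=""))


if __name__ == "__main__":
    # Constructed sample hosts, not values from the thread.
    for host in ("acme-prod-01-web-node-12", "acme-prod-01-web&x=1-node-12", "unrelated-host"):
        cluster = build_cluster(host)
        print(host, "->", cluster, "->", build_link(cluster) if cluster else "(no cluster, no series)")
```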
The $row.field$ construct only works if the field exists; otherwise, you get the token as literal text.
In the example, the chart command has discarded all fields except 'p99(memory_usage)', _time, and cluster, so those are the only fields that can be passed in a drilldown.
Interesting, so I've now set my token/drilldown stuff to the following to test those specific fieldnames:
<drilldown>
<set token="TEST">$row.cluster$</set>
<link target="_blank">/token:$TEST$/row:$row.cluster$,etc:$row.p99(cpu_usage)$-$row.cpu_usage$-$row._time$</link>
</drilldown>
And the resulting URL ends with the following:
/token:%24row.cluster%24/row:$row.cluster$,etc:$row.p99(cpu_usage)$-$row.cpu_usage$-1680526800.000
Somehow, it's still ignoring everything but _time, and I can't figure out why.
I just now realized you're using a chart rather than a table, but the $row.field$ convention should still work. This table shows the tokens available from a chart.
I wonder if it might help to rename the p99 result and use the new name in a token.
| chart p99(memory_usage) as p99 by _time, cluster</query>
Token | Description
$click.name$ | X-axis field or category name for the clicked location. Not available if the user clicks the chart legend.
$click.value$ | X-axis field or category value for the clicked location. Not available if the user clicks the chart legend.
$click.name2$ | Y-axis field or series name for the clicked location. Not available if the user clicks the chart legend.
$click.value2$ | Y-axis field or series value for the clicked location. Not available if the user clicks the chart legend.
$row.<fieldname>$ | Access any y-axis field value corresponding to the clicked location x-axis. Not available if the user clicks the chart legend.
$row.<x-axis-name>$ | Access any x-axis field value corresponding to the clicked location. Not available if the user clicks the chart legend.
$earliest$ | Earliest time for the clicked chart segment. If not applicable, uses the earliest time for the search.
Now using:
<search>
<query>index="*" sourcetype="infra_cpu"
| regex host=".*bar.*"
| rex <insert convoluted 'cluster' regex here>
| rex field=host "[^0-9]*(?<stack_num>[0-9]+)-"
| eval cpu_usage = (100-pctIdle)
| bucket _time span=1hour
| chart p99(cpu_usage) as usage by _time, cluster</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<drilldown>
<set token="TEST">$row.usage$</set>
<link target="_blank">/ $row.cluster$ - $row.usage$ - $TEST$</link>
</drilldown>
Still, the only things that yield any results at all are the $click.____$ values.
I don't know if it's relevant, but this is on Splunk 8.2.9. Could there be a bug of some sort, or am I just misusing drilldowns?
I don't know what else to suggest. Perhaps the $row.field$ construct doesn't work with the chart type you're using.