Solved: Re: Is it possible to use $row.fieldName$ in a dri...

Kreep · ‎03-31-2023

I'm using Classic dashboard for this.

I'm trying to use some of the results of a search beneath a Line Chart to modify a custom URL, but need to use values other than click.value, click.value2.

For example: I'd like when a user clicks on a line which is grouped by cluster (A field generated with rex), I'd like to take them to a separate page, with that cluster pre-filled in.

Everything I've read says "Just do $row.cluster$", or "$result.cluster". I thought maybe because it's a value generated with rex, that it might not work, but even things like $row.host$, which I've seen recommended in many places, but it always comes through as just "$row.host$", instead of the value of the field.

I even made a token that references $row.host$, and it translates the token to `%3Frow.host%3F` instead of filling in the actual value.

Here's a slightly trimmed down example of the line chart that is not giving me the proper custom values on drilldown (click.value/click.value2 both work, for what it's worth, but *only* those two):

<search>
<query>index="*" sourcetype="infra_memory" 
| regex host=".*?bar.*?" 
| rex <insert convoluted 'cluster' regex here>
| rex field=host "[^0-9]*(?&lt;stack_num&gt;[0-9]+)-"
| eval memory_usage = ((total-available)/total*100) 
| bucket _time span=1hour 
| chart p99(memory_usage) by _time, cluster</query>
</search>
<drilldown>
<set token="TEST">$row.host$</set>
<link target="_blank">/test:$TEST$-$row.TEST$,$tkn.TEST$/rowstuff:$row.stack_num$,$row.host$,$row.cluster$-clickstuff:$click.value$,$click.value2$,$click.host$-result:$result.sourcetype$,$result.host$</link>
</drilldown>

(As you can see, I've tried a bunch of different things, in a desperate attempt to find anything that works)

Is what I'm trying to do possible?

Kreep · ‎04-11-2023

It's not ideal, but I ended up resolving the issue by taking all the info crammed into $click.name2$, and splitting it and stitching back it together in the link section using tokens.

In case anybody stumbles across this down the road, here's how it ended up looking:


<query>index="*prd-infra" sourcetype="infra_cpu" 
| rex field=host "(?&lt;cust&gt;[^-]+)-(?&lt;env&gt;[^-]+)-(?&lt;inst&gt;[^-]+)-(?&lt;app&gt;[^-]+)-(?&lt;node&gt;[^0-9]+)-\d+" 
| rex field=host "[^0-9]*(?&lt;stack_num&gt;[0-9]+)-"
| strcat cust "/" env "/" inst "/" app"/" node cluster
| eval cpu_usage = (100-pctIdle) 
| bucket _time span=1hour 
| chart p99(cpu_usage) as usage by _time, cluster</query>

<drilldown>
  <eval token="cust">mvindex(split($cluster$,"/"),0)</eval>
  <eval token="env">mvindex(split($cluster$,"/"),1)</eval>
  <eval token="inst">mvindex(split($cluster$,"/"),2)</eval>
  <eval token="app">mvindex(split($cluster$,"/"),3)</eval>
  <eval token="node">mvindex(split($cluster$,"/"),4)</eval>
  <link target="_blank">... cluster=$cust$-$env$-$inst$-$app$&amp; ...</link>
</drilldown>

I appreciate all the help in trying to troubleshoot this!

View solution in original post

Kreep · ‎04-11-2023

It's not ideal, but I ended up resolving the issue by taking all the info crammed into $click.name2$, and splitting it and stitching back it together in the link section using tokens.

In case anybody stumbles across this down the road, here's how it ended up looking:


<query>index="*prd-infra" sourcetype="infra_cpu" 
| rex field=host "(?&lt;cust&gt;[^-]+)-(?&lt;env&gt;[^-]+)-(?&lt;inst&gt;[^-]+)-(?&lt;app&gt;[^-]+)-(?&lt;node&gt;[^0-9]+)-\d+" 
| rex field=host "[^0-9]*(?&lt;stack_num&gt;[0-9]+)-"
| strcat cust "/" env "/" inst "/" app"/" node cluster
| eval cpu_usage = (100-pctIdle) 
| bucket _time span=1hour 
| chart p99(cpu_usage) as usage by _time, cluster</query>

<drilldown>
  <eval token="cust">mvindex(split($cluster$,"/"),0)</eval>
  <eval token="env">mvindex(split($cluster$,"/"),1)</eval>
  <eval token="inst">mvindex(split($cluster$,"/"),2)</eval>
  <eval token="app">mvindex(split($cluster$,"/"),3)</eval>
  <eval token="node">mvindex(split($cluster$,"/"),4)</eval>
  <link target="_blank">... cluster=$cust$-$env$-$inst$-$app$&amp; ...</link>
</drilldown>

I appreciate all the help in trying to troubleshoot this!

richgalloway · ‎03-31-2023

The $row.field$ construct only works if field exists; otherwise, you get the token as literal text.

In the example, the chart command has discarded all fields except 'p99(memory_usage)', _time, and cluster so those are the only fields can be passed in a drilldown.

---
If this reply helps you, Karma would be appreciated.

Kreep · ‎04-03-2023

Interesting, so I've now set my token/drilldown stuff to the following to test those specific fieldnames:

<drilldown>
  <set token="TEST">$row.cluster$</set>
  <link target="_blank">/token:$TEST$/row:$row.cluster$,etc:$row.p99(cpu_usage)$-$row.cpu_usage$-$row._time$</link>
</drilldown>

And the resulting URL ends with the following:

/token:%24row.cluster%24/row:$row.cluster$,etc:$row.p99(cpu_usage)$-$row.cpu_usage$-1680526800.000

Somehow, it's still ignoring everything but _time, and I can't figure out why.

richgalloway · ‎04-03-2023

I just now realized you're using a chart rather than a table, but the $row.field$ convention should still work. This table shows the tokens available from a chart.

I wonder if it might help to rename the p99 result and use the new name in a token.

| chart p99(memory_usage) as p99 by _time, cluster</query>

Token	Description
$click.name$	X-axis field or category name for the clicked location. Not available if the user clicks the chart legend.
$click.value$	X-axis field or category value for the clicked location. Not available if the user clicks the chart legend.
$click.name2$	Y-axis field or series name for the clicked location. Not available if the user clicks the chart legend.
$click.value2$	Y-axis field or series value for the clicked location. Not available if the user clicks the chart legend.
$row.<fieldname>$	Access any y-axis field value corresponding to the clicked location x-axis. Not available if the user clicks the chart legend.
$row.<x-axis-name>$	Access any x-axis field value corresponding to the clicked location. Not available if the user clicks the chart legend.
$earliest$	Earliest time for the clicked chart segment. If not applicable, uses the earliest time for the search.

---
If this reply helps you, Karma would be appreciated.

Kreep · ‎04-04-2023

Now using:

<search>
  <query>index="*" sourcetype="infra_cpu" 
    | regex host=".*bar.*"
    | rex <insert convoluted 'cluster' regex here>
    | rex field=host "[^0-9]*(?&lt;stack_num&gt;[0-9]+)-"
    | eval cpu_usage = (100-pctIdle) 
    | bucket _time span=1hour 
    | chart p99(cpu_usage) as usage by _time, cluster</query>
  <earliest>-24h@h</earliest>
  <latest>now</latest>
  <sampleRatio>1</sampleRatio>
</search>
<drilldown>
  <set token="TEST">$row.usage$</set>
  <link target="_blank">/ $row.cluster$ - $row.usage$ - $TEST$</link>
</drilldown>

Still, the only thing that yields any results at all are $click.____$ values.

I don't know if it's relevant, but this is on Splunk 8.2.9, could there be a bug of some sort, or am I just misusing drilldowns?

richgalloway · ‎04-04-2023

I don't know what else to suggest. Perhaps the $row.field$ construct doesn't work with the chart type you're using.

---
If this reply helps you, Karma would be appreciated.

Is it possible to use $row.fieldName$ in a drilldown custom URL?

dashboard

drilldown

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...