Multilevel drilldown - passing selected value to 2nd level query in downstream

jayannah
Builder

Hi

I have implemented a 5-level drilldown and am facing an issue in getting the field value selected in the 1st chart inside the 3rd, 4th, and 5th drilldown search queries. Currently I have hardcoded those values in the 3rd, 4th and 5th drilldown queries. I'm unable to get the value selected in the 1st table in the 3rd drilldown, the values selected in the 1st & 2nd inside the 4th drilldown, and so on.

Please see the code snap given at the bottom. My 3rd drilldown search query is -->
index="index_tencore_1" Department="ENGG" $row.searchTerms$ | where NumOfLogins > 11 | stats count by JobTitle

Please observe that I have hardcoded Department="ENGG". Here, I want to get the value of Department from the 1st table chart. $row.searchTerms$ gives me the value selected in the 2nd table chart.

And my 4th drilldown search query is --> index="index_tencore_1" Department="ENGG" subgroup="GR-5" $row.searchTerms$ | where NumOfLogins > 11
Here I have hardcoded Department="ENGG" and subgroup="GR-5", and I want to get these values from the selections in the 1st and 2nd table charts. $row.searchTerms$ gives me the value selected in the 3rd table chart.

What is the logic to pass the value 2+ levels down in the drilldown chart?


martin_mueller
SplunkTrust

This should be fairly straightforward with Splunk 6.1 <set> tags: http://docs.splunk.com/Documentation/Splunk/6.1.1/Viz/PanelreferenceforSimplifiedXML#set

You basically set a global token after each drilldown that then is available to all the searches.

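A sketch of the global-token approach described in the answer above, as an added example that is not part of the original thread. It uses current Simple XML search syntax (`<search>`/`<query>`), which may differ from what 6.1 accepted; the token names `dept_tok` and `subgroup_tok` and the level 1 and level 2 queries are assumptions, while the index and field names come from the question.

```xml
<!-- Added example: dept_tok / subgroup_tok are made-up token names. -->
<dashboard>
  <label>Multilevel drilldown with global tokens</label>
  <row>
    <panel>
      <table>
        <title>Level 1: Department</title>
        <search>
          <!-- Assumed level 1 query; the thread does not show it -->
          <query>index="index_tencore_1" | stats count by Department</query>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- The clicked row's Department becomes a dashboard-wide token -->
          <set token="dept_tok">$row.Department$</set>
          <!-- Clear the stale lower-level choice when level 1 changes -->
          <unset token="subgroup_tok"></unset>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$dept_tok$">
      <table>
        <title>Level 2: subgroup within $dept_tok$</title>
        <search>
          <!-- |s wraps the clicked value in quotes before it enters the search -->
          <query>index="index_tencore_1" Department=$dept_tok|s$ | stats count by subgroup</query>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <set token="subgroup_tok">$row.subgroup$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$dept_tok$,$subgroup_tok$">
      <table>
        <title>Level 3: JobTitle</title>
        <search>
          <!-- Both upstream selections are still available two levels down -->
          <query>index="index_tencore_1" Department=$dept_tok|s$ subgroup=$subgroup_tok|s$ | where NumOfLogins &gt; 11 | stats count by JobTitle</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Levels 4 and 5 follow the same pattern: each table sets one more token in its `<drilldown>`, and every deeper query references all tokens set above it.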

sideview
SplunkTrust

With the Sideview Utils Table module this is just a matter of setting the "name" param on the Table modules. By default the value of the "name" param is "row", which by the way is where the "row" in $row.searchTerms$ and $row.fields.myField$ comes from.

The problem you're having is that all five Tables end up with the same name, so they all clobber each other's tokens. But if you specify one Table as "userRow" and another as "hostRow", then you can use $userRow.searchTerms$ and $hostRow.searchTerms$ in the same search and they won't step on each other.

This is also written up in full detail over in this other post: http://answers.splunk.com/answers/136482/multiple-inline-drilldown

jayannah
Builder

Thanks. But I would like to know how to do it in Side View 3.x.x, as the customer is using Splunk 5.0.4 and has no plans to upgrade soon.

Please let me know how to achieve this in Side View?
