Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multilevel drilldown - passing selected value to 2nd level query in downstream

jayannah
Builder
‎06-02-2014 09:23 AM

HI

I have implemented the 5 level drilldown and facing issue in getting the field value selected in the 1st chart inside 3rd, 4th, 5th drilldown search queries. Currently I have hardcoded those values in 3rd, 4th and 5th drilldown query. I'm unable to get the value selected in 1st table in 3rd drill down, values selected in 1st & 2nd inside the 4th drilldown...so on.

Please see the code snap given at the bottom. My 3rd drilldown search query is -->
index="index_tencore_1" Department="ENGG" $row.searchTerms$ | where NumOfLogins > 11 | stats count by JobTitle

Please observer that I have hardcoded Department="ENGG". Here, I want to get the value of Department from 1st table chart. $row.searchTerms$ gives me the value selected in 2nd table chart.

And my 4th drilldown search query is --> index="index_tencore_1" Department="ENGG" subgroup="GR-5" $row.searchTerms$ | where NumOfLogins > 11
Here I have hardcoded Department="ENGG" and subgroup="GR-5" which I want to get these values selected in 1st and 2nd table chart. $row.searchTerms$ gives me the value selected in 3rd table chart.

What is logic to pass the value 2+ levels down in the drilldown chart?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-02-2014 01:54 PM

This should be fairly straightforward with Splunk 6.1 <set> tags: http://docs.splunk.com/Documentation/Splunk/6.1.1/Viz/PanelreferenceforSimplifiedXML#set

You basically set a global token after each drilldown that then is available to all the searches.

View solution in original post

Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎06-02-2014 03:29 PM

With the Sideview Utils Table module this is just a matter of setting the "name" param on the Table modules. By default the value of the "name" param is "row", which by the way is where the "row" in $row.searchTerms$ and $row.fields.myField$ comes from.

The problem you're having is that all five Tables end up with the same name, so they all clobber eachother's tokens. But if you specify one Table as "userRow" and another as "hostRow", then you can use $userRow.searchTerms$" and $hostRow.searchTerms$ in the same search and they wont step on eachother.

This is also written up in full detail over in this other post: http://answers.splunk.com/answers/136482/multiple-inline-drilldown

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-02-2014 01:54 PM

This should be fairly straightforward with Splunk 6.1 <set> tags: http://docs.splunk.com/Documentation/Splunk/6.1.1/Viz/PanelreferenceforSimplifiedXML#set

You basically set a global token after each drilldown that then is available to all the searches.

Reply
Solved! Jump to solution

jayannah
Builder
‎06-02-2014 02:00 PM

Thanks. But, I would like to know how to do it Side View 3.x.x as the customer are using splunk 5.0.4 and no plans to upgrade sooner.

Please let me know how to achieve this in Side view ?

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...