Multivalue drilldown and dropdown is not working in query results

nagarajsf
Explorer

Hello, I'm trying to add two drill-down options to my dashboard: one to select the platform and the other one for the environment.
Let's say I have platforms A and B, and both of them have environments C, D, and E.

I have written it as below, but the output in the dashboard is NULL or no data found.

FYI: For a single option it is working fine and I am able to see the dashboard with values.

<form>
      <row>
<panel id="dropdown">
          <title>Welcome, $username$!</title>
          <input type="dropdown" token="tokPlatform" searchWhenChanged="true">
            <label>Select Platform</label>
            <default>On-prem</default>
            <choice value="index=alarms sourcetype=ommc_alarms APPLICATION=Hadoop OR APPLICATION=*Unix*">On-prem</choice>
            <choice value="index=alarms sourcetype=ommc_alarms MANAGER_NAME=*.corporate">Cloud-AWS</choice>
            <choice value="Null">Cloud-Azure</choice>
          </input>
          <input type="dropdown" token="tokEnvironment" searchWhenChanged="true">
            <label>Select Environment</label>
            <default>Prod</default>
            <choice value="$tokPlatform$ MANAGER_NAME=prdehdp* OR MANAGER_NAME=prdplhdpx*  OR MANAGER_NAME=prdasdp">Prod</choice>
            <choice value="$tokPlatform$ APPLICATION=Hadoop AMONAME=dev*">Dev</choice>
            <choice value="$tokPlatform$ APPLICATION=Hadoop AMONAME=QAT*">QAT</choice>
          </input>
          <input type="time" token="field1">
            <label></label>
            <default>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </default>
          </input>
          <html>
            </html>
        </panel>
      </row>
      <row id="row1">
        <panel depends="$alwaysHideCSS$">
          <html>
             <style>
               #countTicketPanel{
                 width:25% !important;
               }

               #ticketStatusPanel{
                 width:75% !important;
               }

               #row1{
                    border-radius: 6px;
                    font-family:"Roboto","Droid","Helvetica Neue",Helvetica,Arial,sans-serif;
                    text-decoration: none;
                    margin:auto; 
                    background-color: #ea0a8e;
                    color: #ea0a8e;
                    padding: 1px 1px 1px 1px;
                    border-top: 1px solid #CCCCCC;
                    border-right: 1px solid #333333;
                    border-bottom: 1px solid #333333;
                    border-left: 1px solid #CCCCCC;
                 position:auto; 
           }
               #row2{
                    border-radius: 6px;
                    font-family:"Roboto","Droid","Helvetica Neue",Helvetica,Arial,sans-serif;
                    text-decoration: none;
                    margin:auto; 
                    background-color: #ea0a8e;
                    color: #ea0a8e;
                    padding: 1px 1px 1px 1px;
                    border-top: 1px solid #CCCCCC;
                    border-right: 1px solid #333333;
                    border-bottom: 1px solid #333333;
                    border-left: 1px solid #CCCCCC;
                    position:auto; 
               }
              #dropdown{
                    border-radius: 6px;
                    font-size: 12px;
                    font-family:"Roboto","Droid","Helvetica Neue",Helvetica,Arial,sans-serif;
                    text-decoration: none;
                    background-color: #ea0a8e;
                    color: #ea0a8e;
                    padding: 6px 8px 6px 8px;
                    border-top: 1px solid #CCCCCC;
                    border-right: 1px solid #333333;
                    border-bottom: 1px solid #333333;
                    border-left: 1px solid #CCCCCC;
                    margin:auto; 
                    position:auto; 
                    width:800px; 
                    top:0px;
                    bottom:0px;
                    margin-left:-400px;

                  }
                #table1 .splunk-table .splunk-paginator{
                 position: absolute !important;
                 top: -2px !important;
                 padding-left: 45% !important;
                }

                 #table2 .splunk-table .splunk-paginator{
                 position: absolute !important;
                 top: -2px !important;
                 padding-left: 45% !important;
                 }
             </style>
           </html>
        </panel>
        <panel id="ticketStatusPanel">
          <title>HDP INFRA ALERTS CHART</title>
          <chart>
            <title>ALERTS SEVERITY</title>
            <search>
            <query> $tokEnvironment$ |  eval compound_exp=AMONAME + "#" + NETWORKELEMENTCODE|timechart span=5m count(compound_exp) BY SEVERITY </query>
              <earliest>$field1.earliest$</earliest>
              <latest>$field1.latest$</latest>
              <refresh>5m</refresh>
              <refreshType>delay</refreshType>
            </search>
            <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
            <option name="charting.axisLabelsY.majorUnit">1</option>
            <option name="charting.axisTitleY.text">Count</option>
            <option name="charting.axisY.abbreviation">none</option>
            <option name="charting.axisY.minimumNumber">0</option>
            <option name="charting.axisY.scale">linear</option>
            <option name="charting.chart">column</option>
            <option name="charting.chart.showDataLabels">none</option>
            <option name="charting.chart.stackMode">default</option>
            <option name="charting.drilldown">all</option>
            <option name="charting.fieldColors">{"CRITICAL":0xFF0000,"MINOR":0xFF8000, "MAJOR":0xFF8000}</option>
            <option name="charting.layout.splitSeries">0</option>
            <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
            <option name="charting.legend.placement">bottom</option>
            <option name="refresh.display">progressbar</option>
            <option name="trellis.scales.shared">1</option>
            <option name="trellis.size">medium</option>
            <drilldown>
              <set token="clicked_earliest">$earliest$</set>
              <set token="clicked_latest">$latest$</set>
              <set token="clicked_group">$click.name2$</set>
            </drilldown>
          </chart>
        </panel>
        <panel id="countTicketPanel">
          <title>TICKET STATUS CHART</title>
          <chart>
            <title>Ticket status</title>
            <search>
              <query> $tokEnvironment$ |  eval compound_exp=AMONAME + "#" + NETWORKELEMENTCODE |timechart span=4m count(compound_exp) BY TICKET_STATUS</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="charting.axisLabelsY.majorUnit">1</option>
            <option name="charting.axisTitleX.visibility">visible</option>
            <option name="charting.axisTitleY.text">Count</option>
            <option name="charting.axisTitleY.visibility">visible</option>
            <option name="charting.axisTitleY2.visibility">visible</option>
            <option name="charting.axisY.abbreviation">none</option>
            <option name="charting.axisY.minimumNumber">0</option>
            <option name="charting.axisY.scale">linear</option>
            <option name="charting.chart">column</option>
            <option name="charting.chart.showDataLabels">none</option>
            <option name="charting.chart.stackMode">default</option>
            <option name="charting.drilldown">all</option>
            <option name="charting.fieldColors">{"Assigned":0xF17BF1,"Working":0xFF8000,"Resolved":0xB3E680}</option>
            <option name="charting.legend.placement">bottom</option>
            <option name="refresh.display">preview</option>
            <option name="trellis.scales.shared">1</option>
            <option name="trellis.size">large</option>
            <drilldown>
              <set token="clicked_earliest">$earliest$</set>
              <set token="clicked_latest">$latest$</set>
              <set token="clicked_group">$click.name2$</set>
            </drilldown>
          </chart>
        </panel>
      </row>
      <row id="row2">
        <panel depends="$alwaysHideCSS$">
          <html>
             <style>
               #t1{
                 width:40% !important;
               }

               #t2{
                 width:60% !important;
               }
             </style>
           </html>
        </panel>
        <panel id="t2">
          <title>Important alerts by severity ($resultcount$)</title>
          <table id="table2">
            <search>
              <query>$tokEnvironment$ AND TICKET_STATUS!="Closed" AND  TICKET_STATUS!= "Resolved" |  eval compound_exp=AMONAME + "#" + NETWORKELEMENTCODE | rename TTID as Ticket | table Ticket,MANAGER_NAME,SEVERITY,DESCRIPTION,CREATED_DATE,TICKET_STATUS,UPDATE_DATE  | dedup Ticket | sort - SEVERITY desc</query>
              <earliest>$earliest$</earliest>
              <latest>$latest$</latest>
              <done>
                <eval token="resultcount">$job.resultCount$</eval>
              </done>
            </search>
            <option name="count">10</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">cell</option>
            <option name="refresh.display">progressbar</option>
            <option name="rowNumbers">false</option>
            <option name="wrap">true</option>
            <format type="color" field="SEVERITY">
              <colorPalette type="map">{"CRITICAL":#DC4E41,"MINOR":#F8BE34,"MAJOR":0xFF8000}</colorPalette>
            </format>
          </table>
        </panel>
        <panel id="t1">
          <title>OPEN TICKET STATUS ($resultcount1$)</title>
          <table id="table1">
            <search>
              <done>
                <eval token="resultcount1">$job.resultCount$</eval>
              </done>
              <query> $tokEnvironment$ AND TICKET_STATUS!="Closed" AND  TICKET_STATUS!= "Resolved"  | rename TTID as Ticket | eval ot = strptime(CREATED_DATE, "%Y-%m-%d %H:%M:%S")   
              | eval ud = strptime(UPDATE_DATE, "%Y-%m-%d %H:%M:%S") 
              | eval nowstring=strftime(now(), "%Y-%m-%d %H:%M:%S") 
              | eval open_status(hr)=tostring((now() - ot), "duration" )  | eval lastactionON(hr)=tostring((now() - ud), "duration" )  
              | table Ticket,TICKET_STATUS,UPDATE_DATE, open_status(hr), lastactionON(hr) | where  TICKET_STATUS!= "Resolved" | dedup Ticket</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="count">10</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">cell</option>
            <option name="percentagesRow">false</option>
            <option name="refresh.display">progressbar</option>
            <option name="rowNumbers">false</option>
            <option name="totalsRow">false</option>
            <option name="wrap">true</option>
            <format type="color" field="TICKET_STATUS">
              <colorPalette type="map">{"Assigned":#DC4E41,"Working":#F8BE34 }</colorPalette>
            </format>
          </table>
        </panel>
      </row>
      <row>
        <panel>
          <single>
            <title>Ticket Solved</title>
            <search>
              <query> $tokEnvironment$ AND TICKET_STATUS!="Closed" AND  TICKET_STATUS!= "Resolved"  |  dedup TTID | table TICKET_STATUS |  where TICKET_STATUS = "Resolved" | stats count</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="colorMode">block</option>
            <option name="drilldown">none</option>
            <option name="height">50</option>
            <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
            <option name="rangeValues">[0]</option>
            <option name="refresh.display">progressbar</option>
            <option name="useColors">1</option>
          </single>
        </panel>
      </row>
    </form>
0 Karma
1 Solution

renjith_nair
Legend

@nagarajsf ,

Try changing your second input (environment) as below - setting the second token on the change event

      <input type="dropdown" token="tokEnvironment" searchWhenChanged="true">
        <label>Select Environment</label>
        <default>Prod</default>
        <choice value="$tokPlatform$ MANAGER_NAME=prdehdp* OR MANAGER_NAME=prdplhdpx*  OR MANAGER_NAME=prdasdp">Prod</choice>
        <choice value="$tokPlatform$ APPLICATION=Hadoop AMONAME=dev*">Dev</choice>
        <choice value="$tokPlatform$ APPLICATION=Hadoop AMONAME=QAT*">QAT</choice>
        <change>
          <condition match="$label$==&quot;Prod&quot;">
            <set token="tokEnvironment">$tokPlatform$ MANAGER_NAME=prdehdp* OR MANAGER_NAME=prdplhdpx*  OR MANAGER_NAME=prdasdp</set>
          </condition>
          <condition match="$label$==&quot;Dev&quot;">
            <set token="tokEnvironment">$tokPlatform$ APPLICATION=Hadoop AMONAME=dev*</set>
          </condition>
          <condition match="$label$==&quot;QAT&quot;">
            <set token="tokEnvironment">$tokPlatform$ APPLICATION=Hadoop AMONAME=QAT*</set>
          </condition>          
        </change>
      </input>
---
What goes around comes around. If it helps, hit it with Karma 🙂

nagarajsf
Explorer

Hello @renjith.nair ,

This token is resolving the first time the dashboard is created, but it's acting strange if I refresh, or if someone logs in to the dashboard and checks; then it's not resolving as expected.

When I checked the query of the chart, I'm getting the query with an unresolved token:

$tokPlatform$ MANAGER_NAME=prdehdp* OR MANAGER_NAME=prdplhdpx* OR MANAGER_NAME=prdasdp | eval compound_exp=AMONAME + "#" + NETWORKELEMENTCODE|timechart span=5m count(compound_exp) BY SEVERITY

0 Karma

renjith_nair
Legend

@nagarajsf,

Can you rename this token tokEnvironment to something else?

<input type="dropdown" token="tokEnvironment" searchWhenChanged="true"> so that it doesn't collide with other in the change event

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

nagarajsf
Explorer

Hi @renjith.nair,

I have tried with different name but still the same issue. Replaced tokEnvironment with tokEnvironment1.

0 Karma

renjith_nair
Legend

@nagarajsf, it should be done only for the input and not on the change events.
Would you mind sharing the XML you are currently using and also the steps you are performing when it's not working? Thanks

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

nagarajsf
Explorer

I'm using the same XML which is mentioned in the query. When I swap between different environments and platforms, the dashboard is not working.

I have attached screenshots of the activity which I'm performing on the dashboard when it's not working.

0 Karma

renjith_nair
Legend

@nagarajsf,
Static token dependency is tricky. I am not able to see the screenshots, but try resetting the environment token when you are changing the platform token. By doing this, you will be able to force the user to select the environment.

     <input type="dropdown" token="tokPlatform" searchWhenChanged="true">
        <label>Select Platform</label>
        <default>On-prem</default>
        <choice value="index=alarms sourcetype=ommc_alarms APPLICATION=Hadoop OR APPLICATION=*Unix*">On-prem</choice>
        <choice value="index=alarms sourcetype=ommc_alarms MANAGER_NAME=*.corporate.t-mobile.com">Cloud-AWS</choice>
        <choice value="Null">Cloud-Azure</choice>
        <change>
          <condition>
             <unset token="tokEnvironment"></unset>
             <unset token="form.tokEnvironment"></unset>
          </condition>
        </change>        
      </input>
      <input type="dropdown" token="tokEnvironment" searchWhenChanged="true">
        <label>Select Environment</label>
        <choice value="$tokPlatform$ MANAGER_NAME=prdehdp* OR MANAGER_NAME=prdplhdpx*  OR MANAGER_NAME=prdasdp">Prod</choice>
        <choice value="$tokPlatform$ APPLICATION=Hadoop AMONAME=dev*">Dev</choice>
        <choice value="$tokPlatform$ APPLICATION=Hadoop AMONAME=QAT*">QAT</choice>
        <change>
          <condition match="$label$==&quot;Prod&quot;">
            <set token="tokEnvironment">$tokPlatform$ MANAGER_NAME=prdehdp* OR MANAGER_NAME=prdplhdpx*  OR MANAGER_NAME=prdasdp</set>
          </condition>
          <condition match="$label$==&quot;Dev&quot;">
            <set token="tokEnvironment">$tokPlatform$ APPLICATION=Hadoop AMONAME=dev*</set>
          </condition>
          <condition match="$label$==&quot;QAT&quot;">
            <set token="tokEnvironment">$tokPlatform$ APPLICATION=Hadoop AMONAME=QAT*</set>
          </condition>
        </change>
      </input>

Another method is to bring the actual search queries to the panels from inputs and keep only the variable part in the inputs.

For e.g. index=alarms sourcetype=ommc_alarms will be part of actual panels and substitute the rest of your search based on envs.

I suggest you revisit the whole XML. In the current scenario, if you select On-prem and Dev, your resulting search will be

index=alarms sourcetype=ommc_alarms APPLICATION=Hadoop OR APPLICATION=*Unix* APPLICATION=Hadoop AMONAME=dev*

Without the proper search term precedence, you might end up with wrong results.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
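
The alternative described in the reply above (fixed search terms in the panel, only the variable filter in each input), sketched as an added example that is not code from the thread. It assumes each filter is wrapped in parentheses so the OR groups stay explicit, drops the Cloud-Azure placeholder choice, and uses `selectFirstChoice` in place of the original defaults; index, sourcetype and field names are the ones posted in the question.

```xml
<!-- Added example (not from the thread): inputs carry only the variable filter. -->
<form>
  <label>Alarms by platform and environment</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokPlatform" searchWhenChanged="true">
      <label>Select Platform</label>
      <!-- Each value is a self-contained, parenthesized filter fragment -->
      <choice value="(APPLICATION=Hadoop OR APPLICATION=*Unix*)">On-prem</choice>
      <choice value="(MANAGER_NAME=*.corporate)">Cloud-AWS</choice>
      <selectFirstChoice>true</selectFirstChoice>
    </input>
    <input type="dropdown" token="tokEnvironment" searchWhenChanged="true">
      <label>Select Environment</label>
      <!-- No $tokPlatform$ inside the values: the two tokens no longer depend on each other -->
      <choice value="(MANAGER_NAME=prdehdp* OR MANAGER_NAME=prdplhdpx* OR MANAGER_NAME=prdasdp)">Prod</choice>
      <choice value="(APPLICATION=Hadoop AMONAME=dev*)">Dev</choice>
      <choice value="(APPLICATION=Hadoop AMONAME=QAT*)">QAT</choice>
      <selectFirstChoice>true</selectFirstChoice>
    </input>
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>ALERTS SEVERITY</title>
        <search>
          <!-- The fixed part of the search lives in the panel; both tokens are ANDed onto it -->
          <query>index=alarms sourcetype=ommc_alarms $tokPlatform$ $tokEnvironment$
| eval compound_exp=AMONAME + "#" + NETWORKELEMENTCODE
| timechart span=5m count(compound_exp) BY SEVERITY</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>
```

Because neither choice value references the other token, changing the platform does not leave an unresolved `$tokPlatform$` inside the environment token.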

nagarajsf
Explorer

Thank you, it's working now as I expected.

0 Karma

nagarajsf
Explorer

Hi @renjith.nair ,

In the same XML code, this time I do see that the token is resolving in the search, but it's not showing any data in the graph or table of the dashboard. If I run the same query in search, it returns results.

Any suggestions?

0 Karma

renjith_nair
Legend

@nagarajsf,
Most probably it's due to the extracted fields which are not available in the post-process search. Try adding |fields <your field list> to your base search

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

renjith_nair
Legend

@nagarajsf,

In the XML, you are using a dropdown. What do you mean by multiple options? Are you trying to use a multiselect instead of a dropdown? If that's the case, you might need to check the delimiter and how it's formulating the search.

Also, does your search really start with "Prod AND TICKET_STATUS!="Closed ...." without any index, sourcetype specification?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

nagarajsf
Explorer

And also, in the given XML file, the token $tokEnvironment$ is not resolving when I check the dashboard query lookup.

0 Karma

nagarajsf
Explorer

Hi @renjith.nair,

Let's say I select On-prem in the first dropdown; then in the second dropdown I could see any of Prd, Dev, QAT.

The base search starts with index=alarms sourcetype=ommc_alarms APPLICATION=Hadoop OR APPLICATION=*Unix* and I am passing it as token $tokPlatform$ in all other places in the XML.
$tokPlatform$ --> index=alarms sourcetype=ommc_alarms APPLICATION=Hadoop OR APPLICATION=*Unix*
$tokEnvironment$ --> $tokPlatform$ MANAGER_NAME=prdehdp* OR MANAGER_NAME=prdplhdpx* OR MANAGER_NAME=prdasdp

0 Karma