
Pie chart eval in drilldown search

Engager

I have a pie chart that divides things up by severity. The query for that is:

    index=os sourcetype=events host=util04 | lookup pre_organizations.csv organization | dedup _time,event_id,counter | search event_type="cleared" | stats count by severity

When the user clicks on one of the pie slices, I'd like it to display a table of the following search:

   <drilldown>
      <link target="_blank">search?q=index=os sourcetype=events host=util04 | lookup pre_organizations.csv organization |dedup _time,event_id,counter | search event_type="cleared" severity=$click.value$| 
      eval eventTime=strftime(_time, "%Y-%m-%d %H:%M:%S")|table event_id,eventTime,severity,message
      </link>
    </drilldown>

The "eval eventTime" portion is breaking my search and I don't know how to get around this. Any ideas?

0 Karma
1 Solution

Splunk Employee

Try urlencoding your search

      <drilldown>
       <link target="_blank">/search?q=index%3Dos%20sourcetype%3Devents%20host%3Dutil04%20%7C%20lookup%20pre_organizations.csv%20organization%20%7Cdedup%20_time%2Cevent_id%2Ccounter%20%7C%20search%20event_type%3D%22cleared%22%20severity%3D%24click.value%24%7C%20%0A%20%20%20%20%20%20%20eval%20eventTime%3Dstrftime%28_time%2C%20%22%25Y-%25m-%25d%20%25H%3A%25M%3A%25S%22%29%7Ctable%20event_id%2CeventTime%2Cseverity%2Cmessage
       </link>
     </drilldown>


Esteemed Legend

In situations like this I always suggest that people dig around in the Dashboard Examples App:
https://splunkbase.splunk.com/app/1603/

0 Karma


Engager

Nice, this worked. I had to change the "%24click.value%24%" to a literal "$click.value$" in my XML but other than that change it worked. Thanks!

0 Karma
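
Added example, not part of any post in this thread: a Python helper that percent-encodes the drilldown search from the question while leaving Simple XML tokens such as `$click.value$` literal, which is the combination the accepted answer and the follow-up reply arrive at. The function names `encode_spl_for_link` and `drilldown_xml` are hypothetical, and the `search?q=` link prefix is taken from the question.

```python
import re
from urllib.parse import quote
from xml.sax.saxutils import escape

# Simple XML tokens ($click.value$ etc.) must reach Splunk un-encoded so the
# dashboard can substitute them at click time; everything else is encoded.
TOKEN = re.compile(r"(\$[A-Za-z_][\w.]*\$)")

# The drilldown search from the question, as one line.
SPL = ('index=os sourcetype=events host=util04 '
       '| lookup pre_organizations.csv organization '
       '| dedup _time,event_id,counter '
       '| search event_type="cleared" severity=$click.value$ '
       '| eval eventTime=strftime(_time, "%Y-%m-%d %H:%M:%S") '
       '| table event_id,eventTime,severity,message')


def encode_spl_for_link(spl: str) -> str:
    """Percent-encode an SPL string for a <link> URL, keeping $tokens$ literal."""
    pieces = TOKEN.split(spl)  # odd indexes hold the captured tokens
    encoded = []
    for i, piece in enumerate(pieces):
        if i % 2 == 1:
            encoded.append(piece)                  # token: leave as written
        else:
            # safe="" also encodes "/", "=", "|", quotes and the "%" in the
            # strftime format, which is what broke the unencoded link.
            encoded.append(quote(piece, safe=""))
    return "".join(encoded)


def drilldown_xml(spl: str) -> str:
    """Build the <drilldown> element; escape() guards any &, < or > in the URL."""
    url = "search?q=" + encode_spl_for_link(spl)
    return ('<drilldown>\n'
            '  <link target="_blank">' + escape(url) + '</link>\n'
            '</drilldown>')


if __name__ == "__main__":
    print(drilldown_xml(SPL))
```
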