Solved: Refresh search in panel with chart click

vikas · ‎06-28-2021

Hi,

I have a dashboard setup consisting of :

1 - timepicker

2 - chart disaplying count from a search

3 - a panel (table) disaplying search results

How can I refresh the search results by clicking on the chart? Say, I click on 3 in the chart and panel below the chart named Errors will display search results for that specific time period ( in this case the panel will populate 3 errors)?

kamlesh_vaghela · ‎06-28-2021

@vikas

Can you please try this?

<form theme="light">
  <label>ERROR STATISTICS</label>
  <description>FROM LOGS</description>
  <fieldset submitButton="false" autoRun="false">
    <input type="time" token="tkn_search" searchWhenChanged="true">
      <label>Select Time Range</label>
      <default>
        <earliest>-12h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index="_internal" source="/app/splunkforwarder/var/log/splunk/splunkd_stderr.log" (Interrupt) | timechart count</query>
          <earliest>$tkn_search.earliest$</earliest>
          <latest>$tkn_search.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>

        <drilldown>
          <set token="tkn_ch_name">$click.name$</set>
          <set token="tkn_ch_value">$click.value$</set>
          <set token="tkn_ch_name2">$click.name2$</set>
          <set token="tkn_ch_value2">$click.value2$</set>
          <eval token="drilldown.earliest">$earliest$</eval>
          <eval token="drilldown.latest">$latest$</eval>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <event>
        <title>Errors</title>
        <search>
          <query>index="_internal" source="/app/splunkforwarder/var/log/splunk/splunkd_stderr.log" (Interrupt)</query>
          <earliest>$drilldown.earliest$</earliest>
          <latest>$drilldown.latest$</latest>
          <refresh>30s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela · ‎06-28-2021

@vikas

Can you please try this XML?

<dashboard>
  <label>Drilldown panels</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal | timechart span=10m useother=f count by sourcetype where max in top4</query>
          <earliest>-4h@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">area</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <set token="click_name">$click.name$</set>
          <set token="click_value">$click.value$</set>
          <set token="click_name2">$click.name2$</set>
          <set token="click_value2">$click.value2$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults | eval click_name="$click_name$", click_value="$click_value$", click_name2="$click_name2$", click_value2="$click_value2$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <html>
        click_name : $click_name$ <br/>
        click_value : $click_value$ <br/>
        click_name2 : $click_name2$ <br/>
        click_value2 : $click_value2$ <br/>
      </html>
    </panel>
  </row>
</dashboard>

You can find the token set on click of line chart. You can use those token to refresh other panels.

Please go through XML for same.

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

vikas · ‎06-28-2021

@kamlesh_vaghela So, I tried your xml with below one that I have but it isn't working. What should be the expected query at line 67 of below xml:

 <form theme="light">
  <label>ERROR STATISTICS</label>
  <description>FROM LOGS</description>
  <fieldset submitButton="false" autoRun="false">
    <input type="time" token="tkn_search" searchWhenChanged="true">
      <label>Select Time Range</label>
      <default>
        <earliest>-12h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index="_internal" source="/app/splunkforwarder/var/log/splunk/splunkd_stderr.log" (Interrupt) | timechart count</query>
          <earliest>$tkn_search.earliest$</earliest>
          <latest>$tkn_search.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>

        <drilldown>
          <set token="tkn_ch_name">$click.name$</set>
          <set token="tkn_ch_value">$click.value$</set>
          <set token="tkn_ch_name2">$click.name2$</set>
          <set token="tkn_ch_value2">$click.value2$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <event>
        <title>Errors</title>
        <search>
          <query>? What should be the query here?</query>
          <earliest>$tkn_search.earliest$</earliest>
          <latest>$tkn_search.latest$</latest>
          <refresh>30s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

kamlesh_vaghela · ‎06-28-2021

@vikas

Can you please try this?

<form theme="light">
  <label>ERROR STATISTICS</label>
  <description>FROM LOGS</description>
  <fieldset submitButton="false" autoRun="false">
    <input type="time" token="tkn_search" searchWhenChanged="true">
      <label>Select Time Range</label>
      <default>
        <earliest>-12h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index="_internal" source="/app/splunkforwarder/var/log/splunk/splunkd_stderr.log" (Interrupt) | timechart count</query>
          <earliest>$tkn_search.earliest$</earliest>
          <latest>$tkn_search.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>

        <drilldown>
          <set token="tkn_ch_name">$click.name$</set>
          <set token="tkn_ch_value">$click.value$</set>
          <set token="tkn_ch_name2">$click.name2$</set>
          <set token="tkn_ch_value2">$click.value2$</set>
          <eval token="drilldown.earliest">$earliest$</eval>
          <eval token="drilldown.latest">$latest$</eval>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <event>
        <title>Errors</title>
        <search>
          <query>index="_internal" source="/app/splunkforwarder/var/log/splunk/splunkd_stderr.log" (Interrupt)</query>
          <earliest>$drilldown.earliest$</earliest>
          <latest>$drilldown.latest$</latest>
          <refresh>30s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

ITWhisperer · ‎06-28-2021

Hover over the bottom right of the chart and click the refresh icon

vikas · ‎06-28-2021

i edited my query. I want to click on numbers on the chart and update the panel below the chart with the search results.

Refresh search in panel with chart click

chart

Dashboard Studio

panel

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases