Dashboards & Visualizations

Refresh search in panel with chart click

vikas
Explorer

Hi,

I have a dashboard setup consisting of :

1 - timepicker

2 - chart disaplying count from a search

3 - a panel (table) disaplying search results

image.png

image.png

How can I refresh the search results by clicking on the chart? Say, I click on 3 in the chart and panel below the chart named Errors will display search results for that specific time period ( in this case the panel will populate 3 errors)? 

Labels (3)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@vikas 

Can you please try this?

<form theme="light">
  <label>ERROR STATISTICS</label>
  <description>FROM LOGS</description>
  <fieldset submitButton="false" autoRun="false">
    <input type="time" token="tkn_search" searchWhenChanged="true">
      <label>Select Time Range</label>
      <default>
        <earliest>-12h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index="_internal" source="/app/splunkforwarder/var/log/splunk/splunkd_stderr.log" (Interrupt) | timechart count</query>
          <earliest>$tkn_search.earliest$</earliest>
          <latest>$tkn_search.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>

        <drilldown>
          <set token="tkn_ch_name">$click.name$</set>
          <set token="tkn_ch_value">$click.value$</set>
          <set token="tkn_ch_name2">$click.name2$</set>
          <set token="tkn_ch_value2">$click.value2$</set>
          <eval token="drilldown.earliest">$earliest$</eval>
          <eval token="drilldown.latest">$latest$</eval>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <event>
        <title>Errors</title>
        <search>
          <query>index="_internal" source="/app/splunkforwarder/var/log/splunk/splunkd_stderr.log" (Interrupt)</query>
          <earliest>$drilldown.earliest$</earliest>
          <latest>$drilldown.latest$</latest>
          <refresh>30s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela
SplunkTrust
SplunkTrust

@vikas 

Can you please try this XML?

<dashboard>
  <label>Drilldown panels</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal | timechart span=10m useother=f count by sourcetype where max in top4</query>
          <earliest>-4h@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">area</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <set token="click_name">$click.name$</set>
          <set token="click_value">$click.value$</set>
          <set token="click_name2">$click.name2$</set>
          <set token="click_value2">$click.value2$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults | eval click_name="$click_name$", click_value="$click_value$", click_name2="$click_name2$", click_value2="$click_value2$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <html>
        click_name : $click_name$ <br/>
        click_value : $click_value$ <br/>
        click_name2 : $click_name2$ <br/>
        click_value2 : $click_value2$ <br/>
      </html>
    </panel>
  </row>
</dashboard>

 

You can find the token set on click of line chart. You can use those token to refresh other panels. 

Please go through XML for same.

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma

vikas
Explorer

@kamlesh_vaghela So, I tried your xml with below one that I have but it isn't working. What should be the expected query at line 67 of below xml:

 

 <form theme="light">
  <label>ERROR STATISTICS</label>
  <description>FROM LOGS</description>
  <fieldset submitButton="false" autoRun="false">
    <input type="time" token="tkn_search" searchWhenChanged="true">
      <label>Select Time Range</label>
      <default>
        <earliest>-12h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index="_internal" source="/app/splunkforwarder/var/log/splunk/splunkd_stderr.log" (Interrupt) | timechart count</query>
          <earliest>$tkn_search.earliest$</earliest>
          <latest>$tkn_search.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>

        <drilldown>
          <set token="tkn_ch_name">$click.name$</set>
          <set token="tkn_ch_value">$click.value$</set>
          <set token="tkn_ch_name2">$click.name2$</set>
          <set token="tkn_ch_value2">$click.value2$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <event>
        <title>Errors</title>
        <search>
          <query>? What should be the query here?</query>
          <earliest>$tkn_search.earliest$</earliest>
          <latest>$tkn_search.latest$</latest>
          <refresh>30s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

 

 

 

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@vikas 

Can you please try this?

<form theme="light">
  <label>ERROR STATISTICS</label>
  <description>FROM LOGS</description>
  <fieldset submitButton="false" autoRun="false">
    <input type="time" token="tkn_search" searchWhenChanged="true">
      <label>Select Time Range</label>
      <default>
        <earliest>-12h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index="_internal" source="/app/splunkforwarder/var/log/splunk/splunkd_stderr.log" (Interrupt) | timechart count</query>
          <earliest>$tkn_search.earliest$</earliest>
          <latest>$tkn_search.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>

        <drilldown>
          <set token="tkn_ch_name">$click.name$</set>
          <set token="tkn_ch_value">$click.value$</set>
          <set token="tkn_ch_name2">$click.name2$</set>
          <set token="tkn_ch_value2">$click.value2$</set>
          <eval token="drilldown.earliest">$earliest$</eval>
          <eval token="drilldown.latest">$latest$</eval>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <event>
        <title>Errors</title>
        <search>
          <query>index="_internal" source="/app/splunkforwarder/var/log/splunk/splunkd_stderr.log" (Interrupt)</query>
          <earliest>$drilldown.earliest$</earliest>
          <latest>$drilldown.latest$</latest>
          <refresh>30s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

ITWhisperer
Legend

Hover over the bottom right of the chart and click the refresh icon

ITWhisperer_0-1624888156580.png

 

0 Karma

vikas
Explorer

i edited my query. I want to click on numbers on the chart and update the panel below the chart with the search results.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!