Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search different results with token

marco_massari11
Communicator
‎11-17-2020 08:42 AM

Hi,

I have a query like this:

index=.... hostname=* 
| eval field1=if(x="y",1,0)
| eval field2=if(x="z",1,0)
| stats sum(field1) as "field1" sum(field2) as "field2" by hostname

The result is a column chart in which I have 2 columns for each hostname that represent the count of filed1 and field2. If I click on a bar (for example filed1 for an hostname), I want to open another custom dashboard that shows other details like ip,.... But in this second dashboard I don't have only the results for field1, but also filed2. I know I need a token to filter the result, but I don't know how. Can anyone help me?

Thanks in advance

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-17-2020 01:27 PM

Run anywhere example:

  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd | eval field1=if(group="tcpin_connections",1,0) | eval field2=if(group="tcpout_connections",1,0) | stats sum(field1) as tcpin_connections sum(field2) as tcpout_connections by log_level</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisY.abbreviation">auto</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.legend.placement">top</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="showcounts">true</set>
          <set token="showloglevel">$click.value$</set>
          <set token="showgroup">$click.name2$</set>
        </drilldown>
      </chart>
    </panel>
    <panel depends="$showcounts$">
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=$showloglevel$ group=$showgroup$ | stats count by component</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisY.abbreviation">auto</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">top</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>

For your case, you could change the first query to

          <query>index=.... hostname=* 
| eval field1=if(x="y",1,0)
| eval field2=if(x="z",1,0)
| stats sum(field1) as y sum(field2) as z by hostname</query>

with perhaps tokens showhost and showx

 and the second query to

          <query>index=.... hostname=$showhost$ x=$showx$ ...</query>

View solution in original post

0 Karma
Reply
Solved! Jump to solution

t_shreya
Path Finder
‎11-18-2020 03:33 AM

@marco_massari11 , I'm not sure if I got the question completely correct.
But in case, you require only the results of the bar you clicked on, then you can retrieve the name of the field using :

<set token="clicked_field">$click.name2$</set>

 and use the token $clicked_field$ to filter results in the query of the other dashboard.

0 Karma
Reply
Solved! Jump to solution

marco_massari11
Communicator
‎11-18-2020 03:54 AM

@t_shreya  Yes, I set by drilldown tab on the first dashboard a token named "method"=$click.name2$, and the query of the first dashboard is like this:

index=.. hostname=$site$ (service=success or service=failure)
| eval site=substr(NetworkDeviceName,1,7) + substr(NetworkDeviceName, -4)
| eval field1=if(service="x",1,0)
| eval field2=if(service="y",1,0)
| stats sum(field1) as "option1" sum(field2) as "option2" by site

The result is a column chart in which I have 2 columns (count of field 1 and count for field2) for a single site

In the second dashboard I have a query like this:

index=..... hostname=....
| eval site=substr(DeviceName,1,7) + substr(DeviceName, -4)
| search site=$group$
| search service="$method$"
| table .......

Probably my mistake is in the stats beacuse in the title I put the token for the count ant it's correct

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-17-2020 11:04 AM

Instead of field1 and field2, can you name your fields y and z, that way you may be able to use the field name of the bar that is clicked to modify the search in the drilldown panel. Alternatively, will counting by x and hostname help?

0 Karma
Reply
Solved! Jump to solution

marco_massari11
Communicator
‎11-17-2020 11:31 AM

I do not understand your first option, can you explain it better? The second option can work but I don't want to show the hostname two times in the column chart. 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-17-2020 01:27 PM

Run anywhere example:

  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd | eval field1=if(group="tcpin_connections",1,0) | eval field2=if(group="tcpout_connections",1,0) | stats sum(field1) as tcpin_connections sum(field2) as tcpout_connections by log_level</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisY.abbreviation">auto</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.legend.placement">top</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="showcounts">true</set>
          <set token="showloglevel">$click.value$</set>
          <set token="showgroup">$click.name2$</set>
        </drilldown>
      </chart>
    </panel>
    <panel depends="$showcounts$">
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=$showloglevel$ group=$showgroup$ | stats count by component</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisY.abbreviation">auto</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">top</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>

For your case, you could change the first query to

          <query>index=.... hostname=* 
| eval field1=if(x="y",1,0)
| eval field2=if(x="z",1,0)
| stats sum(field1) as y sum(field2) as z by hostname</query>

with perhaps tokens showhost and showx

 and the second query to

          <query>index=.... hostname=$showhost$ x=$showx$ ...</query>
0 Karma
Reply
Solved! Jump to solution

marco_massari11
Communicator
‎11-18-2020 03:19 AM

Hi,

I think it's not working beacause I still have more result in the second query

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-18-2020 10:48 AM

I don't know what you mean by that. Can you show your SimpleXML for your dashboard panels?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...