Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Show raw data in new search on clicking the timestamp or a value using drilldown?

yamini_37
Path Finder
‎11-30-2022 03:17 AM

Hi Everyone,

I have one requirement. Below is my search query to show "no.of users logged in" for every 1 hour.

index=ABC sourcetype=xyz "PROFILE_LOGIN" |rex "PROFILE:(?<UserName>\w+)\-"
|bin _time span=1h |stats dc(UserName) as No_Of_Users_Logged_In by _time

I am getting like below:

_time No_Of_Users_Logged_In

2022-11-28 10:00 1

2022-11-28 11:00 2

I want when I click in the first row/timestamp/ No_Of_Users_Logged_In, it should show the raw logs of the events where the logged-in usernames are present in that particular time (if the time stamp is 10:00, then it should show raw events from 10:00 to 11:00). These events should open in new search .

Also, can you guide me how to view these in panel below the table using drilldown. It should be only show when we click on the values. (It’s an additional request to know the possibility)

Please guide and help me.

xml code snippet :
<row>
<panel>
<title>Number of Users Logged In</title>
<table>
<search>
<query>index=ABC sourcetype=xyz "PROFILE_LOGIN" |rex "PROFILE:(?<UserName>\w+)\-"
|bin _time span=1h |stats dc(UserName) as No_Of_Users_Logged_In by _time</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">6</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
</table>
</panel>
</row>

Labels (2)
Labels
0 Karma
Reply

yamini_37
Path Finder
‎11-30-2022 06:51 AM

@somesoni2, @jeffland , please help

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-30-2022 04:16 AM

The value from the first column of the table is stored in the $value$ token. Use this in the search as earliest and use the value +1 hour as latest.

0 Karma
Reply

yamini_37
Path Finder
‎11-30-2022 06:49 AM

@ITWhisperer

Thanks for the response, but I didn't understand it clearly. Below is the XML code of that panel. Could you please make changes in this xml snippiet.

<row>
<panel>
<title>Number of Users Logged In</title>
<table>
<search>
<query>index=ABC sourcetype=xyz "PROFILE_LOGIN" |rex "PROFILE:(?<UserName>\w+)\-"
|bin _time span=1h |stats dc(UserName) as No_Of_Users_Logged_In by _time</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">6</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
</table>
</panel>
</row>


0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-30-2022 07:32 AM

Try something like this

<row>
<panel>
<title>Number of Users Logged In</title>
<table>
<search>
<query>index=ABC sourcetype=xyz "PROFILE_LOGIN" |rex "PROFILE:(?<UserName>\w+)\-"
|bin _time span=1h |stats dc(UserName) as No_Of_Users_Logged_In by _time</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">6</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
        <drilldown>
          <eval token="earliest">$value2$</eval>
          <eval token="latest">relative_time($value2$,"+1h")</eval>
          <link target="_blank">search?q=search%20index%3DABC%20sourcetype%3Dxyz%20%2CPROFILE_LOGIN%2C&amp;earliest%3D$earliest$&amp;latest%3D$latest$</link>
        </drilldown>
</table>
</panel>
</row>
0 Karma
Reply

yamini_37
Path Finder
‎11-30-2022 10:11 AM

@ITWhisperer

earliest and latest tokens are not working. When I clicked on the cell, the new tab got opened with the search query " index=ABC sourcetype=xyz "PROFILE_LOGIN" and time picker set to "last 15 minutes". I tried modifying the time tokens but no luck.

Plz help

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-30-2022 10:32 AM 
          <eval token="earliest">$click.value$</eval>
          <eval token="latest">relative_time($click.value$,"+1h@h")</eval>
0 Karma
Reply

yamini_37
Path Finder
‎11-30-2022 09:31 PM

@ITWhispererI tried this too, it's not working (picture attached). Any other suggestions, please?

Preview file
44 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...