Imagine 🙂 I have application A, B and C
and inside those applications I have
A_errType1... A_errType5, B_errType1, B_errType2, C.errType1 .. C.errType3 etc..
I am reading all applications from the same type of log file(s). So my question is,
Are there any chance to have a summarizing dashboard (lets call it TimeChart tool) for all data such as "Count of errors on each app" and link this dashboard to sub-dashboards to have detailed information on each application type. lets say we have 10,20,30 of application errors on A,B and C. I choose application C and it returns me another board that shows totals of "errType"s of the same application like errType1 5, errType2 15, errType3 3
This sounds doable in Simple XML.
My understanding here is that you would like the drilldown to link to different dashboards based on the application clicked on, correct? To do this, you will need to,
I tested this, and in Splunk 5 doesn´t works if you hide the field with the "fields - fieldname" command. Althougt it works fine without hidding the field...
Does you solution works in Splunk 6?
In my research, It seems more feasible to use table chart drilldown which could be found:
I still don't have the exact answer, so if you have more ideas, please share it here.
That sounds quite doable with either SplunkJS/Webframework or AdvancedXML/SideviewUtils... not sure how doable it'd be with SimpleXML.
How that'd look depends on what you specifically need, but in general the idea would be to have a summarizing dashboard with charts or tables and custom drilldown underneath. Those drilldowns would look at what application your error type came from and apply that as a filter to the next dashboard.