Dashboards & Visualizations

Subreport from form view with table and multiple fields

RobertRi
Communicator

Hi

I have a simple view which outputs a table with 4 fields in a row which are grouped.

This is an example of the output

AppName Servers  Status
App1    Server1  OK
App1    Server2  NotOK

If I click the second result in this view to see the events that are in status NotOK for App1 and Server2, than all Servers from App1 with all Statis where displayed. Is there a possibility to show only the events which are in Status NotOK for Server2 and App1 ?

Thanks for your hints
Robert

Tags (1)
0 Karma

RobertRi
Communicator

Hi

Thanks for your answer.
It doesn't work correctly, because If I go to the line in the table on the second field it highlights the first two fields. If I would like to include the third field in the drilldown too and go on the third field in the row, then only the first and the third field is highlighted and the subsearch include only the first and the third field but not the second field.

Here the view xml file

<form>  
   <label>App - Overview</label> 
      <searchTemplate>index="app" sourcetype="app_status" $Arg1$ | stats count by app_name, app_server, app_status</searchTemplate> 

  <fieldset autoRun="false">
      <input type="text" token="Arg1"> 
         <label>Choose how many hours ago it should display</label> 
         <prefix>starthoursago="</prefix>
         <default>12</default> 
         <suffix>"</suffix> 
         <seed>12</seed>
      </input>
      </fieldset>

   <row>
      <table>
        <title>App Overview</title>
        <option name="count">100</option> 
        <option name="drilldown">all</option>
      </table>
   </row>

</form>

Did you have any hint why this happens ?

Many Thanks
Rob

0 Karma

RobertRi
Communicator

Sorry but advanced xml is too difficult.
I have combined the second and third field and this works too

Thanks
Robert

0 Karma

Ayn
Legend

You cannot drilldown on multiple values with standard Splunk modules. Check out Sideview Utils which can do this.

0 Karma

Ayn
Legend

Yes.

This is controlled by what drilldown type is defined for your table. By default drilldown is based on row, which means Splunk takes the first value of the row you're clicking on and drills down based on that. The other option is to have drilldown on cell, which means the value of the specific cell you're clicking on is used instead. To change the drilldown type, either use the Visual Dashboard Editor and edit the panel in question, or edit the XML yourself. If you go for the latter, what you want is to put the following option inside the <table> section:

<option name="drilldown">all</option>
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...