Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Table Drilldown into a defaut flashline

ChhayaV
Communicator
‎08-16-2013 05:23 AM

Hi,

I have a dashboard panel showing data in a tabular structure.
Here i just wanted a drilldown into a default flashtimeline on click of table's row(any value of a table).
Here is the advanced xml :

<module name="HiddenSearch" layoutPanel="panel_row4_col1" group="Recommendation for ErrorCodes" autoRun="True">
       <param name="search">host="sharepoint" | rex field=msg "\sMore\sinformation:\s(?&lt;ErrorIdentifierField&gt;[\dxA-F]+)" | eventstats count by ErrorIdentifierField  | sort -count |  table ErrorIdentifierField count  </param>
        <module name="SimpleResultsTable">
            <param name="entityName">results </param>
            <param name="dataOverlayMode">heatmap </param>
            <param name="drilldown">all </param>                
          <module name="ConvertToDrilldownSearch">
              <module name="ViewRedirector">
              <param name="viewTarget">flashtimeline </param>
              <param name="popup">True </param>
              </module>
          </module>
       </module>

          <module name="ViewRedirectorLink">
            <param name="viewTarget">flashtimeline </param>
         </module>

   </module>

Here the problem is when i click on the table's row/any of the value its not drilling down to a default flashtimeline but shows same tabular structure. Now in this tabular structure if i click agian then it will show the table but containing only clicked(the value which clicked) value.Here i wanted to show the default flashtimeline for the clicked values.
So pls help with the advance xml for this.

Thank you

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎09-12-2013 10:36 PM

I think the problem isn't so much with the advanced XML as with the search.

Instead of the eventstats command I think you want to be using the stats command. Eventstats is an advanced command designed for more complex use cases and here it's just going to give you a lot of strange duplicates in your final results.

This search on the other hand:

host="sharepoint" | rex field=msg "\sMore\sinformation:\s(?&lt;ErrorIdentifierField&gt;[\dxA-F]+)" | stats count by ErrorIdentifierField | sort - count

will only have one row per ErrorIdentifierField, and as a bonus, when you click a row the generic drilldown will work as you expect. I think it's the eventstats that is making the drilldown logic behave oddly.

I also recommend setting the drilldown param to just "row".

<param name="drilldown">row</param>
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...