Dashboards & Visualizations
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Table Drilldown into a defaut flashline

ChhayaV
Communicator
‎08-16-2013 05:23 AM

Hi,

I have a dashboard panel showing data in a tabular structure.
Here i just wanted a drilldown into a default flashtimeline on click of table's row(any value of a table).
Here is the advanced xml :

<module name="HiddenSearch" layoutPanel="panel_row4_col1" group="Recommendation for ErrorCodes" autoRun="True">
       <param name="search">host="sharepoint" | rex field=msg "\sMore\sinformation:\s(?&lt;ErrorIdentifierField&gt;[\dxA-F]+)" | eventstats count by ErrorIdentifierField  | sort -count |  table ErrorIdentifierField count  </param>
        <module name="SimpleResultsTable">
            <param name="entityName">results </param>
            <param name="dataOverlayMode">heatmap </param>
            <param name="drilldown">all </param>                
          <module name="ConvertToDrilldownSearch">
              <module name="ViewRedirector">
              <param name="viewTarget">flashtimeline </param>
              <param name="popup">True </param>
              </module>
          </module>
       </module>

          <module name="ViewRedirectorLink">
            <param name="viewTarget">flashtimeline </param>
         </module>

   </module>

Here the problem is when i click on the table's row/any of the value its not drilling down to a default flashtimeline but shows same tabular structure. Now in this tabular structure if i click agian then it will show the table but containing only clicked(the value which clicked) value.Here i wanted to show the default flashtimeline for the clicked values.
So pls help with the advance xml for this.

Thank you

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎09-12-2013 10:36 PM

I think the problem isn't so much with the advanced XML as with the search.

Instead of the eventstats command I think you want to be using the stats command. Eventstats is an advanced command designed for more complex use cases and here it's just going to give you a lot of strange duplicates in your final results.

This search on the other hand:

host="sharepoint" | rex field=msg "\sMore\sinformation:\s(?&lt;ErrorIdentifierField&gt;[\dxA-F]+)" | stats count by ErrorIdentifierField | sort - count

will only have one row per ErrorIdentifierField, and as a bonus, when you click a row the generic drilldown will work as you expect. I think it's the eventstats that is making the drilldown logic behave oddly.

I also recommend setting the drilldown param to just "row".

<param name="drilldown">row</param>
0 Karma
Reply
Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

The Splunk Community is a powerful network of users, educators, and organizations working together to tackle ...
Top