Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Using HiddenPostProcess to emulate flashtimeline
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've got a dashboard I'm building that has a column flashchart displaying port counts for a time range. I need to have the ability to click on a time range and then populate a new chart on the same dashboard with the breakdown of port information for the time range clicked.
Can I use HiddenPostProcess to achieve this behavior or is there a better way?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's totally possible but you wouldnt normally use postProcess to do it. And you'll need to be using the Advanced XML but it sounds like you're there already.
At a high level you put other modules inside the FlashChart. They'll remain hidden until the user clicks the chart.
The UI examples app has some examples around so called 'inline drilldown'. 'inline' meaning where the drilldown is done on the same page instead of redirecting.
Starting at the FlashChart in question, if you're not doing anything fancy and you want the drilldown to show the events that 'correspond to' the given timebucket in the timechart, the config looks like this:
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">250px</param>
<module name="ConvertToDrilldownSearch">
[[ your tables/charts/headers to render the drilldown search go here]]
</module>
</module>
If on the other hand you want the drilldown search to use the time arguments from the click but do something different with them,
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">250px</param>
<module name="HiddenSearch">
<param name="search">CUSTOM SEARCH | timechart count</param>
<module name="ConvertToDrilldownSearch">
[[ your tables/charts/headers to render the drilldown search go here]]
</module>
</module>
</module>
Notes:
1) In this second example, its important that the custom search has the exact same reporting clause on the end that the main outer search does. So if the chart they click on had 'timechart count', you have the same report clause on the end of your drilldown search. If it had "stats sum(bytes) by userId", then you put that exact clause etc..
2) The order of HiddenSearch vs ConvertToDrilldownSearch doesnt actually matter. If it feels better to flip the containment relationship of those two, go for it. Essentially ConvertToDrilldownSearch
Definitely check out the "UI Examples for 4.1" app on splunkbase and pay careful attention to the copy and examples in "Advanced XML > Drilldown Intro"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's totally possible but you wouldnt normally use postProcess to do it. And you'll need to be using the Advanced XML but it sounds like you're there already.
At a high level you put other modules inside the FlashChart. They'll remain hidden until the user clicks the chart.
The UI examples app has some examples around so called 'inline drilldown'. 'inline' meaning where the drilldown is done on the same page instead of redirecting.
Starting at the FlashChart in question, if you're not doing anything fancy and you want the drilldown to show the events that 'correspond to' the given timebucket in the timechart, the config looks like this:
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">250px</param>
<module name="ConvertToDrilldownSearch">
[[ your tables/charts/headers to render the drilldown search go here]]
</module>
</module>
If on the other hand you want the drilldown search to use the time arguments from the click but do something different with them,
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">250px</param>
<module name="HiddenSearch">
<param name="search">CUSTOM SEARCH | timechart count</param>
<module name="ConvertToDrilldownSearch">
[[ your tables/charts/headers to render the drilldown search go here]]
</module>
</module>
</module>
Notes:
1) In this second example, its important that the custom search has the exact same reporting clause on the end that the main outer search does. So if the chart they click on had 'timechart count', you have the same report clause on the end of your drilldown search. If it had "stats sum(bytes) by userId", then you put that exact clause etc..
2) The order of HiddenSearch vs ConvertToDrilldownSearch doesnt actually matter. If it feels better to flip the containment relationship of those two, go for it. Essentially ConvertToDrilldownSearch
Definitely check out the "UI Examples for 4.1" app on splunkbase and pay careful attention to the copy and examples in "Advanced XML > Drilldown Intro"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
