- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Why are Values for 2nd panel not coming from 1st p...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why are Values for 2nd panel not coming from 1st panel?
Hi Team,
I have created two panels
My first panel details are:
<query>
<![CDATA[index=abc ns=blazegateway app_name=blazecrsgateway* "serviceResponseStatus" $Ope$ $caller$ $status$
|rex field=_raw "operation:(?P<Operation>.*), serviceResponseStatus"
|rex field=_raw "caller:(?P<Caller>.*) =" |rex field=_raw "serviceResponseTime\(ms\)=(?P<Response_Time>.*)"
| eventstats count by Caller|rename Caller as "GRS Caller"
|lookup ApplicationRef.csv GRSCaller as "GRS Caller" OUTPUT DisplayName
|rename "GRS Caller" as "GRSCaller"
|eval CallerName=If(isnull(DisplayName),GRSCaller,DisplayName)
| table CallerName Operation Response_Time serviceResponseStatus date|rename CallerName as "GRS Caller"
| rename date as "Date" | rename serviceResponseStatus as "Response_Status"|sort - Date]]>
<drilldown>
<set token="show_panel1">true</set>
<set token="selected_value">$click.value$</set>
</drilldown>
From this I am getting details as below:
GRS Caller Operation ResponseTime Status Date
OneForce ls 286 ms Success 2022-06-27
OneForce dmrupload 381 ms Failure 2022-06-27
I want when I click on 1st row the detailed description of 1st row should come.
Can someone guide me what query I can make for 2nd panel extraction
Currently I have make this but its not working
<row>
<panel depends="$show_panel1$">
<table>
<title>Caller Details1</title>
<search>
<query>abc ns=blazegateway app_name=blazecrsgateway* "serviceResponseStatus" $Ope$ $caller$ $status$ $selected_value$ </query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
</table>
</panel>
</row>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where does your 'detailed description' come from and what would be the search that finds this - you are just using the token $selected_value$
$click.value$ will not be useful for the drilldown - your drilldown setting should be "row" and the tokens set should be
<drilldown>
<set token="show_panel1">true</set>
<set token="selected_caller">$row.GRS Caller$</set>
<set token="selected_op">$row.Operation$</set>
<set token="selected_rt">$row.ResponseTime$</set>
<set token="selected_tatus">$row.Status$</set>
<set token="selected_date">$row.Date$</set>
<set token="selected_XXX">$row.other_field1...$</set>
</drilldown>However, you are doing lots of other stuff in your original search which means the clicked row will not be useful for the search, e.g. you extract Operation via a rex statement.
It would be better to just 'save' all the fields you want from the first search and then display them with a simple query in the second panel.
i.e. collect ALL the fields you want into the table statement in the first search. Then add
<fields>"GRS Caller","Operation"."Response_Time","Response_Status","Date"
</fields>in the XML to restrict what fields are shown
in the second panel just make the query do something like
| makeresults
| eval GRS_Caller=$selected_caller$
| eval Operation=$selected_op$
... other eval statements to assign fields from tokens
| table your_wanted_fields
Build Scalable Security While Moving to Cloud - Guide From Clayton Homes
Mission Control | Explore the latest release of Splunk Mission Control (2.3)
Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7
