Dashboards & Visualizations

Why are Values for 2nd panel not coming from 1st panel?

aditsss
Motivator

Hi Team,

I have created two panels

My first panel details are:

<query>
<![CDATA[index=abc ns=blazegateway app_name=blazecrsgateway* "serviceResponseStatus" $Ope$ $caller$ $status$
|rex field=_raw "operation:(?P<Operation>.*), serviceResponseStatus"
|rex field=_raw "caller:(?P<Caller>.*) =" |rex field=_raw "serviceResponseTime\(ms\)=(?P<Response_Time>.*)"
| eventstats count by Caller|rename Caller as "GRS Caller"
|lookup ApplicationRef.csv GRSCaller as "GRS Caller" OUTPUT DisplayName
|rename "GRS Caller" as "GRSCaller"
|eval CallerName=If(isnull(DisplayName),GRSCaller,DisplayName)
| table CallerName Operation Response_Time serviceResponseStatus date|rename CallerName as "GRS Caller"
| rename date as "Date" | rename serviceResponseStatus as "Response_Status"|sort - Date]]>

<drilldown>
<set token="show_panel1">true</set>
<set token="selected_value">$click.value$</set>
</drilldown>

 

From this I am getting details as below:

GRS Caller   Operation   ResponseTime   Status         Date

OneForce     ls                       286 ms                   Success    2022-06-27
OneForce     dmrupload      381 ms                    Failure   2022-06-27

 

I want when I click on 1st row the detailed description of 1st row should come.

Can someone guide me what query I can make for 2nd panel extraction

Currently I have make this but its not working

 

<row>
<panel depends="$show_panel1$">
<table>
<title>Caller Details1</title>
<search>
<query>abc ns=blazegateway app_name=blazecrsgateway* "serviceResponseStatus" $Ope$ $caller$ $status$ $selected_value$ </query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
</table>
</panel>
</row>

 

Labels (3)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

Where does your 'detailed description' come from and what would be the search that finds this - you are just using the token $selected_value$

$click.value$ will not be useful for the drilldown - your drilldown setting should be "row" and the tokens set should be

<drilldown>
  <set token="show_panel1">true</set>
  <set token="selected_caller">$row.GRS Caller$</set>
  <set token="selected_op">$row.Operation$</set>
  <set token="selected_rt">$row.ResponseTime$</set>
  <set token="selected_tatus">$row.Status$</set>
  <set token="selected_date">$row.Date$</set>
  <set token="selected_XXX">$row.other_field1...$</set>
</drilldown>

However, you are doing lots of other stuff in your original search which means the clicked row will not be useful for the search, e.g. you extract Operation via a rex statement.

It would be better to just 'save' all the fields you want from the first search and then display them with a simple query in the second panel.

i.e. collect ALL the fields you want into the table statement in the first search. Then add

<fields>"GRS Caller","Operation"."Response_Time","Response_Status","Date"
</fields>

in the XML to restrict what fields are shown

in the second panel just make the query do something like

| makeresults
| eval GRS_Caller=$selected_caller$
| eval Operation=$selected_op$
... other eval statements to assign fields from tokens
| table your_wanted_fields
0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...