Dashboards & Visualizations

Why are tokens not replaced in Events drilldown?

Communicator

Hi,

I have the following dashboard (for demo purposes only):

<form>
  <label>EventDrilldown</label>
  <fieldset submitButton="false">
    <input type="time" token="timeRange">
      <label></label>
      <default>
        <earliest>-5m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=* | head 3</query>
          <earliest>$timeRange.earliest$</earliest>
          <latest>$timeRange.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">table</option>
      </event>
    </panel>
  </row>
</form>

When you click in a cell the automatic drilldown takes me to the search dashboard but does not set the correct time range; It seems like the tokens are not replaced, resulting in an invalid time range:

alt text

Does anyone know why this is happening? I'm pretty sure this worked before...

Kind regards,
Dominik

PS: I'm on splunk enterprise V6.5.2 (but this happens on my local splunk free installation too)

0 Karma
1 Solution

SplunkTrust
SplunkTrust

[Updated Answer]
Change your Search query to the following and it should work (use earliest and latest with tokens in your base search rather than search tags:

     <search>
       <query>index=_internal sourcetype=splunkd earliest=$timeRange.earliest$ latest=$timeRange.latest$| head 3</query>
       <earliest></earliest>
       <latest></latest>
       <sampleRatio>1</sampleRatio>
     </search>

table.drilldown options takes only True or False values

<option name="table.drilldown">True</option>

You are using both table.drilldown as well as raw.drilldown. Please check which one you actually need.

Refer to Drilldown Event example in Splunk 6.x Dashboard Examples app.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

SplunkTrust
SplunkTrust

[Updated Answer]
Change your Search query to the following and it should work (use earliest and latest with tokens in your base search rather than search tags:

     <search>
       <query>index=_internal sourcetype=splunkd earliest=$timeRange.earliest$ latest=$timeRange.latest$| head 3</query>
       <earliest></earliest>
       <latest></latest>
       <sampleRatio>1</sampleRatio>
     </search>

table.drilldown options takes only True or False values

<option name="table.drilldown">True</option>

You are using both table.drilldown as well as raw.drilldown. Please check which one you actually need.

Refer to Drilldown Event example in Splunk 6.x Dashboard Examples app.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Communicator

table.drilldown options takes only True or False values
According to http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML it takes the values all and none, although the Simple XML validator indicates that a boolean value is required.

You are using both table.drilldown as well as row.drilldown.
I use table.drilldown and raw.drilldown . And list.drilldown. All three were created when I saved a search as dashboard panel. Changing table.drilldown to a boolean value and removing the others resulted in the same error (because the time range tokens are not replaced when performing a drilldown).

Refer to Drilldown Event example in Splunk 6.x Dashboard Examples app.
Neither the Drilldown Event nor the Events Viewer Element examples use tokens. Therefore they don't really help here.

Were you able to reproduce the problem?

0 Karma

SplunkTrust
SplunkTrust

@krdo I have updated my answers with the earliest and latest time to be included in the base search.
Sorry row.drilldown was a typo... I corrected that also. Please try out the query and it should work fine... Let me know otherwise... I will mark this as a comment for the community to pick up and answer!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Communicator

Thanks @niketnilay, using earliest & latest in the search query actually did the trick!

0 Karma