Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are tokens not replaced in Events drilldown?

krdo
Communicator
‎03-06-2017 10:45 PM

Hi,

I have the following dashboard (for demo purposes only):

<form>
  <label>EventDrilldown</label>
  <fieldset submitButton="false">
    <input type="time" token="timeRange">
      <label></label>
      <default>
        <earliest>-5m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=* | head 3</query>
          <earliest>$timeRange.earliest$</earliest>
          <latest>$timeRange.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">table</option>
      </event>
    </panel>
  </row>
</form>

When you click in a cell the automatic drilldown takes me to the search dashboard but does not set the correct time range; It seems like the tokens are not replaced, resulting in an invalid time range:

alt text

Does anyone know why this is happening? I'm pretty sure this worked before...

Kind regards,
Dominik

PS: I'm on splunk enterprise V6.5.2 (but this happens on my local splunk free installation too)

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎03-07-2017 12:58 AM

[Updated Answer]
Change your Search query to the following and it should work (use earliest and latest with tokens in your base search rather than search tags:

     <search>
       <query>index=_internal sourcetype=splunkd earliest=$timeRange.earliest$ latest=$timeRange.latest$| head 3</query>
       <earliest></earliest>
       <latest></latest>
       <sampleRatio>1</sampleRatio>
     </search>

table.drilldown options takes only True or False values

<option name="table.drilldown">True</option>

You are using both table.drilldown as well as raw.drilldown. Please check which one you actually need.

Refer to Drilldown Event example in Splunk 6.x Dashboard Examples app.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎03-07-2017 12:58 AM

[Updated Answer]
Change your Search query to the following and it should work (use earliest and latest with tokens in your base search rather than search tags:

     <search>
       <query>index=_internal sourcetype=splunkd earliest=$timeRange.earliest$ latest=$timeRange.latest$| head 3</query>
       <earliest></earliest>
       <latest></latest>
       <sampleRatio>1</sampleRatio>
     </search>

table.drilldown options takes only True or False values

<option name="table.drilldown">True</option>

You are using both table.drilldown as well as raw.drilldown. Please check which one you actually need.

Refer to Drilldown Event example in Splunk 6.x Dashboard Examples app.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

krdo
Communicator
‎03-07-2017 01:34 AM

table.drilldown options takes only True or False values
According to http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML it takes the values all and none, although the Simple XML validator indicates that a boolean value is required.

You are using both table.drilldown as well as row.drilldown.
I use table.drilldown and raw.drilldown . And list.drilldown. All three were created when I saved a search as dashboard panel. Changing table.drilldown to a boolean value and removing the others resulted in the same error (because the time range tokens are not replaced when performing a drilldown).

Refer to Drilldown Event example in Splunk 6.x Dashboard Examples app.
Neither the Drilldown Event nor the Events Viewer Element examples use tokens. Therefore they don't really help here.

Were you able to reproduce the problem?

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-07-2017 12:04 PM

@krdo I have updated my answers with the earliest and latest time to be included in the base search.
Sorry row.drilldown was a typo... I corrected that also. Please try out the query and it should work fine... Let me know otherwise... I will mark this as a comment for the community to pick up and answer!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

krdo
Communicator
‎03-07-2017 10:26 PM

Thanks @niketnilay, using earliest & latest in the search query actually did the trick!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...