
Why isn't drilldown showing the correct result?

aditsss
Motivator

Hi All,

I have created one panel where I am showing ERRORS for the app in bar chart format.

Below is my query. I have also made the drilldown value clickable.

<query>index=eabc ns=blazepsfpublish CASE(ERROR) |rex field=_raw "(?&lt;!LogLevel=)ERROR(?&lt;Error_Message&gt;.*)" | eval Date=strftime(_time, "%Y-%m-%d") |dedup Error_Message |timechart span=1d count(Error_Message) by app_name</query>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.drilldown">all</option>

<drilldown>
<set token="show">true</set>
<set token="selected_value">$click.value$</set>
</drilldown>

Currently I am only getting the number of errors in bar chart format.

I want it so that when I click on the bar chart, it shows the raw logs for the error.

I have created a dependent panel with the query below, but it's not showing raw logs:

<panel depends="$show$">
<table>
<title>Errors</title>
<search>
<query>index=abc ns=blazepsfpublish CASE(ERROR)|rex field=_raw "(?&lt;!LogLevel=)ERROR(?&lt;Error_Message&gt;.*)" | eval Date=strftime(_time, "%Y-%m-%d") |dedup Error_Message |timechart span=1d count(Error_Message) by app_name $selected_value$ </query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
</table>
</panel>

Can someone guide me here?


ITWhisperer
SplunkTrust

It is not clear what you are trying to do here.

Your first query has a timechart span=1d by app_name, therefore you will have bars for each day for each app.

When you click on a bar, you will have a number of tokens available in the drilldown to indicate where on the chart the user clicked: $click.value$ (as you have used in your example) will contain the value of the day the user clicked; $click.name2$ will contain the name of the series, i.e., the app_name.

You can use these to set tokens to pass to your second query.

Your second query also has a timechart command, so it is not going to show the raw events. You should determine what the search for the second panel needs to look like to show the data you want, then use the tokens from the drilldown to filter the results according to what the user clicked.


VatsalJagani
SplunkTrust

@aditsss - As @ITWhisperer suggested, it depends on what exactly you are trying to achieve, but here is one thing you might be interested in. You could tweak this slightly to achieve whatever you want.

Update Panel-1 Drilldown

<drilldown>
<set token="show">true</set>
<!-- $click.value$ is the x-axis value (the clicked day); $click.name2$ is the series name (app_name) -->
<set token="selected_time">$click.value$</set>
<set token="selected_app">$click.name2$</set>
</drilldown>


Update panel-2's query like this:

<query>index=abc ns=blazepsfpublish CASE(ERROR) app_name=$selected_app|s$ | bin span=1d _time | search _time=$selected_time$ | rex field=_raw "(?&lt;!LogLevel=)ERROR(?&lt;Error_Message&gt;.*)"</query>

Not sure if you really need the last rex part or not, but the important part here is "app_name=$selected_app|s$ | bin span=1d _time | search _time=$selected_time$".


I hope this helps!!!

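A complete two-panel Simple XML dashboard that puts both answers together: the drilldown tokens ITWhisperer describes ($click.name2$ for the series name) feed a second panel that shows raw events instead of running another timechart, and the app_name token is quoted with the |s filter as in VatsalJagani's query. This is an added example, not the original poster's dashboard or either answerer's code. It assumes the index, ns value and app_name field from the thread; the panel titles, the token names selected_app, sel_earliest and sel_latest, and the use of the built-in $earliest$/$latest$ drilldown tokens for the clicked day are this example's own choices.

```xml
<!-- Added example, not the thread's dashboard. Assumes index=abc, ns=blazepsfpublish
     and an app_name field exist as described in the question; all token names are
     chosen here. -->
<form>
  <label>Errors by app with raw-event drilldown (example)</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label>Time range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Distinct error messages per day, by app</title>
      <chart>
        <search>
          <query>index=abc ns=blazepsfpublish CASE(ERROR)
| rex field=_raw "(?&lt;!LogLevel=)ERROR(?&lt;Error_Message&gt;.*)"
| dedup Error_Message
| timechart span=1d count(Error_Message) by app_name</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <!-- $click.name2$ is the series the user clicked (the app_name value).
               $earliest$ and $latest$ are the drilldown's built-in tokens for a
               time-based x-axis: the start and end of the clicked 1-day bucket. -->
          <set token="show">true</set>
          <set token="selected_app">$click.name2$</set>
          <set token="sel_earliest">$earliest$</set>
          <set token="sel_latest">$latest$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel depends="$show$">
      <title>Raw ERROR events for $selected_app$</title>
      <!-- An event viewer, not a table fed by timechart, so _raw is displayed.
           The |s filter wraps the token value in double quotes and escapes any
           quotes inside it, so a series name containing spaces or search
           operators is treated as a literal value rather than extra SPL. -->
      <event>
        <search>
          <query>index=abc ns=blazepsfpublish CASE(ERROR) app_name=$selected_app|s$</query>
          <earliest>$sel_earliest$</earliest>
          <latest>$sel_latest$</latest>
        </search>
        <option name="count">100</option>
      </event>
    </panel>
  </row>
</form>
```

Using the clicked bucket's $earliest$/$latest$ as the second panel's time range avoids the `bin` plus `search _time=...` comparison altogether, and the events panel inherits the base search's index and ns filters so the user cannot widen the scope of the drilldown beyond what the first panel already shows.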

