
How can I replace the token value which I get after clicking a bar chart in a dashboard?

sanjum01
Explorer

I am trying to assign the numeric value back to the $ps$ token, which I changed to ProcessingStepName1, ProcessingStepName2, ProcessingStepName3, ProcessingStepName4 by Eval.
After I click a bar in the bar chart, the token $ps$ gets one of the processing step names (ProcessingStepName1, ProcessingStepName2, ProcessingStepName3, ProcessingStepName4) as its value, but I need to change the names back to the numbers which I changed by Eval. How should I do that? I tried Eval to do so, but it is not working. Any suggestions, please?

<dashboard>
<label>Processing_Step_Clone_2</label>
<row>
<panel>
<chart>
<title>$form.Source$ between $form.earliest_date$ $form.second_dash.earliest$ - $form.second_dash.latest$</title>
<search>
<query>index=Idx1 sourcetype=sourcetype#  Datatype=$form.Datatype$
|spath Source | search Source=$form.Source$
|eval type = if(ProcessStatus=0,"Success","Failure")
|eval ProcessingStep=if(ProcessingStep="6","ProcessingStepName1",ProcessingStep)
|eval ProcessingStep=if(ProcessingStep="21","ProcessingStepName2",ProcessingStep)
|eval ProcessingStep=if(ProcessingStep="1","ProcessingStepName3",ProcessingStep)
|eval ProcessingStep=if(ProcessingStep="2","ProcessingStepName4",ProcessingStep)
|chart count over ProcessingStep
</query>
<earliest>$form.second_dash.earliest$</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
.
.
.
<option name="trellis.size">medium</option>
<drilldown>
<set token="ps">$click.value$</set>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel>
<chart>
<title>Success/Failure visualization for $ps$ </title>
<search>
<query>index=Idx1 sourcetype=sourcetype# Datatype=$form.Datatype$
| spath Source | search Source=$form.Source$
| eval type = if(ProcessStatus=0,"Success","Failure")
| search ProcessingStep=$ps$
| timechart count by type</query>
<earliest>$form.second_dash.earliest$</earliest>
<latest>now</latest>
</search>
</chart>
</panel>
</row>
</dashboard>

0 Karma

bowesmana
SplunkTrust

Have a look at this, based on yours

<dashboard>
  <label>Processing_Step_Clone_2</label>
  <search id="base">
    <query>| makeresults count=10000
| streamstats c
| eval ProcessStatus=random() % 2
| eval ProcessingStep=mvindex(split("6,21,1,2",","), random() % 4)
|eval type = if(ProcessStatus=0,"Success","Failure")
|eval ProcessingStepName=case(ProcessingStep="6","ProcessingStepName1",
                              ProcessingStep="21","ProcessingStepName2",
                              ProcessingStep="1","ProcessingStepName3",
                              ProcessingStep="2","ProcessingStepName4")
| eval _time=now()-random() % 300
    </query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <row>
    <panel>
      <chart>
        <title>TITLE</title>
        <search base="base">
          <query>
|chart count over ProcessingStepName
          </query>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="trellis.size">medium</option>
        <drilldown>
          <!--          <set token="ps">$click.value$</set>-->
          <eval token="ps">case(match($click.value$,"1"),6,match($click.value$,"2"),21,match($click.value$,"3"),1,match($click.value$,"4"),2)</eval>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Success/Failure visualization for $ps$</title>
        <search base="base">
          <query>| search ProcessingStep=$ps$
| timechart fixedrange=f span=1s count by type</query>
        </search>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</dashboard>

It uses an <eval> statement in the drilldown to get the correct step into the token in the first place.

 

0 Karma

sanjum01
Explorer

@bowesmana thank you for your response.
I am trying to make the bar chart more precise based on index and sourcetype, as your code is showing all the processing steps in the bar chart, but I am looking for only the ones the user selected on the previous dashboard screen. On the previous screen, the user selects which Datatype and which sourcetype they want to dig into for processing steps.

0 Karma

bowesmana
SplunkTrust

@sanjum01 

I'm not sure I understood you.

This is an example of how to solve your original question about how to reverse the Processing Step in the second search - it shows you how to use the <eval> statement in the drilldown to do that - my search is not the same as yours as I don't have your data. You would use your search where you already do your filtering based on the user's choices.

 

 

0 Karma
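The drilldown <eval> approach from this thread applied to the searches in the original question, as an added example that is not part of any post above. It assumes the index, the sourcetype# placeholder and the form tokens shown in the question; it compares the clicked label exactly instead of by substring, falls back to the clicked value for steps that were never renamed, and passes $ps$ through the |s token filter so the value reaches the search as a quoted string.

```xml
<dashboard>
  <label>Processing_Step_Clone_2</label>
  <row>
    <panel>
      <chart>
        <title>$form.Source$ between $form.earliest_date$ $form.second_dash.earliest$ - $form.second_dash.latest$</title>
        <search>
          <!-- The name goes into its own field, so ProcessingStep keeps its numeric value -->
          <query>index=Idx1 sourcetype=sourcetype# Datatype=$form.Datatype$
| spath Source | search Source=$form.Source$
| eval ProcessingStepName=case(ProcessingStep="6","ProcessingStepName1",
                              ProcessingStep="21","ProcessingStepName2",
                              ProcessingStep="1","ProcessingStepName3",
                              ProcessingStep="2","ProcessingStepName4",
                              true(),ProcessingStep)
| chart count over ProcessingStepName</query>
          <earliest>$form.second_dash.earliest$</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <!-- Exact comparison: a future label such as ProcessingStepName12 cannot hit the "1" branch.
               The last pair (1==1) passes unrenamed steps through unchanged. -->
          <eval token="ps">case($click.value$=="ProcessingStepName1","6",$click.value$=="ProcessingStepName2","21",$click.value$=="ProcessingStepName3","1",$click.value$=="ProcessingStepName4","2",1==1,$click.value$)</eval>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <!-- depends keeps this panel hidden until a bar has been clicked and $ps$ is set -->
    <panel depends="$ps$">
      <chart>
        <title>Success/Failure visualization for $ps$</title>
        <search>
          <!-- $ps|s$ wraps the token value in quotes before it is placed in the search string -->
          <query>index=Idx1 sourcetype=sourcetype# Datatype=$form.Datatype$
| spath Source | search Source=$form.Source$
| eval type=if(ProcessStatus=0,"Success","Failure")
| search ProcessingStep=$ps|s$
| timechart count by type</query>
          <earliest>$form.second_dash.earliest$</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</dashboard>
```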