Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to create drilldowns which open in new window so that the applied filters are not lost on existing dashboard

avni26
Explorer
‎07-17-2019 02:59 AM

Hi,

Want to create Drilldown for each panels in dashboard which will open in new window with all filter applied.

I try by adding custom drilldown

  <link target="_blank">
         <![CDATA[
               /app/xxxxxxxxxx/search?q=search%20XXXXXX%20%3D%20xxxxxxxxx%20NAME%3D%22$row.NAME$%22%20%7C%20fields%20TYPE%2C%20LAST_SEEN%2C%20NAME%20&earliest=$earliest$&latest=$latest$&display.page.search.mode=verbose&dispatch.sample_ratio=1
              ]]>
           </link>
         </drilldown>

But, Problem is If exiting dashboard Panels query get changed or modified, this drilldown will break. It won't work.
And also my search query is very huge.
Please suggest.

Tags (1)
0 Karma
Reply

renjith_nair
Legend
‎07-23-2019 08:29 AM

@avni26,
If the post process search is fixed and of simple terms you could try

<eval token="srch">$job.search$."|stats count by hostname"</eval>

OR use the post process token

<eval token="srch">$job.search$."|".replace($job.request.postprocess_searches$,"\\[|\\]|\"","")</eval>
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

avni26
Explorer
‎07-23-2019 10:36 AM

@renjith.nair Thank you. It worked.
Does the same can be applied to all other panels of the dashboard. As after adding the below , for each panel its showing same.
$job.search$."|".replace($job.request.postprocess_searches$,"\[|\]|\"","")

0 Karma
Reply

renjith_nair
Legend
‎07-24-2019 05:44 AM

Glad that worked. I will convert that to answer . please accept
For each panel, you probably need to use different token names

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

avni26
Explorer
‎07-30-2019 12:08 AM

@renjith.nair Thank you. I will accept the answer. Need one more suggestion , if I do not have any post process , everything is in my search base query which contains stats/timechart count itself.
Now, I want to remove that last line(|timechart count by hostname) from there and pass it to drilldown. How to achieve that? Please suggest.
I tried like below , but it not worked
$job.search$."|".replace($job.search$,"\[|\]|\"","")

0 Karma
Reply

renjith_nair
Legend
‎07-30-2019 01:08 AM

@avni26,
If you want only the event search and not any statistical search terms, try $job.eventSearch$

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

avni26
Explorer
‎07-30-2019 03:37 AM

@renjith.nair
No, don't want only event search . There are lots of conversion , eval statement are there after that . I want only to remove last line i.e. after last occurrence of pipe"|" and retain all things before it.

0 Karma
Reply

renjith_nair
Legend
‎07-30-2019 08:50 PM

you need to apply regex for that

try

replace($job.search$,"[^|]*$","")

try changing the regex to get exactly what you want.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

renjith_nair
Legend
‎07-17-2019 04:26 AM

@avni26,

Try this solution if it suits you

https://answers.splunk.com/answers/757892/creating-drilldown-to-new-tab-for-auto-search-with.html#an...

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

avni26
Explorer
‎07-23-2019 04:21 AM

@renjith.nair Thank you for your response. Yes, I tried with same like provided url. But , search token only passing my base search query. It not passing query of panels. I tried like below,

  index="idx" source=ABC | search sourcetype IN ($env$) $application$ hostname IN ($host$) | table _time ID Title Severity State hostname 
  </query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<panel>
  <title>Total count</title>
  <single>
    <search base="overview_base">
      <query>| stats count by hostname</query>
      <done>
     <set token="srch">$job.search$</set>
        </done>
    </search>
    <option name="drilldown">all</option>
    <drilldown>
       <link target="_blank">search?q=$srch$&amp;form.field1.earliest=$earliest$&amp;form.field1.latest=$latest$&amp;form.env=$env$&amp;form.application=$application$&amp;form.host=$host$&amp;display.page.search.mode=smart&amp;dispatch.sample_ratio=1%0A&amp;workload_pool=&amp;display.page.search.tab=statistics&amp;display.general.type=statistics</link>
     </drilldown>
  </single>
</panel>

Please suggest. How to pass panel search query also in token?

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...