How to create drilldowns which open in a new window so that the applied filters are not lost on the existing dashboard

avni26
Explorer

Hi,

I want to create a drilldown for each panel in the dashboard which will open in a new window with all filters applied.

I tried adding a custom drilldown:

  <drilldown>
    <link target="_blank">
      <![CDATA[
        /app/xxxxxxxxxx/search?q=search%20XXXXXX%20%3D%20xxxxxxxxx%20NAME%3D%22$row.NAME$%22%20%7C%20fields%20TYPE%2C%20LAST_SEEN%2C%20NAME%20&earliest=$earliest$&latest=$latest$&display.page.search.mode=verbose&dispatch.sample_ratio=1
      ]]>
    </link>
  </drilldown>

But the problem is that if the existing dashboard panel's query gets changed or modified, this drilldown will break. It won't work.
Also, my search query is very large.
Please suggest.

0 Karma

renjith_nair
SplunkTrust

@avni26,
If the post process search is fixed and of simple terms you could try

<eval token="srch">$job.search$."|stats count by hostname"</eval>

OR use the post process token

<eval token="srch">$job.search$."|".replace($job.request.postprocess_searches$,"\\[|\\]|\"","")</eval>
Happy Splunking!
0 Karma

avni26
Explorer

@renjith.nair Thank you. It worked.
Can the same be applied to all other panels of the dashboard? After adding the below, it is showing the same for each panel.
$job.search$."|".replace($job.request.postprocess_searches$,"\[|\]|\"","")

0 Karma

renjith_nair
SplunkTrust

Glad that worked. I will convert that to an answer. Please accept.
For each panel, you probably need to use different token names.

Happy Splunking!
0 Karma

avni26
Explorer

@renjith.nair Thank you. I will accept the answer. I need one more suggestion: what if I do not have any post-process and everything is in my base search query, which contains the stats/timechart count itself?
Now, I want to remove that last line (|timechart count by hostname) from there and pass it to the drilldown. How can I achieve that? Please suggest.
I tried like below, but it did not work:
$job.search$."|".replace($job.search$,"\[|\]|\"","")

0 Karma

renjith_nair
SplunkTrust

@avni26,
If you want only the event search and not any statistical search terms, try $job.eventSearch$

Happy Splunking!
0 Karma

avni26
Explorer

@renjith.nair
No, I don't want only the event search. There are lots of conversions and eval statements after that. I only want to remove the last line, i.e. everything after the last occurrence of the pipe "|", and retain everything before it.

0 Karma

renjith_nair
SplunkTrust

You need to apply a regex for that.

Try:

replace($job.search$,"[^|]*$","")

Try changing the regex to get exactly what you want.

Happy Splunking!
0 Karma
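An added example, not part of the thread and not Splunk's own code: it shows what the regex suggested above leaves behind, next to a quote- and subsearch-aware way to drop the last pipeline stage and URL-encode the result for a drilldown link. The helper names and sample searches are constructed for illustration, and only double-quoted strings and `[ ... ]` subsearches are handled.

```javascript
// What the posted regex does: delete everything after the last "|".
// The pipe itself stays, and a "|" inside quotes or a subsearch counts too.
function stripWithPostedRegex(spl) {
  return spl.replace(/[^|]*$/, "");
}

// Variant that only considers a "|" at the top level of the search:
// not inside "..." and not inside a [subsearch].
function stripLastStage(spl) {
  let inQuote = false;
  let depth = 0;
  let lastPipe = -1;
  for (let i = 0; i < spl.length; i++) {
    const ch = spl[i];
    if (inQuote) {
      if (ch === "\\") i++;                 // skip the escaped character
      else if (ch === '"') inQuote = false;
    } else if (ch === '"') inQuote = true;
    else if (ch === "[") depth++;
    else if (ch === "]") depth = Math.max(0, depth - 1);
    else if (ch === "|" && depth === 0) lastPipe = i;
  }
  // No top-level pipe means there is no trailing stage to remove.
  return lastPipe === -1 ? spl.trim() : spl.slice(0, lastPipe).trim();
}

// Build the link target. Encoding keeps "|", "=", quotes and "&" inside the
// search from being read as URL syntax by the search page.
function drilldownUrl(spl, earliest, latest) {
  return "search?q=" + encodeURIComponent(spl) +
    "&earliest=" + encodeURIComponent(earliest) +
    "&latest=" + encodeURIComponent(latest);
}

// Constructed sample searches.
const SAMPLES = [
  'index=idx | eval a=1 | timechart count by hostname',
  'index=idx | eval s="a|b"',
  'index=idx | search [ search index=b | fields host ]',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(stripWithPostedRegex(s)), "vs",
              JSON.stringify(stripLastStage(s)));
}
console.log(drilldownUrl(stripLastStage(SAMPLES[0]), "-24h", "now"));
```
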

renjith_nair
SplunkTrust
0 Karma

avni26
Explorer

@renjith.nair Thank you for your response. Yes, I tried the same as in the provided URL. But the search token is only passing my base search query. It is not passing the query of the panels. I tried like below:

<search id="overview_base">
  <query>
    index="idx" source=ABC | search sourcetype IN ($env$) $application$ hostname IN ($host$) | table _time ID Title Severity State hostname
  </query>
  <earliest>$field1.earliest$</earliest>
  <latest>$field1.latest$</latest>
</search>
<panel>
  <title>Total count</title>
  <single>
    <search base="overview_base">
      <query>| stats count by hostname</query>
      <done>
        <set token="srch">$job.search$</set>
      </done>
    </search>
    <option name="drilldown">all</option>
    <drilldown>
      <link target="_blank">search?q=$srch$&amp;form.field1.earliest=$earliest$&amp;form.field1.latest=$latest$&amp;form.env=$env$&amp;form.application=$application$&amp;form.host=$host$&amp;display.page.search.mode=smart&amp;dispatch.sample_ratio=1%0A&amp;workload_pool=&amp;display.page.search.tab=statistics&amp;display.general.type=statistics</link>
    </drilldown>
  </single>
</panel>

Please suggest. How do I pass the panel search query in the token as well?

0 Karma