Hi,
I want to create a drilldown for each panel in the dashboard which will open in a new window with all filters applied.
I tried adding a custom drilldown:
<drilldown>
<link target="_blank">
<![CDATA[
/app/xxxxxxxxxx/search?q=search%20XXXXXX%20%3D%20xxxxxxxxx%20NAME%3D%22$row.NAME$%22%20%7C%20fields%20TYPE%2C%20LAST_SEEN%2C%20NAME%20&earliest=$earliest$&latest=$latest$&display.page.search.mode=verbose&dispatch.sample_ratio=1
]]>
</link>
</drilldown>
But the problem is that if an existing dashboard panel's query gets changed or modified, this drilldown will break. It won't work.
Also, my search query is very large.
Please suggest.
@avni26,
If the post-process search is fixed and uses simple terms, you could try
<eval token="srch">$job.search$."|stats count by hostname"</eval>
Or use the post-process token
<eval token="srch">$job.search$."|".replace($job.request.postprocess_searches$,"\\[|\\]|\"","")</eval>
@renjith.nair Thank you. It worked.
Can the same be applied to all other panels of the dashboard? After adding the below, it's showing the same for each panel.
$job.search$."|".replace($job.request.postprocess_searches$,"\[|\]|\"","")
Glad that worked. I will convert that to an answer. Please accept.
For each panel, you probably need to use different token names
@renjith.nair Thank you. I will accept the answer. I need one more suggestion: if I do not have any post-process, everything is in my base search query, which contains the stats/timechart count itself.
Now, I want to remove that last line (|timechart count by hostname) from there and pass it to the drilldown. How can I achieve that? Please suggest.
I tried it like below, but it did not work:
$job.search$."|".replace($job.search$,"\[|\]|\"","")
@avni26,
If you want only the event search and not any statistical search terms, try $job.eventSearch$
@renjith.nair
No, I don't want only the event search. There are lots of conversions and eval statements after that. I want only to remove the last line, i.e. everything after the last occurrence of the pipe "|", and retain everything before it.
You need to apply a regex for that.
Try
replace($job.search$,"[^|]*$","")
Try changing the regex to get exactly what you want.
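As an added illustration (not part of the thread and not Splunk's own code): the regex `[^|]*$` cuts at the last `|` character wherever it occurs, so it leaves a trailing pipe and misfires when the final command contains a pipe inside a quoted string. The JavaScript below splits only on pipes outside quotes and subsearch brackets, drops the last command, and percent-encodes the result for the drilldown link; the function names and sample queries are constructed for the example.

```javascript
// Added example; function names and sample queries are constructed.

// Split SPL on pipes that sit outside double quotes and outside
// [subsearch] brackets, so "a|b" literals and subsearch pipes survive.
function splitTopLevelPipes(spl) {
  const parts = [];
  let current = "";
  let inQuotes = false;
  let depth = 0;
  for (let i = 0; i < spl.length; i++) {
    const ch = spl[i];
    if (ch === "\\" && inQuotes && i + 1 < spl.length) {
      current += ch + spl[++i]; // keep an escaped character such as \"
      continue;
    }
    if (ch === '"') inQuotes = !inQuotes;
    else if (!inQuotes && ch === "[") depth++;
    else if (!inQuotes && ch === "]" && depth > 0) depth--;
    if (ch === "|" && !inQuotes && depth === 0) {
      parts.push(current);
      current = "";
    } else {
      current += ch;
    }
  }
  parts.push(current);
  return parts;
}

// Remove the final top-level command (e.g. "| timechart count by hostname").
function dropLastCommand(spl) {
  const parts = splitTopLevelPipes(spl);
  const first = parts[0].trim() === "" ? 1 : 0; // query starting with "|"
  if (parts.length - first < 2) return spl.trim(); // only one command
  return parts.slice(0, -1).join("|").trim();
}

// Percent-encode every value so pipes, quotes and "&" cannot split the URL.
function drilldownUrl(spl, earliest, latest) {
  return "search?q=" + encodeURIComponent(spl) +
    "&earliest=" + encodeURIComponent(earliest) +
    "&latest=" + encodeURIComponent(latest);
}

// Constructed sample: the last command contains a quoted pipe.
const sample = 'index=idx | stats count by host | eval label="up|down"';
console.log(sample.replace(/[^|]*$/, ""));   // regex cut lands inside the quotes
console.log(dropLastCommand(sample));
console.log(drilldownUrl(dropLastCommand(sample), "-24h@h", "now"));
```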
@avni26,
Try this solution if it suits you
@renjith.nair Thank you for your response. Yes, I tried the same as in the provided URL. But the search token is only passing my base search query. It is not passing the query of the panels. I tried it like below:
<search id="overview_base">
<query>index="idx" source=ABC | search sourcetype IN ($env$) $application$ hostname IN ($host$) | table _time ID Title Severity State hostname
</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<panel>
<title>Total count</title>
<single>
<search base="overview_base">
<query>| stats count by hostname</query>
<done>
<set token="srch">$job.search$</set>
</done>
</search>
<option name="drilldown">all</option>
<drilldown>
<link target="_blank">search?q=$srch$&amp;form.field1.earliest=$earliest$&amp;form.field1.latest=$latest$&amp;form.env=$env$&amp;form.application=$application$&amp;form.host=$host$&amp;display.page.search.mode=smart&amp;dispatch.sample_ratio=1%0A&amp;workload_pool=&amp;display.page.search.tab=statistics&amp;display.general.type=statistics</link>
</drilldown>
</single>
</panel>
Please suggest. How do I pass the panel's search query in the token as well?