Solved: manage token when legend clicked, link to search w...

dorHerbesman · ‎01-14-2025

I'm trying to do a condition based action on my chart.

I want to create a situation where when a legend is clicked the form.tail will change to take click.name2 (which is a number like 120 144 931 etc..)

and when inside the chart a column is clicked a costume search will be opened (in a new window if possible if not same window will be just fine). based of checking if click.name is a number (and it's should be as it should be the name of the source /mnt/support_engineering... )

this is my current chart:

<chart>
<title>amount of warning per file per Tail</title>
<search base="basesearch">
<query>|search
| search "WARNNING: "
| rex field=_raw "WARNNING: (?&lt;warnning&gt;(?s:.*?))(?=\n\d{5}|$)"
| search warnning IN $warning_type$
| search $project$
| search $platform$
| chart count over source by Tail</query>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<eval token="form.Tail">if($click.name2$=$form.Tail$, "*", $click.name2$)</eval>
</drilldown>
</chart>

The main problem is that whenever i even try condition inside the drilldown a new search is opened instead managing tokens no matter what the condition or what im doing inside.

This is what I've tried so far:

        <drilldown>
  <!-- Handle clicks on Tail (Legend) -->
  <condition match="tonumber($click.name$) != $click.name$">
    <eval token="form.Tail">
      if($click.name2$ == $form.Tail$, "*", $click.name2$)
    </eval>
  </condition>

  <!-- Handle clicks on Source (Chart) -->
  <condition match="tonumber($click.name$) == $click.name$">
    <link>
      <param name="target">_blank</param>
      <param name="search">
        index=myindex
        | search "WARNNING: "
      </param>
    </link>
  </condition>
</drilldown>

click.name should be the name of the source as those are the columns of my chart

thanks in advanced to helpers

dorHerbesman · ‎01-14-2025

my condition was wrong, here is what i went with in the end:

        <drilldown>
        <!-- Handle clicks on Tail (Legend) -->
          <condition match="$click.name2$>0 AND NOT $click.value2$>0">
            <eval token="form.Tail">if($click.name2$ == $form.Tail$, "*", $click.name2$)</eval>
          </condition>
        <!-- Handle clicks on Source (Chart) -->
         <condition match="$click.value2$>0">
            <link>
              <param name="target">_blank</param>
              <param name="search">index=myindex
                | search "WARNNING: "</param>
            </link>
          </condition>
        </drilldown>

View solution in original post

dorHerbesman · ‎01-14-2025

my condition was wrong, here is what i went with in the end:

        <drilldown>
        <!-- Handle clicks on Tail (Legend) -->
          <condition match="$click.name2$>0 AND NOT $click.value2$>0">
            <eval token="form.Tail">if($click.name2$ == $form.Tail$, "*", $click.name2$)</eval>
          </condition>
        <!-- Handle clicks on Source (Chart) -->
         <condition match="$click.value2$>0">
            <link>
              <param name="target">_blank</param>
              <param name="search">index=myindex
                | search "WARNNING: "</param>
            </link>
          </condition>
        </drilldown>

manage token when legend clicked, link to search when chart column clicked

chart

drilldown

panel

token

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?