Solved: onclick Drilldown not working

nivethainspire_ · ‎03-19-2020

When I click the chart my drilldown down is not working. But when I remove the "|eval AAA=case(like(o,"%Win%"),"Win",like(o,"%Lin%"),"Linux",like(o,"%Missing%"),"Others",like(o,"%So%"),"Sol",like(o,"%AIX%"),"AIX",1=1,"Others")" eval function. It works fine. Can anyone help me with the issue.
Below is my code snippet.

  <table>
    <title>status</title>
    <search>
      <query>index=* sourcetype=*|fillnull value=""|eval AAA=case(like(o,"%Win%"),"Win",like(o,"%Lin%"),"Linux",like(o,"%Missing%"),"Others",like(o,"%So%"),"Sol",like(o,"%AIX%"),"AIX",1=1,"Others")|search $aaa$ | rename status as "Status"|stats count by "Status"|eventstats sum(*) as sum_* |foreach * [eval "%"=round((count/sum_count)*100,2)]|rename count as Count|fields - sum_count</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <option name="count">10</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="refresh.display">progressbar</option>
    <option name="totalsRow">false</option>
    <option name="wrap">false</option>
    <format type="color" field="status">
    </format>
    <drilldown>
      <link target="_blank">search?q=index=*sourcetype=*|fillnull value=""|eval AAA=case(like(o,"%Win%"),"Win",like(o,"%Lin%"),"Linux",like(o,"%Missing%"),"Others",like(o,"%So%"),"Sol",like(o,"%AIX%"),"AIX",1=1,"Others")|search  $aaa$ |rename status as "Status" |search "Status"="$click.value$"|stats count by status,aaa&amp;earliest=-24h@h&amp;latest=now</link>
    </drilldown>
  </table>
</panel>

niketn · ‎03-19-2020

@nivethainspire_07 try the following for drilldown link to search. (PS: used match instead of link. By default it is case insensitive but it can be made case sensitive if required).

<link target="_blank">search?q=index=*%20sourcetype=*%20%0A%7C%20fillnull%20value=%22%22%20%0A%7C%20eval%20AAA=case(match(o,%22Win%22),%22Win%22,match(o,%22Lin%22),%22Linux%22,match(o,%22Missing%22),%22Others%22,match(o,%22So%22),%22Sol%22,match(o,%22AIX%22),%22AIX%22,1=1,%22Others%22)%20%0A%7C%20search%20$aaa$%20%0A%7C%20rename%20status%20as%20%22Status%22%20%0A%7C%20search%20%22Status%22=%22$click.value$%22%20%0A%7C%20stats%20count%20by%20status,aaa&amp;earliest=-24h@h&amp;latest=now</link>

PS: index=* sourcetype=* seems very expensive call unless it is just for example.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎03-19-2020

@nivethainspire_07 try the following for drilldown link to search. (PS: used match instead of link. By default it is case insensitive but it can be made case sensitive if required).

<link target="_blank">search?q=index=*%20sourcetype=*%20%0A%7C%20fillnull%20value=%22%22%20%0A%7C%20eval%20AAA=case(match(o,%22Win%22),%22Win%22,match(o,%22Lin%22),%22Linux%22,match(o,%22Missing%22),%22Others%22,match(o,%22So%22),%22Sol%22,match(o,%22AIX%22),%22AIX%22,1=1,%22Others%22)%20%0A%7C%20search%20$aaa$%20%0A%7C%20rename%20status%20as%20%22Status%22%20%0A%7C%20search%20%22Status%22=%22$click.value$%22%20%0A%7C%20stats%20count%20by%20status,aaa&amp;earliest=-24h@h&amp;latest=now</link>

PS: index=* sourcetype=* seems very expensive call unless it is just for example.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

nivethainspire_ · ‎03-20-2020

It worked. Thanks. But I added below query, again I faced the same issue.Can you convert the below snippet to case sencitive?.Thanks in advance
| eval Date=strftime(strptime(Date,"%Y-%m-%d %H:%M:%S.%Q"),"%Y-%m-%d")

niketn · ‎03-20-2020

Try the html encoding for % as the same character was failing for like() function as well.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

onclick Drilldown not working

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout