- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- onclick Drilldown not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I click the chart my drilldown down is not working. But when I remove the "|eval AAA=case(like(o,"%Win%"),"Win",like(o,"%Lin%"),"Linux",like(o,"%Missing%"),"Others",like(o,"%So%"),"Sol",like(o,"%AIX%"),"AIX",1=1,"Others")" eval function. It works fine. Can anyone help me with the issue.
Below is my code snippet.
<table>
<title>status</title>
<search>
<query>index=* sourcetype=*|fillnull value=""|eval AAA=case(like(o,"%Win%"),"Win",like(o,"%Lin%"),"Linux",like(o,"%Missing%"),"Others",like(o,"%So%"),"Sol",like(o,"%AIX%"),"AIX",1=1,"Others")|search $aaa$ | rename status as "Status"|stats count by "Status"|eventstats sum(*) as sum_* |foreach * [eval "%"=round((count/sum_count)*100,2)]|rename count as Count|fields - sum_count</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">10</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="totalsRow">false</option>
<option name="wrap">false</option>
<format type="color" field="status">
</format>
<drilldown>
<link target="_blank">search?q=index=*sourcetype=*|fillnull value=""|eval AAA=case(like(o,"%Win%"),"Win",like(o,"%Lin%"),"Linux",like(o,"%Missing%"),"Others",like(o,"%So%"),"Sol",like(o,"%AIX%"),"AIX",1=1,"Others")|search $aaa$ |rename status as "Status" |search "Status"="$click.value$"|stats count by status,aaa&earliest=-24h@h&latest=now</link>
</drilldown>
</table>
</panel>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@nivethainspire_07 try the following for drilldown link to search. (PS: used match instead of link. By default it is case insensitive but it can be made case sensitive if required).
<link target="_blank">search?q=index=*%20sourcetype=*%20%0A%7C%20fillnull%20value=%22%22%20%0A%7C%20eval%20AAA=case(match(o,%22Win%22),%22Win%22,match(o,%22Lin%22),%22Linux%22,match(o,%22Missing%22),%22Others%22,match(o,%22So%22),%22Sol%22,match(o,%22AIX%22),%22AIX%22,1=1,%22Others%22)%20%0A%7C%20search%20$aaa$%20%0A%7C%20rename%20status%20as%20%22Status%22%20%0A%7C%20search%20%22Status%22=%22$click.value$%22%20%0A%7C%20stats%20count%20by%20status,aaa&earliest=-24h@h&latest=now</link>
PS: index=* sourcetype=* seems very expensive call unless it is just for example.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@nivethainspire_07 try the following for drilldown link to search. (PS: used match instead of link. By default it is case insensitive but it can be made case sensitive if required).
<link target="_blank">search?q=index=*%20sourcetype=*%20%0A%7C%20fillnull%20value=%22%22%20%0A%7C%20eval%20AAA=case(match(o,%22Win%22),%22Win%22,match(o,%22Lin%22),%22Linux%22,match(o,%22Missing%22),%22Others%22,match(o,%22So%22),%22Sol%22,match(o,%22AIX%22),%22AIX%22,1=1,%22Others%22)%20%0A%7C%20search%20$aaa$%20%0A%7C%20rename%20status%20as%20%22Status%22%20%0A%7C%20search%20%22Status%22=%22$click.value$%22%20%0A%7C%20stats%20count%20by%20status,aaa&earliest=-24h@h&latest=now</link>
PS: index=* sourcetype=* seems very expensive call unless it is just for example.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It worked. Thanks. But I added below query, again I faced the same issue.Can you convert the below snippet to case sencitive?.Thanks in advance
| eval Date=strftime(strptime(Date,"%Y-%m-%d %H:%M:%S.%Q"),"%Y-%m-%d")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try the html encoding for % as the same character was failing for like() function as well.
| makeresults | eval message= "Happy Splunking!!!"
Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)
Tech Talk | One Log to Rule Them All
Splunk Security Content for Threat Detection & Response, Q1 Roundup
