Re: creating drilldown panel based on the selected...

ManishVilla7 · ‎12-04-2019

I want to create a drilldown panel that will run different searches based on the value selected i.e. $click.value$.

search for panel 1 is something like-
my query| top sourcetype
user will click on a sourcetype and then a new panel will come up and i want to give a table with relevant fields based on the selected sourcetype. For example, if the selected sourcetype is firewall, we need to give src dest session_id etc and if the sourcetype is mailbox we need to give sender_email_id receiver_email_id etc.

So, i want to execute table command in my panel 2 based on the sourcetype under consideration.

@somesoni2 @woodcock @gcusello @mayurr98 @rmmiller please help!!

vnravikumar · ‎12-04-2019

Hi

Try this

<dashboard>
  <label>drilldown</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal |top sourcetype</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <drilldown>
          <set token="sourcetype">$row.sourcetype$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$sourcetype$">
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype="$sourcetype$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

ManishVilla7 · ‎12-04-2019

we have to execute different table commands based on the value of the sourcetype, this is just passing sourcetype. I want that if the value of $sourcetype$ is ! then table A runs in panel 2, if sourcetype is B then table B runs.

vnravikumar · ‎12-05-2019

Hi

Check this

<dashboard>
  <label>drilldown</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal |top sourcetype</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <drilldown>
          <condition match="'row.sourcetype' == &quot;mongod&quot;">
            <set token="sourcetype">$row.sourcetype$</set>
            <set token="table">|table date_hour,date_mday,date_second</set>
          </condition>
           <condition match="'row.sourcetype' == &quot;splunkd&quot;">
            <set token="sourcetype">$row.sourcetype$</set>
            <set token="table">|table group,name</set>
          </condition>
          <condition></condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$sourcetype$">
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype="$sourcetype$" $table$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

creating drilldown panel based on the selected value in $click.value$

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation