Splunk Enterprise

Splunk Drill Down Option Issue

kaushal21rajput
New Member

Hi,

I am trying to create a dashboard for Error OR fail* from application logs. There are three hosts reporting data to the Splunk instance.
Now I have run the search query Error OR fail* and, from the output, created three dashboards in a single one:
1. Pie chart shows count for all hosts
2. Total Number of events that have Error or fail*
3. Events for all hosts that have Error or fail*

I have 1 dropbox as well, which has all three hosts. I have defined a token value "drop_box" and pass that value in the search of each dashboard. Now when I select any host, data in all three dashboards is shown for that host only.


Now my requirement is: when I click the pie chart for a particular host, I should get the data for that host only, but I am not getting this and it shows the error "could not create search". Below is the code.

0 Karma

renjith_nair
SplunkTrust

@kaushal21rajput,

Made the following changes to the dashboard.

  • Removed the host filter - you could uncomment the block if you still need it
  • Set the token on the click of pie and added the token to other rows

Try this and let us know what's missing.

<dashboard>
  <label>Error OR Fail</label>
  <!--
  <fieldset submitButton="false">
    <input type="dropdown" token="drop_down" searchWhenChanged="true">
     <label>Select host</label>
     <choice value="*">alll</choice>
     <choice value="blankrhel6">host1</choice>
     <choice value="searchhead">host2</choice>
     <choice value="tip">host3</choice>
     <fieldForLabel>here is output</fieldForLabel>
     <fieldForValue>check</fieldForValue>
     <default>*</default>
   </input>
  </fieldset>
  -->
  <row>
    <panel>
      <chart>
        <search>
          <query>Error OR Fail host=*| stats count by host</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <!-- SET THE TOKEN host_from_pie TO CLICKED VALUE OF PIE-->
        <drilldown>
          <set token="host_from_pie">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <!-- Hide this once the user clicks on the pie chart -->
  <row rejects="$host_from_pie$">
    <html>
      <h5 align="center">Click on the pie to get details of host</h5>
    </html>
  </row>
  <row>
    <panel depends="$host_from_pie$"> <!-- ADDED A DEPENDENCY ON THE TOKEN SO THAT THE PANELS WILL BE DISPLAYED ONLY WHEN THE TOKEN IS SET -->
      <single>
        <title>Total Event</title>
        <search>
          <query>Error OR Fail host=$host_from_pie$ | stats count</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
        <option name="height">92</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
  <row>
    <panel depends="$host_from_pie$"> <!-- ADDED A DEPENDENCY ON THE TOKEN SO THAT THE PANELS WILL BE DISPLAYED ONLY WHEN THE TOKEN IS SET -->
      <event>
        <search>
          <query>Error OR fail* host=$host_from_pie$</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="raw.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">none</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</dashboard>
Happy Splunking!
0 Karma
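A variant that keeps the host dropdown and drills down by link instead of by an in-page token. This is an added example, not code posted by anyone in this thread. It assumes the dashboard ID is `error_or_fail` in the `search` app (as in the link in the question) and reuses the `drop_down` token and host choices from the page. The `|s` and `|u` token filters quote the value inside the search and URL-encode it inside the link, so a host name containing spaces or quote characters cannot change the shape of the query or the URL.

```xml
<form>
  <label>Error OR Fail</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="drop_down" searchWhenChanged="true">
      <label>Select host</label>
      <choice value="*">all</choice>
      <choice value="blankrhel6">host1</choice>
      <choice value="searchhead">host2</choice>
      <choice value="tip">host3</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <!-- |s wraps the token value in double quotes and escapes embedded quotes -->
          <query>Error OR fail* host=$drop_down|s$ | stats count by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <!-- The URL parameter is the literal name form.drop_down (no $...$ around it);
               |u URL-encodes the clicked slice value -->
          <link target="_blank">/app/search/error_or_fail?form.drop_down=$click.value|u$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <event>
        <search>
          <!-- Same quoting filter wherever the token is placed into a search string -->
          <query>Error OR fail* host=$drop_down|s$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>
```

The same `|s` filter applies to the in-page approach above: `host=$host_from_pie|s$` in the dependent panels.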

renjith_nair
SplunkTrust

@kaushal21rajput, does it work for you?

Happy Splunking!
0 Karma

kaushal21rajput
New Member

Below is the XML code:

Error or fail

<input type="dropdown" token="drop_down" searchWhenChanged="true">
  <label>Select host</label>
  <choice value="*">alll</choice>
  <choice value="blankrhel6">host1</choice>
  <choice value="searchhead">host2</choice>
  <choice value="tip">host3</choice>
  <fieldForLabel>here is output</fieldForLabel>
  <fieldForValue>check</fieldForValue>
  <search>
    <query>Error OR fail* | stats count by $drop_dowm$</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <default>*</default>
</input>


<panel>
  <chart>
    <search>
      <query>Error OR Fail host = $drop_down$| stats count by host</query>
      <earliest>0</earliest>
      <latest></latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.abbreviation">none</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.abbreviation">none</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.abbreviation">none</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">pie</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">none</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.mode">standard</option>
    <option name="charting.legend.placement">right</option>
    <option name="charting.lineWidth">2</option>
    <option name="refresh.display">progressbar</option>
    <option name="trellis.enabled">0</option>
    <option name="trellis.scales.shared">1</option>
    <option name="trellis.size">medium</option>
    <drilldown>
      <link target="_blank">/app/search/error_or_fail?form.$drop_down$=$click.value$</link>
    </drilldown>
  </chart>
</panel>


<panel>
  <single>
    <title>Total Event</title>
    <search>
      <query>Error OR Fail host =$drop_down$ | stats count</query>
      <earliest>0</earliest>
      <latest></latest>
    </search>
    <option name="drilldown">none</option>
    <option name="height">92</option>
    <option name="refresh.display">progressbar</option>
  </single>
</panel>


<panel>
  <event>
    <search>
      <query>Error OR fail* host="$drop_down$"</query>
      <earliest>0</earliest>
      <latest></latest>
    </search>
    <option name="list.drilldown">none</option>
    <option name="list.wrap">1</option>
    <option name="raw.drilldown">none</option>
    <option name="refresh.display">progressbar</option>
    <option name="rowNumbers">0</option>
    <option name="table.drilldown">none</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
  </event>
</panel>
0 Karma