Basic Drill Down

jepoyyyy
Explorer

Good day Splunkers.

Splunk newbie here; I have been testing it for a few days already. I can now create searches and dashboards based on saved searches. However, I am having trouble making 'drill down' work. For example, I have a pie chart on panel 1 of my dashboard that is drill-down enabled. When I click on a piece, it still opens a new window instead of passing it to the panel below. I already followed the instructions in http://www.splunk.com/base/Documentation/latest/User/UnderstandTableandChartDrilldownActions#Advance... but I might be missing something.

Any example / link regarding this would be highly appreciated.

Thank you in advance

regards,
jeff

0 Karma
1 Solution

NOUMSSI
Builder

Hi,
Here is an example of drilldown visualization from a table to a column chart:

<form>
    <label>In-Page Drilldown with Perma-linking</label>
    <fieldset submitButton="false">
        <!--
            Create an input to store the drilldown value. It will be hidden using custom javascript when
            the dashboard is loaded.
         -->
        <input type="text" token="sourcetype" searchWhenChanged="true" />
    </fieldset>
    <row>
        <table id="master">

            <searchString>index=_internal | stats count by sourcetype</searchString>
            <earliestTime>-60m@m</earliestTime>
            <latestTime>now</latestTime>
            <!-- Set the type of drilldown; since we will always consume the same field, use row -->
            <option name="drilldown">row</option>
            <drilldown>
                <!-- Use set to specify the new token to be created.
                     Use any token from the page or from the click event to produce the value needed. -->
                <set token="sourcetype">$row.sourcetype$</set>
                <!-- If we also set the form.sourcetype the input will get updated too -->
                <set token="form.sourcetype">$row.sourcetype$</set>
            </drilldown>
        </table>
    </row>
    <row>
        <!-- depends is the way we tell the content to only show when the token has a value.
             Hint: use comma separated values if the element requires more than one token. -->
        <chart id="detail" depends="$sourcetype$">

            <searchTemplate>index=_internal sourcetype=$sourcetype$ | timechart count</searchTemplate>
            <earliestTime>-60m@m</earliestTime>
            <latestTime>now</latestTime>
        </chart>
    </row>
</form>

If you want pie visualisation, just replace this mark

<table>
  ...
</table>

by this

    <chart>
      ...
    </chart>

and inside of that mark put this code:

<option name="charting.chart">pie</option>

You can add other options in that mark


krishnacasso
Path Finder

There are various ways to specify a destination with the tag. Here is the syntax for specifying a destination in a variety of scenarios:

  1. Use a relative path to connect to a dashboard.
  2. Use a relative path to connect to a form, passing in a token to populate the form.
  3. Pass in the earliest and latest time range from the original search. (Requires use of CDATA, as indicated in the following sections.)
  4. Use a URL and query argument to pass a value to the destination page

1) path/viewname
2) path/viewname?form.token=$dest_value$
3) path/viewname?form.token=$dest_value$&earliest=$earliest$&latest=$latest$
4) URL?q=$dest_value$

0 Karma
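
Destination form 3 from the list above, written out as a complete drilldown. This is an added example, not part of the original thread: the source panel passes the clicked sourcetype and the search time range to a second view. The view name `sourcetype_detail` and the `/app/search/` path are assumptions; the `|u` token filter URL-encodes the value placed in the link, and `|s` quotes it where the destination search consumes it.

```xml
<!-- File 1 (added example): source dashboard with a link drilldown -->
<dashboard>
    <label>Drilldown to a second view</label>
    <row>
        <table id="master">
            <searchString>index=_internal | stats count by sourcetype</searchString>
            <earliestTime>-60m@m</earliestTime>
            <latestTime>now</latestTime>
            <option name="drilldown">row</option>
            <drilldown>
                <!-- CDATA is required because the query string contains raw & characters.
                     $row.sourcetype|u$ URL-encodes the clicked value before it enters the URL.
                     sourcetype_detail is a hypothetical view name. -->
                <link><![CDATA[/app/search/sourcetype_detail?form.sourcetype=$row.sourcetype|u$&earliest=$earliest$&latest=$latest$]]></link>
            </drilldown>
        </table>
    </row>
</dashboard>

<!-- File 2 (added example): destination form "sourcetype_detail" -->
<form>
    <label>Sourcetype detail</label>
    <fieldset submitButton="false">
        <!-- Populated from form.sourcetype in the URL; a user can also type into it. -->
        <input type="text" token="sourcetype" searchWhenChanged="true" />
    </fieldset>
    <row>
        <chart id="detail" depends="$sourcetype$">
            <!-- $sourcetype|s$ wraps the token value in quotes, so whatever arrives
                 from the URL or the text input is used as one literal field value.
                 No fixed earliestTime/latestTime: the range is meant to come from the link. -->
            <searchTemplate>index=_internal sourcetype=$sourcetype|s$ | timechart count</searchTemplate>
        </chart>
    </row>
</form>
```

The same `|s` filter can be applied to `$sourcetype$` in an in-page drilldown, since that token is also fed by a free-text input.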
