Splunk Search

Can you help me use the timechart command drilldown to a dependent dashboard?

pench2k19
Explorer

Hi Guys,

I have built a dashboard panel with a timechart command and then used the search command. The search results are as follows:

command :

index=XXX source=XXX | rex "info\s:\s\+{4}\s(?<feed_status>\w+)\s\+{4}\sJob run_ingest_(?<Datafeed_name>\w+)-" | where Datafeed_name!="" | dedup Datafeed_name feed_status | eval Datafeed_name = substr(Datafeed_name, 1, len(Datafeed_name)-5) | rex field=Datafeed_name "^(?<SOR>\w{2,5})_(?<data_feed_name>\w+)$$" | timechart count(data_feed_name) as datafeed_count by feed_status

search result:

_time       COMPLETED  FAILED  STARTED
2019-01-21  4          5       9
2019-01-22  0          4       0
2019-01-23  3          9       12
2019-01-24  0          0       0

And now, I need your help in putting a drilldown in the dashboard with the list of jobs, which are failed/completed/started, when they click on any particular value.

Could you please help me in this?

0 Karma

vnravikumar
Champion

Hi @pench2k19

Please try this. Here, job contains failed/completed/started and value contains the corresponding clicked value.

        <drilldown>
          <link target="_blank">/app/search/checkbox?job=$click.name2$&amp;value=$click.value2$</link>
        </drilldown>

0 Karma

jkat54
SplunkTrust

Thanks for asking me for help but I must apologize because I’m currently occupied.

Looks like you’re getting plenty of help though. @woodcock has a great suggestion; I would start there.

Good luck!

0 Karma

woodcock
Esteemed Legend

Have you looked at the Splunk Dashboard Examples app? It has examples like this with explanations that you can copy:
https://splunkbase.splunk.com/app/1603/

0 Karma

pench2k19
Explorer

Thanks for the response @vnravikumar... So you mean I don't need to create the two tokens in the edit drilldown option? The following is the XML I have got in the background:

<panel>
  <title>Trend Analysis</title>
  <input type="radio" token="period_tok" searchWhenChanged="true">
    <label>Select a Time Range</label>
    <choice value="-24h@h">Last 24 Hours</choice>
    <choice value="-7d@h">Last  7 Days</choice>
    <choice value="-30d@h">Last 30 Days</choice>
    <choice value="-60d@h">Last 60 Days</choice>
    <default>-24h@h</default>
    <initialValue>-24h@h</initialValue>
  </input>
  <chart>
    <title>Data feed status Trend</title>
    <search>
      <query>index=bp_ede_om_mbda source="/apps/dat/aasmbdap/prod/admin/mbda/mbda_src/mbda_src_*/log/run_ingest_all_feeds_*_*.log" |rex "info\s:\s\+{4}\s(?&lt;feed_status&gt;\w+)\s\+{4}\sJob run_ingest_(?&lt;Datafeed_name&gt;\w+)-" |where Datafeed_name!=""|dedup Datafeed_name feed_status |eval Datafeed_name = substr(Datafeed_name, 1, len(Datafeed_name)-5)|rex field=Datafeed_name "^(?&lt;SOR&gt;\w{2,5})_(?&lt;data_feed_name&gt;\w+)$$"  |timechart  count(data_feed_name) as datafeed_count by feed_status</query>
      <earliest>-7d@h</earliest>
      <latest>now</latest>
    </search>
    <option name="charting.chart">column</option>
    <option name="charting.chart.showDataLabels">all</option>
    <option name="charting.chart.stackMode">stacked</option>
    <option name="charting.drilldown">all</option>
    <option name="refresh.display">progressbar</option>
    <drilldown>
      <set token="feedstatus">$row.feed_status$</set>
    </drilldown>
  </chart>
</panel>


<panel depends="$feeddata$">
  <title>Data Feed details</title>
  <table>
    <title>Feed Details</title>
    <search>
      <query>index=bp_ede_om_mbda source="/apps/dat/aasmbdap/prod/admin/mbda/mbda_src/mbda_src_*/log/run_ingest_all_feeds_*_*.log" |rex "info\s:\s\+{4}\s(?&lt;feed_status&gt;\w+)\s\+{4}\sJob run_ingest_(?&lt;Datafeed_name&gt;\w+)-" |where Datafeed_name!=""|dedup Datafeed_name feed_status |eval Datafeed_name = substr(Datafeed_name, 1, len(Datafeed_name)-5)|rex field=Datafeed_name "^(?&lt;SOR&gt;\w{2,5})_(?&lt;data_feed_name&gt;\w+)$$"  |where feed_status=$feedstatus$ |table data_feed_name feed_status</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>
    <option name="count">10</option>
    <option name="drilldown">cell</option>
    <option name="refresh.display">progressbar</option>
    <drilldown>
       <link target="_blank">/app/search/checkbox?feed_status=$click.name2$&amp;value=$click.value2$</link>
     </drilldown>
  </table>
</panel>

@jkat54, can you please look at this if you can help?

0 Karma

vnravikumar
Champion

Hi @pench2k19

Try it

<panel>
   <title>Trend Analysis</title>
   <input type="radio" token="period_tok" searchWhenChanged="true">
     <label>Select a Time Range</label>
     <choice value="-24h@h">Last 24 Hours</choice>
     <choice value="-7d@h">Last  7 Days</choice>
     <choice value="-30d@h">Last 30 Days</choice>
     <choice value="-60d@h">Last 60 Days</choice>
     <default>-24h@h</default>
     <initialValue>-24h@h</initialValue>
   </input>
   <chart>
     <title>Data feed status Trend</title>
     <search>
       <query>index=bp_ede_om_mbda source="/apps/dat/aasmbdap/prod/admin/mbda/mbda_src/mbda_src_*/log/run_ingest_all_feeds_*_*.log" |rex "info\s:\s\+{4}\s(?&lt;feed_status&gt;\w+)\s\+{4}\sJob run_ingest_(?&lt;Datafeed_name&gt;\w+)-" |where Datafeed_name!=""|dedup Datafeed_name feed_status |eval Datafeed_name = substr(Datafeed_name, 1, len(Datafeed_name)-5)|rex field=Datafeed_name "^(?&lt;SOR&gt;\w{2,5})_(?&lt;data_feed_name&gt;\w+)$$"  |timechart  count(data_feed_name) as datafeed_count by feed_status</query>
       <earliest>-7d@h</earliest>
       <latest>now</latest>
     </search>
     <option name="charting.chart">column</option>
     <option name="charting.chart.showDataLabels">all</option>
     <option name="charting.chart.stackMode">stacked</option>
     <option name="charting.drilldown">all</option>
     <option name="refresh.display">progressbar</option>
     <drilldown>
       <set token="feedstatus">$click.name2$</set>
     </drilldown>
   </chart>
 </panel>


 <panel depends="$feeddata$">
   <title>Data Feed details</title>
   <table>
     <title>Feed Details</title>
     <search>
       <query>index=bp_ede_om_mbda source="/apps/dat/aasmbdap/prod/admin/mbda/mbda_src/mbda_src_*/log/run_ingest_all_feeds_*_*.log" |rex "info\s:\s\+{4}\s(?&lt;feed_status&gt;\w+)\s\+{4}\sJob run_ingest_(?&lt;Datafeed_name&gt;\w+)-" |where Datafeed_name!=""|dedup Datafeed_name feed_status |eval Datafeed_name = substr(Datafeed_name, 1, len(Datafeed_name)-5)|rex field=Datafeed_name "^(?&lt;SOR&gt;\w{2,5})_(?&lt;data_feed_name&gt;\w+)$$"  |where feed_status=$feedstatus$ |table data_feed_name feed_status</query>
       <earliest>$field1.earliest$</earliest>
       <latest>$field1.latest$</latest>
     </search>
     <option name="count">10</option>
     <option name="drilldown">none</option>
     <option name="refresh.display">progressbar</option>
   </table>
 </panel>
0 Karma

pench2k19
Explorer

no luck 😞 @vnravikumar

0 Karma

pench2k19
Explorer

Now the drilldown itself is not working when it is not in edit mode... Before I posted the question here it was showing no results, and it is showing only in edit mode... and for $feeddata$ it was showing the same token as $row.feed_status$...

0 Karma

vnravikumar
Champion

I guess you are trying to show the table only on click of the chart. In that case, instead of <panel depends="$feeddata$"> use <panel depends="$feedstatus$">

0 Karma

pench2k19
Explorer

Yes, I'm trying to show a table with the list of jobs when the user clicks on the timechart...

0 Karma

vnravikumar
Champion

And modify where to |where feed_status="$feedstatus$"

0 Karma

pench2k19
Explorer

Yes, this is working... but I'm expecting the drilldown table to be visible only when a user clicks on some value... but it is displaying, with no results, even when I have not clicked on anything... I want to make it invisible when I haven't clicked on anything...

0 Karma

vnravikumar
Champion

Please open the dashboard in a new window/tab and check.

0 Karma

pench2k19
Explorer

OK... I just noticed that it's showing the values for all the dates, i.e. the same count for each status for every day... Do you need to add one more token?

0 Karma

vnravikumar
Champion

In the chart query you had hardcoded <earliest>-7d@h</earliest> <latest>now</latest>. And reset the token feedstatus accordingly to hide the table when you do a new search.

0 Karma

pench2k19
Explorer

What should I replace it with then... Don't we need to create another token for time in order to get the different results?

0 Karma

vnravikumar
Champion

You need to pass the timepicker's earliest and latest tokens there.

0 Karma

pench2k19
Explorer

I don't get you... Can you please paste the code you are thinking of here?

0 Karma

vnravikumar
Champion

        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>

0 Karma

vnravikumar
Champion

I hope drilldown is working, please accept the solution.

0 Karma

vnravikumar
Champion

I hope you will do this.

0 Karma
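
An added example, not part of any post in this thread: a consolidated Simple XML form applying the fixes discussed above (`$click.name2$` for the clicked series, `depends="$feedstatus$"`, a quoted status token, and the radio token `period_tok` in the chart search instead of a hardcoded range). It goes beyond the thread in two places: the predefined `$earliest$`/`$latest$` drilldown tokens limit the table to the clicked time bucket, and the `|s` token filter quotes the clicked value so it reaches SPL as a string literal. The token names `click_earliest` and `click_latest` are made up for this example, and `index=XXX source=XXX` are the placeholders from the original question.

```xml
<form>
  <fieldset submitButton="false">
    <input type="radio" token="period_tok" searchWhenChanged="true">
      <label>Select a Time Range</label>
      <choice value="-24h@h">Last 24 Hours</choice>
      <choice value="-7d@h">Last 7 Days</choice>
      <default>-24h@h</default>
      <change>
        <!-- New time range: clear the click tokens so the detail panel hides again -->
        <unset token="feedstatus"></unset>
        <unset token="click_earliest"></unset>
        <unset token="click_latest"></unset>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=XXX source=XXX | rex "info\s:\s\+{4}\s(?&lt;feed_status&gt;\w+)\s\+{4}\sJob run_ingest_(?&lt;Datafeed_name&gt;\w+)-" | where Datafeed_name!="" | dedup Datafeed_name feed_status | eval Datafeed_name = substr(Datafeed_name, 1, len(Datafeed_name)-5) | rex field=Datafeed_name "^(?&lt;SOR&gt;\w{2,5})_(?&lt;data_feed_name&gt;\w+)$$" | timechart count(data_feed_name) as datafeed_count by feed_status</query>
          <earliest>$period_tok$</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <!-- click.name2 = clicked series (feed_status); earliest/latest = clicked time bucket -->
          <set token="feedstatus">$click.name2$</set>
          <set token="click_earliest">$earliest$</set>
          <set token="click_latest">$latest$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <!-- Hidden until a chart click sets feedstatus; |s wraps the value in quotes for SPL -->
    <panel depends="$feedstatus$">
      <table>
        <search>
          <query>index=XXX source=XXX | rex "info\s:\s\+{4}\s(?&lt;feed_status&gt;\w+)\s\+{4}\sJob run_ingest_(?&lt;Datafeed_name&gt;\w+)-" | where Datafeed_name!="" | dedup Datafeed_name feed_status | eval Datafeed_name = substr(Datafeed_name, 1, len(Datafeed_name)-5) | rex field=Datafeed_name "^(?&lt;SOR&gt;\w{2,5})_(?&lt;data_feed_name&gt;\w+)$$" | where feed_status=$feedstatus|s$ | table data_feed_name feed_status</query>
          <earliest>$click_earliest$</earliest>
          <latest>$click_latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```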