Solved: Re: Can you help me use the timechart command dril...

pench2k19 · ‎01-28-2019

Hi Guys,

I have built a dashboard panel with a timechart command and then used the search command. The search results are as follows:

command :

index=XXX  source=XXX |rex "info\s:\s\+{4}\s(?\w+)\s\+{4}\sJob run_ingest_(?\w+)-" |where Datafeed_name!=""|dedup Datafeed_name feed_status |eval Datafeed_name = substr(Datafeed_name, 1, len(Datafeed_name)-5)|rex field=Datafeed_name "^(?\w{2,5})_(?\w+)$$"  |timechart  count(data_feed_name) as datafeed_count by feed_status

search result:

_time   COMPLETED   FAILED  STARTED
2019-01-21  4          5           9
2019-01-22  0          4          0
2019-01-23  3          9           12
2019-01-24  0          0            0

And now, I need your help in putting a drilldown in the dashboard with the list of jobs, which are failed/completed/started, when they click on any particular value.

Could you please help me in this?

vnravikumar · ‎01-28-2019

Hi @pench2k19

Please try, here job contains failed/completed/started and value contains corresponding clicked value

        <drilldown>
          <link target="_blank">/app/search/checkbox?job=$click.name2$&amp;value=$click.value2$</link>
        </drilldown>

View solution in original post

jkat54 · ‎01-28-2019

Thanks for asking me for help but I must apologize because I’m currently occupied.

Looks like you’re getting plenty of help though. @woodcock has a great suggestion; I would start there.

Good luck!

woodcock · ‎01-28-2019

Have you looked at the Splunk Dashbaord Examples app? It has examples like this with explanations that you can copy:
https://splunkbase.splunk.com/app/1603/

vnravikumar · ‎01-28-2019

Hi @pench2k19

Please try, here job contains failed/completed/started and value contains corresponding clicked value

        <drilldown>
          <link target="_blank">/app/search/checkbox?job=$click.name2$&amp;value=$click.value2$</link>
        </drilldown>

pench2k19 · ‎01-28-2019

thanks for the response @vnravikumar ...so you mean i dont need to create the two tokens in edit drilldown option?.... the following is the XML i have got in the background

<panel>
  <title>Trend Analysis</title>
  <input type="radio" token="period_tok" searchWhenChanged="true">
    <label>Select a Time Range</label>
    <choice value="-24h@h">Last 24 Hours</choice>
    <choice value="-7d@h">Last  7 Days</choice>
    <choice value="-30d@h">Last 30 Days</choice>
    <choice value="-60d@h">Last 60 Days</choice>
    <default>-24h@h</default>
    <initialValue>-24h@h</initialValue>
  </input>
  <chart>
    <title>Data feed status Trend</title>
    <search>
      <query>index=bp_ede_om_mbda source="/apps/dat/aasmbdap/prod/admin/mbda/mbda_src/mbda_src_*/log/run_ingest_all_feeds_*_*.log" |rex "info\s:\s\+{4}\s(?&lt;feed_status&gt;\w+)\s\+{4}\sJob run_ingest_(?&lt;Datafeed_name&gt;\w+)-" |where Datafeed_name!=""|dedup Datafeed_name feed_status |eval Datafeed_name = substr(Datafeed_name, 1, len(Datafeed_name)-5)|rex field=Datafeed_name "^(?&lt;SOR&gt;\w{2,5})_(?&lt;data_feed_name&gt;\w+)$$"  |timechart  count(data_feed_name) as datafeed_count by feed_status</query>
      <earliest>-7d@h</earliest>
      <latest>now</latest>
    </search>
    <option name="charting.chart">column</option>
    <option name="charting.chart.showDataLabels">all</option>
    <option name="charting.chart.stackMode">stacked</option>
    <option name="charting.drilldown">all</option>
    <option name="refresh.display">progressbar</option>
    <drilldown>
      <set token="feedstatus">$row.feed_status$</set>
    </drilldown>
  </chart>
</panel>


<panel depends="$feeddata$">
  <title>Data Feed details</title>
  <table>
    <title>Feed Details</title>
    <search>
      <query>index=bp_ede_om_mbda source="/apps/dat/aasmbdap/prod/admin/mbda/mbda_src/mbda_src_*/log/run_ingest_all_feeds_*_*.log" |rex "info\s:\s\+{4}\s(?&lt;feed_status&gt;\w+)\s\+{4}\sJob run_ingest_(?&lt;Datafeed_name&gt;\w+)-" |where Datafeed_name!=""|dedup Datafeed_name feed_status |eval Datafeed_name = substr(Datafeed_name, 1, len(Datafeed_name)-5)|rex field=Datafeed_name "^(?&lt;SOR&gt;\w{2,5})_(?&lt;data_feed_name&gt;\w+)$$"  |where feed_status=$feedstatus$ |table data_feed_name feed_status</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>
    <option name="count">10</option>
    <option name="drilldown">cell</option>
    <option name="refresh.display">progressbar</option>
    <drilldown>
       <link target="_blank">/app/search/checkbox?feed_status=$click.name2$&amp;value=$click.value2$</link>
     </drilldown>
  </table>
</panel>

@jkat54 , can you please look at this if you can help

vnravikumar · ‎01-28-2019

Hi @pench2k19

Try it

<panel>
   <title>Trend Analysis</title>
   <input type="radio" token="period_tok" searchWhenChanged="true">
     <label>Select a Time Range</label>
     <choice value="-24h@h">Last 24 Hours</choice>
     <choice value="-7d@h">Last  7 Days</choice>
     <choice value="-30d@h">Last 30 Days</choice>
     <choice value="-60d@h">Last 60 Days</choice>
     <default>-24h@h</default>
     <initialValue>-24h@h</initialValue>
   </input>
   <chart>
     <title>Data feed status Trend</title>
     <search>
       <query>index=bp_ede_om_mbda source="/apps/dat/aasmbdap/prod/admin/mbda/mbda_src/mbda_src_*/log/run_ingest_all_feeds_*_*.log" |rex "info\s:\s\+{4}\s(?&lt;feed_status&gt;\w+)\s\+{4}\sJob run_ingest_(?&lt;Datafeed_name&gt;\w+)-" |where Datafeed_name!=""|dedup Datafeed_name feed_status |eval Datafeed_name = substr(Datafeed_name, 1, len(Datafeed_name)-5)|rex field=Datafeed_name "^(?&lt;SOR&gt;\w{2,5})_(?&lt;data_feed_name&gt;\w+)$$"  |timechart  count(data_feed_name) as datafeed_count by feed_status</query>
       <earliest>-7d@h</earliest>
       <latest>now</latest>
     </search>
     <option name="charting.chart">column</option>
     <option name="charting.chart.showDataLabels">all</option>
     <option name="charting.chart.stackMode">stacked</option>
     <option name="charting.drilldown">all</option>
     <option name="refresh.display">progressbar</option>
     <drilldown>
          <set token="feedstatus">$click.name2$</set>
        </drilldown>
   </chart>
 </panel>


 <panel depends="$feeddata$">
   <title>Data Feed details</title>
   <table>
     <title>Feed Details</title>
     <search>
       <query>index=bp_ede_om_mbda source="/apps/dat/aasmbdap/prod/admin/mbda/mbda_src/mbda_src_*/log/run_ingest_all_feeds_*_*.log" |rex "info\s:\s\+{4}\s(?&lt;feed_status&gt;\w+)\s\+{4}\sJob run_ingest_(?&lt;Datafeed_name&gt;\w+)-" |where Datafeed_name!=""|dedup Datafeed_name feed_status |eval Datafeed_name = substr(Datafeed_name, 1, len(Datafeed_name)-5)|rex field=Datafeed_name "^(?&lt;SOR&gt;\w{2,5})_(?&lt;data_feed_name&gt;\w+)$$"  |where feed_status=$feedstatus$ |table data_feed_name feed_status</query>
       <earliest>$field1.earliest$</earliest>
       <latest>$field1.latest$</latest>
     </search>
     <option name="count">10</option>
     <option name="drilldown">none</option>
     <option name="refresh.display">progressbar</option>
   </table>
 </panel>

pench2k19 · ‎01-28-2019

no luck 😞 @vnravikumar

pench2k19 · ‎01-28-2019

now the drilldown itself not working when it is not in edit mode...before i post the question here it was showing no results and it shwoing only in edit mode...and the $feeddata$ it was showing the same as token as $row.feed_status$....

vnravikumar · ‎01-28-2019

I guess you are trying to show table only onclick of chart in that case, instead of <panel depends="$feeddata$"> use <panel depends="$feedstatus$"

pench2k19 · ‎01-28-2019

yes i m trying to show a table with the list of jobs when the user clicks on timechart....

vnravikumar · ‎01-28-2019

And modify where to |where feed_status="$feedstatus$"

pench2k19 · ‎01-28-2019

yes this is working...but i m expecting the drilldown table visible only when a user click on some value...but it is displaying even when i m not clicked on anything with no results...i want to make it invisible when i didnt click on anything...

vnravikumar · ‎01-28-2019

Please open the dashboard in a new window/tab and check.

pench2k19 · ‎01-28-2019

ok..i just noticed that its showing the values for all the dates..ie. the same count for each status for everyday...do you need to add one more token?

vnravikumar · ‎01-28-2019

In Chart query you had hardcoded -7d@h <latest>now</latest>. And reset the token feedstatus accordingly to hide table when you do new search.

pench2k19 · ‎01-28-2019

what should i replace it with then....dont we neeed to create another token for time inorder to get the different results

vnravikumar · ‎01-28-2019

you need to pass timepicker's token earliest and latest there.

pench2k19 · ‎01-28-2019

i dont get you...can you please paste the code here what you are thinking

vnravikumar · ‎01-28-2019

<earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>

vnravikumar · ‎01-28-2019

I hope drilldown is working, please accept the solution.

vnravikumar · ‎01-28-2019

I hope you will do this.

Can you help me use the timechart command drilldown to a dependent dashboard?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor