Hi Guys,
I have built a dashboard panel with a timechart command and then used the search command. The search results are as follows:
Command:
index=XXX source=XXX |rex "info\s:\s\+{4}\s(?<feed_status>\w+)\s\+{4}\sJob run_ingest_(?<Datafeed_name>\w+)-" |where Datafeed_name!=""|dedup Datafeed_name feed_status |eval Datafeed_name = substr(Datafeed_name, 1, len(Datafeed_name)-5)|rex field=Datafeed_name "^(?<SOR>\w{2,5})_(?<data_feed_name>\w+)$$" |timechart count(data_feed_name) as datafeed_count by feed_status
Search result:
_time       COMPLETED  FAILED  STARTED
2019-01-21  4          5       9
2019-01-22  0          4       0
2019-01-23  3          9       12
2019-01-24  0          0       0
And now, I need your help in putting a drilldown in the dashboard with the list of jobs, which are failed/completed/started, when they click on any particular value.
Could you please help me in this?
Hi @pench2k19
Please try, here job contains failed/completed/started and value contains corresponding clicked value
<drilldown>
  <link target="_blank">/app/search/checkbox?job=$click.name2$&amp;value=$click.value2$</link>
</drilldown>
Thanks for asking me for help but I must apologize because I’m currently occupied.
Looks like you’re getting plenty of help though. @woodcock has a great suggestion; I would start there.
Good luck!
Have you looked at the Splunk Dashboard Examples app? It has examples like this with explanations that you can copy:
https://splunkbase.splunk.com/app/1603/
thanks for the response @vnravikumar ...so you mean i dont need to create the two tokens in edit drilldown option?.... the following is the XML i have got in the background
<panel>
  <title>Trend Analysis</title>
  <input type="radio" token="period_tok" searchWhenChanged="true">
    <label>Select a Time Range</label>
    <choice value="-24h@h">Last 24 Hours</choice>
    <choice value="-7d@h">Last 7 Days</choice>
    <choice value="-30d@h">Last 30 Days</choice>
    <choice value="-60d@h">Last 60 Days</choice>
    <default>-24h@h</default>
    <initialValue>-24h@h</initialValue>
  </input>
  <chart>
    <title>Data feed status Trend</title>
    <search>
      <query><![CDATA[index=bp_ede_om_mbda source="/apps/dat/aasmbdap/prod/admin/mbda/mbda_src/mbda_src_*/log/run_ingest_all_feeds_*_*.log" |rex "info\s:\s\+{4}\s(?<feed_status>\w+)\s\+{4}\sJob run_ingest_(?<Datafeed_name>\w+)-" |where Datafeed_name!=""|dedup Datafeed_name feed_status |eval Datafeed_name = substr(Datafeed_name, 1, len(Datafeed_name)-5)|rex field=Datafeed_name "^(?<SOR>\w{2,5})_(?<data_feed_name>\w+)$$" |timechart count(data_feed_name) as datafeed_count by feed_status]]></query>
      <earliest>-7d@h</earliest>
      <latest>now</latest>
    </search>
    <option name="charting.chart">column</option>
    <option name="charting.chart.showDataLabels">all</option>
    <option name="charting.chart.stackMode">stacked</option>
    <option name="charting.drilldown">all</option>
    <option name="refresh.display">progressbar</option>
    <drilldown>
      <set token="feedstatus">$row.feed_status$</set>
    </drilldown>
  </chart>
</panel>
<panel depends="$feeddata$">
  <title>Data Feed details</title>
  <table>
    <title>Feed Details</title>
    <search>
      <query><![CDATA[index=bp_ede_om_mbda source="/apps/dat/aasmbdap/prod/admin/mbda/mbda_src/mbda_src_*/log/run_ingest_all_feeds_*_*.log" |rex "info\s:\s\+{4}\s(?<feed_status>\w+)\s\+{4}\sJob run_ingest_(?<Datafeed_name>\w+)-" |where Datafeed_name!=""|dedup Datafeed_name feed_status |eval Datafeed_name = substr(Datafeed_name, 1, len(Datafeed_name)-5)|rex field=Datafeed_name "^(?<SOR>\w{2,5})_(?<data_feed_name>\w+)$$" |where feed_status=$feedstatus$ |table data_feed_name feed_status]]></query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>
    <option name="count">10</option>
    <option name="drilldown">cell</option>
    <option name="refresh.display">progressbar</option>
    <drilldown>
      <link target="_blank">/app/search/checkbox?feed_status=$click.name2$&amp;value=$click.value2$</link>
    </drilldown>
  </table>
</panel>
@jkat54 , can you please look at this if you can help
Hi @pench2k19
Try it
<panel>
  <title>Trend Analysis</title>
  <input type="radio" token="period_tok" searchWhenChanged="true">
    <label>Select a Time Range</label>
    <choice value="-24h@h">Last 24 Hours</choice>
    <choice value="-7d@h">Last 7 Days</choice>
    <choice value="-30d@h">Last 30 Days</choice>
    <choice value="-60d@h">Last 60 Days</choice>
    <default>-24h@h</default>
    <initialValue>-24h@h</initialValue>
  </input>
  <chart>
    <title>Data feed status Trend</title>
    <search>
      <query><![CDATA[index=bp_ede_om_mbda source="/apps/dat/aasmbdap/prod/admin/mbda/mbda_src/mbda_src_*/log/run_ingest_all_feeds_*_*.log" |rex "info\s:\s\+{4}\s(?<feed_status>\w+)\s\+{4}\sJob run_ingest_(?<Datafeed_name>\w+)-" |where Datafeed_name!=""|dedup Datafeed_name feed_status |eval Datafeed_name = substr(Datafeed_name, 1, len(Datafeed_name)-5)|rex field=Datafeed_name "^(?<SOR>\w{2,5})_(?<data_feed_name>\w+)$$" |timechart count(data_feed_name) as datafeed_count by feed_status]]></query>
      <earliest>-7d@h</earliest>
      <latest>now</latest>
    </search>
    <option name="charting.chart">column</option>
    <option name="charting.chart.showDataLabels">all</option>
    <option name="charting.chart.stackMode">stacked</option>
    <option name="charting.drilldown">all</option>
    <option name="refresh.display">progressbar</option>
    <drilldown>
      <set token="feedstatus">$click.name2$</set>
    </drilldown>
  </chart>
</panel>
<panel depends="$feeddata$">
  <title>Data Feed details</title>
  <table>
    <title>Feed Details</title>
    <search>
      <query><![CDATA[index=bp_ede_om_mbda source="/apps/dat/aasmbdap/prod/admin/mbda/mbda_src/mbda_src_*/log/run_ingest_all_feeds_*_*.log" |rex "info\s:\s\+{4}\s(?<feed_status>\w+)\s\+{4}\sJob run_ingest_(?<Datafeed_name>\w+)-" |where Datafeed_name!=""|dedup Datafeed_name feed_status |eval Datafeed_name = substr(Datafeed_name, 1, len(Datafeed_name)-5)|rex field=Datafeed_name "^(?<SOR>\w{2,5})_(?<data_feed_name>\w+)$$" |where feed_status=$feedstatus$ |table data_feed_name feed_status]]></query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>
    <option name="count">10</option>
    <option name="drilldown">none</option>
    <option name="refresh.display">progressbar</option>
  </table>
</panel>
no luck 😞 @vnravikumar
now the drilldown itself not working when it is not in edit mode...before i post the question here it was showing no results and it showing only in edit mode...and the $feeddata$ it was showing the same as token as $row.feed_status$....
I guess you are trying to show table only onclick of chart in that case, instead of <panel depends="$feeddata$"> use <panel depends="$feedstatus$">
yes i m trying to show a table with the list of jobs when the user clicks on timechart....
And modify where to |where feed_status="$feedstatus$"
yes this is working...but i m expecting the drilldown table visible only when a user click on some value...but it is displaying even when i m not clicked on anything with no results...i want to make it invisible when i didnt click on anything...
Please open the dashboard in a new window/tab and check.
ok..i just noticed that its showing the values for all the dates..ie. the same count for each status for everyday...do you need to add one more token?
In Chart query you had hardcoded -7d@h <latest>now</latest>. And reset the token feedstatus accordingly to hide table when you do new search.
what should i replace it with then....dont we need to create another token for time in order to get the different results
you need to pass timepicker's token earliest and latest there.
i dont get you...can you please paste the code here what you are thinking
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
I hope drilldown is working, please accept the solution.
I hope you will do this.
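The fixes from this thread combined into one dashboard, as an added example that is not part of the original posts: the detail panel depends on the token the click sets, the time input unsets that token, and the clicked value is quoted with the `|s` token filter before it reaches the `where` clause. Limiting the table to the clicked column with the predefined `$earliest$`/`$latest$` drilldown tokens goes beyond what the thread suggests; the `click_earliest` and `click_latest` token names are chosen here, the index and source are placeholders, and the query is shortened to the first `rex`.

```xml
<form>
  <label>Data feed status</label>
  <fieldset submitButton="false">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <!-- a new time range hides the detail panel until the next click -->
        <unset token="feedstatus"></unset>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query><![CDATA[index=XXX source=XXX | rex "info\s:\s\+{4}\s(?<feed_status>\w+)\s\+{4}\sJob run_ingest_(?<Datafeed_name>\w+)-" | where Datafeed_name!="" | dedup Datafeed_name feed_status | timechart count(Datafeed_name) as datafeed_count by feed_status]]></query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <!-- click.name2 = clicked series; earliest/latest = clicked time bucket -->
          <set token="feedstatus">$click.name2$</set>
          <set token="click_earliest">$earliest$</set>
          <set token="click_latest">$latest$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel depends="$feedstatus$">
      <table>
        <search>
          <!-- |s wraps the value in quotes and escapes quotes inside it -->
          <query><![CDATA[index=XXX source=XXX | rex "info\s:\s\+{4}\s(?<feed_status>\w+)\s\+{4}\sJob run_ingest_(?<Datafeed_name>\w+)-" | where Datafeed_name!="" | dedup Datafeed_name feed_status | where feed_status=$feedstatus|s$ | table Datafeed_name feed_status]]></query>
          <earliest>$click_earliest$</earliest>
          <latest>$click_latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```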