Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Click Selection not working.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I have a code, that uses the output to fetch data from another Panel.
First Panel
<title>Juniper Mnemonics</title>
<table>
<search>
<query>index=nw_syslog
| search hostname="*DCN*"
| stats count by cisco_mnemonic, hostname
| sort - count</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="drilldown">row</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<condition field="cisco_mnemonic">
<set token="message_token">$click.value$</set>
</condition>
<condition field="hostname">
<set token="hostname_token">$click.value$</set>
</condition>
<condition field="count"></condition>
</drilldown>
</table>
From this panel 2 contents are fetched for second panel search.
Second Panel
index=nw_syslog
| search hostname="*DCN*"
| search cisco_mnemonic="$message_token$"
| search hostname="$hostname_token$"
| stats count by message
| sort - count
Issue:
When ever i click the first panel table.( given ROW as Click Selection). its not getting fetching correctly.
Only fetching "cisco_mnemonic" only for both cisco_mnemonic and hostname. Please guide me how can i get both in single click.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the root cause of the problem is setting each token to the same value ($click.value$). Have you tried something like this?
<drilldown>
<condition field="cisco_mnemonic">
<set token="message_token">$row.cisco_mnemonic$</set>
</condition>
<condition field="hostname">
<set token="hostname_token">$row.hostname$</set>
</condition>
<condition field="count"></condition>
</drilldown>If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jerinvarghese Change your drilldown tag in the first panel as shown below:
<drilldown>
<set token="message_token">$row.cisco_mnemonic$</set>
<set token="hostname_token">$row.hostname$</set>
</drilldown>
If this didn't work you must also try the solution given by @richgalloway
Also if this reply helped you in solving your problem, an up-vote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the root cause of the problem is setting each token to the same value ($click.value$). Have you tried something like this?
<drilldown>
<condition field="cisco_mnemonic">
<set token="message_token">$row.cisco_mnemonic$</set>
</condition>
<condition field="hostname">
<set token="hostname_token">$row.hostname$</set>
</condition>
<condition field="count"></condition>
</drilldown>If this reply helps you, Karma would be appreciated.
Splunk Observability for AI
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Splunk Observability as Code: From Zero to Dashboard
