Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Click Selection not working.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I have a code, that uses the output to fetch data from another Panel.
First Panel
<title>Juniper Mnemonics</title>
<table>
<search>
<query>index=nw_syslog
| search hostname="*DCN*"
| stats count by cisco_mnemonic, hostname
| sort - count</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="drilldown">row</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<condition field="cisco_mnemonic">
<set token="message_token">$click.value$</set>
</condition>
<condition field="hostname">
<set token="hostname_token">$click.value$</set>
</condition>
<condition field="count"></condition>
</drilldown>
</table>
From this panel 2 contents are fetched for second panel search.
Second Panel
index=nw_syslog
| search hostname="*DCN*"
| search cisco_mnemonic="$message_token$"
| search hostname="$hostname_token$"
| stats count by message
| sort - count
Issue:
When ever i click the first panel table.( given ROW as Click Selection). its not getting fetching correctly.
Only fetching "cisco_mnemonic" only for both cisco_mnemonic and hostname. Please guide me how can i get both in single click.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the root cause of the problem is setting each token to the same value ($click.value$). Have you tried something like this?
<drilldown>
<condition field="cisco_mnemonic">
<set token="message_token">$row.cisco_mnemonic$</set>
</condition>
<condition field="hostname">
<set token="hostname_token">$row.hostname$</set>
</condition>
<condition field="count"></condition>
</drilldown>If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jerinvarghese Change your drilldown tag in the first panel as shown below:
<drilldown>
<set token="message_token">$row.cisco_mnemonic$</set>
<set token="hostname_token">$row.hostname$</set>
</drilldown>
If this didn't work you must also try the solution given by @richgalloway
Also if this reply helped you in solving your problem, an up-vote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the root cause of the problem is setting each token to the same value ($click.value$). Have you tried something like this?
<drilldown>
<condition field="cisco_mnemonic">
<set token="message_token">$row.cisco_mnemonic$</set>
</condition>
<condition field="hostname">
<set token="hostname_token">$row.hostname$</set>
</condition>
<condition field="count"></condition>
</drilldown>If this reply helps you, Karma would be appreciated.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
