Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Click Selection not working.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I have a code, that uses the output to fetch data from another Panel.
First Panel
<title>Juniper Mnemonics</title>
<table>
<search>
<query>index=nw_syslog
| search hostname="*DCN*"
| stats count by cisco_mnemonic, hostname
| sort - count</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="drilldown">row</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<condition field="cisco_mnemonic">
<set token="message_token">$click.value$</set>
</condition>
<condition field="hostname">
<set token="hostname_token">$click.value$</set>
</condition>
<condition field="count"></condition>
</drilldown>
</table>
From this panel 2 contents are fetched for second panel search.
Second Panel
index=nw_syslog
| search hostname="*DCN*"
| search cisco_mnemonic="$message_token$"
| search hostname="$hostname_token$"
| stats count by message
| sort - count
Issue:
When ever i click the first panel table.( given ROW as Click Selection). its not getting fetching correctly.
Only fetching "cisco_mnemonic" only for both cisco_mnemonic and hostname. Please guide me how can i get both in single click.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the root cause of the problem is setting each token to the same value ($click.value$). Have you tried something like this?
<drilldown>
<condition field="cisco_mnemonic">
<set token="message_token">$row.cisco_mnemonic$</set>
</condition>
<condition field="hostname">
<set token="hostname_token">$row.hostname$</set>
</condition>
<condition field="count"></condition>
</drilldown>If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jerinvarghese Change your drilldown tag in the first panel as shown below:
<drilldown>
<set token="message_token">$row.cisco_mnemonic$</set>
<set token="hostname_token">$row.hostname$</set>
</drilldown>
If this didn't work you must also try the solution given by @richgalloway
Also if this reply helped you in solving your problem, an up-vote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the root cause of the problem is setting each token to the same value ($click.value$). Have you tried something like this?
<drilldown>
<condition field="cisco_mnemonic">
<set token="message_token">$row.cisco_mnemonic$</set>
</condition>
<condition field="hostname">
<set token="hostname_token">$row.hostname$</set>
</condition>
<condition field="count"></condition>
</drilldown>If this reply helps you, Karma would be appreciated.
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
