Splunk Search

Drill down with transpose not working as expected to fetch the row and colomn values

a508184
Explorer

Drill down with transpose not working as expected to fetch the row and colomn values, as its not giving me the accurate results, not sure if this is related to transpose.

index=wso2 source="/opt/log.txt" "Count_Reportings"
| fields api-rep rsp_time mguuid
| bin _time span=1d
| stats values(*) as * by _time, mguuid
| eval onesec=if(rsp_time<=1000,1,0)
| eval threesec=if(rsp_time>1000 and rsp_time<=3000,1,0)
| eval threesecGT=if(rsp_time>3000,1,0)
| eval Total = onesec + threesec + threesecGT
| stats sum(onesec) as sumonesec sum(threesec) as sumthreesec sum(threesecGT) as sumthreesecGT sum(Total) as sumtotal by api-rep, _time
| eval good = if(api-rep="High", sumonesec + sumthreesec, if(api-rep="Medium", sumonesec + sumthreesec, if(api-rep="Low", sumonesec, null())))
| eval per_call=if(api-rep="High", (good / sumtotal) * 100, if(api-rep="Medium" , (good / sumtotal) * 100, if(api-rep="Low" , (good / sumtotal) * 100, null())))
| eval per_cal=round(per_call,2)
| timechart span=1d avg(per_cal) by api-rep
| eval time=strftime(_time, "%Y-%m-%d")
| fields - _time _span _spandays
| fillnull value=0
| transpose 0 header_field=time column_name=APIs include_empty=true


Below is the output for the above query, when i click on the 99.93 then need to pick GOOD and colomn header 2024-06-30 and pass it in the drilldown query

a508184_0-1719947387296.png

When i click on 99.93 from colomn 2024-06-30 it gives me below output, its not giving me the row values as Good.

a508184_1-1719947463475.png


Below are the drildown tokens.

tokClickValue1 = $click.value$
tokClickName1 = $click.name$
tokClickValue2 = $click.value2$
tokClickName2 = $click.name2$
tokApi = $row.APIs$

i want token to fetch header and APIs values to pass it to drilldown query. 

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

2024-06-30 should be name2 and good should be value

namename2
valuevalue2

View solution in original post

0 Karma

a508184
Explorer

Its working with your solution. @ITWhisperer  Thanks for your help.

0 Karma

bowesmana
SplunkTrust
SplunkTrust

In your API column example, how are you assigning the tokApi token to the API column?

I assume you are doing something like

| makeresults
| eval API=$tokApi|s$
...

At least that is what you _should_ be doing... 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

2024-06-30 should be name2 and good should be value

namename2
valuevalue2
0 Karma

a508184
Explorer

Name2 is giving me the 1988, not sure if its converting.

a508184_0-1719952255370.png

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Are you using Classic or Studio?

Please share significant part of your dashboard source in a code block to make reading easier

0 Karma
Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...