Solved: Re: Drilldown on results of a subsearch not workin...

doogan12 · ‎07-04-2017

Woodcock - As a new question to the previous one that you help resolve - do you have any idea why the drilldown isn't working? When I click on the results that the search produced, it shows and runs the search string of the original search instead of the results of the search - just like clicking the magnifying glass icon does. In the source code, drilldown is set to cell. Any thoughts?

cmerriman · ‎07-04-2017

To drilldown to another search, instead of more or less opening the current search, you need to use the drilldown node. http://docs.splunk.com/Documentation/Splunk/6.6.2/Viz/ContextualDrilldown
You'll need to add something like this:
<set token="new">$click.value$</set> </drilldown>
And then you need to create another panel with you new search with the new token in it to use as a filter. You can add depends="$new$" into the panel node to hide the panel until the token is set, if desired.

View solution in original post

woodcock · ‎12-09-2018

@doogan12, I did not see this until just now because you need prefix ids with the @ character (as in @woodcock). This will notify the user directly (like the notification that you should have just gotten).

cmerriman · ‎07-04-2017

To drilldown to another search, instead of more or less opening the current search, you need to use the drilldown node. http://docs.splunk.com/Documentation/Splunk/6.6.2/Viz/ContextualDrilldown
You'll need to add something like this:
<set token="new">$click.value$</set> </drilldown>
And then you need to create another panel with you new search with the new token in it to use as a filter. You can add depends="$new$" into the panel node to hide the panel until the token is set, if desired.

doogan12 · ‎07-05-2017

Not sure what happened, but when I clicked the value returned from the original search, a new panel popped up with unexpected data in it. When I clicked the magnifying glass to 'open in search' and see what the search looked like, the search string only had the word'NULL' in it and was looking for all occurrences of NULL in the past four hours. Any thoughts on what may have occurred with the new query?

cmerriman · ‎07-05-2017

Can you provide a sample of the xml so I can see where you placed the drilldown node and how you used the token in the new panel?

doogan12 · ‎07-05-2017

Sure, I hope it translates properly

  <title>ICID</title>
  <table>
    <title>ICID</title>
    <search>
      <query>index=primary sourcetype=email_server "$ip$" | stats count BY icid | table icid | format</query>
    </search>
    <drilldown>
      <set token="show_panel">true</set>
      <set token="retrieve">$click.value$</set>
    </drilldown>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="list.drilldown">full</option>
    <option name="list.wrap">1</option>
    <option name="maxLines">5</option>
    <option name="raw.drilldown">full</option>
    <option name="table.drilldown">all</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>
<panel depends="$retrieve$">
  <event>
    <title>Result of ICID search retrieval</title>
    <search>
      <query>index=primary sourcetype=email_server $retrieve$</query>
      <earliest>-4h@h</earliest>
      <latest>now</latest>
    </search>
    <option name="count">5</option>
  </event>
</panel>

cmerriman · ‎07-05-2017

The table you have with the ICID is using format, which would come out with one row, one column with values similar to "ICID=x OR ICID=y...". Are you trying to select just one value of ICID? You'd need to remove the format command and create an actual table.

doogan12 · ‎07-05-2017

Actually, no. I want to just click the 'OR'd results. The format command looks like it is working the way I would need it to, especially when there are multiple ICID's from a particular event. Let's say there are 10 ICID's that were found with the initial search. Having them strung together with an OR should show the search thus: icid=123456 OR icid=234567 OR icid-345678, etc. If I go to an actual table, I'd only be able to click one at a time, and if there are 100's or thousands of icid's...you get the picture.

But what I have in that query with the token $retrieve$ is returning a search with the word NULL in it.

cmerriman · ‎07-06-2017

do you really need to have this icid=123456 OR icid=134567... in a table a clicking it or can you just show the table that would have these search results in it?

 <panel>
   <event>
     <title>Result of ICID search retrieval</title>
     <search>
       <query>index=primary sourcetype=email_server [search index=primary sourcetype=email_server "$ip$" | stats count BY icid | table icid | format] </query>
       <earliest>-4h@h</earliest>
       <latest>now</latest>
     </search>
     <option name="count">5</option>
   </event>
 </panel>

doogan12 · ‎07-06-2017

If they were just laid out neatly in a table, would they be interactive or would they return a NULL?

cmerriman · ‎07-06-2017

i figured it out. change $click.value$ to $click.value2$ when you're setting the retrieve token. that should fix the problem.
here are event token definitions:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Viz/EventHandlerReference#Drilldown_event_tokens

doogan12 · ‎07-06-2017

Sounds great! I'll give that a try. Thank you, cmerriman!

doogan12 · ‎07-09-2017

Yes, it is working like I envisioned it would. Thanks for your advice.

cmerriman · ‎07-04-2017

Could you link to previous question or post more details surrounding xml source code to dashboard regarding the drilldown panel? My guess without knowing everything is that the token isn't properly set to the right value. A way to debug tokens is to add script="tokens.js" to the form node

doogan12 · ‎07-04-2017

Cmerriman - the search is thus: index=InnerIndexHere sourcetype=InnerSourcetypeHere "ip.of.offending.addr" | stats count BY ICID | table ICID | format

This returns a subsearch of the results found in the ICID field. I would like to the results to be capable of drilldown by clicking the contents of the cell to display the results of each ICID number (ie; was there DNS info for the IP, was it blacklisted, did it create a mid, did it close).

Here is the source:

true
false
none
full
1
5
full
all
1
list
cell
10</option

and the link to the previous question:

https://answers.splunk.com/answers/552608/how-can-i-take-the-results-from-a-search-and-gener.html

Thanks for taking a timeout to assist on a Holiday!

doogan12 · ‎07-04-2017

Hmmmm - that source code didn't post correctly

true
false
none
full
1
5
full
all
1
list
cell
10

doogan12 · ‎07-04-2017

The code falls under the option name= and are as follows - wrap, rowNumbers, dataOverlayMode, list.drolldown,list.wrap, maxLines, raw.drilldown, table.drilldown, table.wrap, type, drilldown, and count with the answer to those options listed above.

TY

Drilldown on results of a subsearch not working

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)