Splunk Search

Drilldown problem

Dark_Ichigo
Builder

I have a problem where I have a table that has a _time column and two other columns. I have a search that sorts that drilldown by the click.name, for example.

The problem is click.name and click2.name and click.name2 all return _time, so I end up sorting by _time!

What I want is to sort by one of those other column names and not the first _time column no matter which row I click on.

What am I missing? Is there another click.name3 I'm missing out on or something, because it only returns Null.

1 Solution

sideview
SplunkTrust

If click.name and click.name2 are always the same, and they're always returning the value of the first column, then you must have the 'drilldown' param set to 'row'.

However, even if you change the drilldown param from 'row' to 'all', you'll only be able to get a) the name and value for the first cell as click.name and click.value, and b) the name and value for the cell the mouse was directly over as click.name2 and click.value2.

However, outside of "chart count over foo by bar", click.name2 and click.value2 are not usually very valuable to app developers since it is literally the cell that the user clicked on. When you change drilldown to 'all', you'll also see the highlighting change to indicate this behavior to the user.

To get full access to any of the values in any of the columns, you would have to patch the core code yourself, or you could switch to developing your views using Sideview Utils. Sideview Utils is an app that brings a number of new modules into the picture, and it also patches some of the existing modules. Most notable for your problem is a patch that it applies to the SimpleResultsTable module, whereby you can access any cell as $click.fields.myFieldName$.

Sideview Utils makes a lot of other things easier too, but if you just want this one specific problem to go away, here are the steps: download and install the app on your system, restart if prompted, and then add this one module to the top of your view.

 <module name="SideviewUtils" layoutPanel="appHeader" />

http://splunk-base.splunk.com/apps/22279/sideview-utils

Note that the app itself contains its own documentation and examples.

sideview
SplunkTrust

Well again, if you change the drilldown param to 'all', then click.name2 will no longer be _time. It will instead be the column name of the cell the user clicked on. If you still have the drilldown param set to 'row', then click.name2 and click.name will be identical (_time). But I'm repeating myself so maybe this isn't what you're really asking? Maybe posting the xml or more details would help.

0 Karma

Dark_Ichigo
Builder

Is updating the JS file an option, removing the code where it retrieves the Search value along with the name?

0 Karma

Dark_Ichigo
Builder

I understand completely what you're saying, and you have so far solved so many of my problems, but I would really like to know how to just get the name of the column without having the value along with it. So basically when I perform a search: sort by click.name2 it retrieves the name of the column but it also pipes to the value search: sort by click.name2 | search "The value I clicked on"

Is this possible? I've taken a good look at your app and it's a really well done job! But how can I just retrieve the column name I selected?

0 Karma

sideview
SplunkTrust

Well, click.name2 is still passed down. I leave all the old keys there. And I didn't mention it here but it's mentioned in the docs and maybe this is what you're looking for -- you can also do click.cell0.name, click.cell0.value ... click.cell7.name, click.cell7.value, etc.

0 Karma
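
An added example, not taken from the thread or from the Sideview Utils documentation: an advanced XML view sketch using the keys discussed above, with drilldown set to 'all' so that $click.name2$ carries the clicked column's name and $click.fields.status$ carries the clicked row's value for one field. The index, sourcetype, field names (bytes, status) and panel layout are hypothetical.

```xml
<view template="dashboard.html">
  <label>Drilldown sorted by clicked column (example)</label>
  <module name="AccountBar" layoutPanel="appHeader" />
  <module name="AppBar" layoutPanel="appHeader" />
  <!-- Loads Sideview Utils, including its SimpleResultsTable patch -->
  <module name="SideviewUtils" layoutPanel="appHeader" />

  <!-- Base search: a table with _time and two other columns (hypothetical fields) -->
  <module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">index=main sourcetype=access_combined | table _time bytes status</param>
    <param name="earliest">-24h</param>

    <module name="SimpleResultsTable">
      <!-- 'row': click.name and click.name2 both name the first column (_time).
           'all': click.name2 is the column of the cell that was clicked. -->
      <param name="drilldown">all</param>

      <!-- Runs on click. $click.name2$ inserts only the column name (no value),
           and $click.fields.status$ is the status value from the clicked row.
           Clicking a cell in the _time column still yields _time here. -->
      <module name="Search">
        <param name="search">index=main sourcetype=access_combined status="$click.fields.status$" | table _time bytes status | sort $click.name2$</param>
        <param name="earliest">-24h</param>
        <module name="SimpleResultsTable" />
      </module>
    </module>
  </module>
</view>
```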

Dark_Ichigo
Builder

Thanks, this is what I've been looking for the whole time!

Just a quick question, is it possible to update the JavaScript file in order to only retrieve the column name using click.name2?

0 Karma