Expand search based on chart

aquinojason
Path Finder

Hi,

Is there a way, from a dashboard perspective, to present a chart of 2 big groups so that if I click on the legend (or anything available), it gives a more granular look at the groups within the selected big group?

For example, BigGroup 1 consists of 10 subgroups, and BigGroup 2 consists of 20 subgroups. From a dashboard perspective, I will present the utilization of those 2 big groups, and then if I click on the chart or legend of BigGroup 1, it will present the 10 subgroups.

 

Thanks and Regards,

0 Karma

aquinojason
Path Finder

By the way, I would like to ask if it would be possible to have it redirected to a new dashboard with the tokens passed?

0 Karma

ITWhisperer
Ultra Champion

You can use a drilldown to set a token which is then used in the search of another panel providing the drilldown information. As part of the drilldown, you could set and unset tokens so that the panel only appears when the drilldown has been clicked, and also make the original panel hide, so it gives the illusion of drilling down in situ.

0 Karma

aquinojason
Path Finder

Hi,

Thank you for the idea. Would you have a sample I can take a look at?

Thanks and Regards,

0 Karma

ITWhisperer
Ultra Champion

The drilldown in the first panel opens the second dashboard in a new tab (target = _blank), passing the value of the clicked column in a variable (group=$click.value$), which is given to the other dashboard as a token and used in the query for the second panel ($group$).

    <panel>
      <chart>
        <search>
          <query>| gentimes start=-1 increment=10s
    | rename starttime as _time
    | fields - endhuman endtime starthuman
    | eval count=random() % 20
    | eval group=random() % 2
    | eval item=random() % 10 + (10 * group)
    | stats sum(count) as total by group</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_blank">/app/yourapp/yourotherdashboard?group=$click.value$</link>
        </drilldown>
      </chart>
    </panel>


In the other dashboard:

    <panel depends="$group$">
      <chart>
        <search>
          <query>| gentimes start=-1 increment=10s
    | rename starttime as _time
    | fields - endhuman endtime starthuman
    | eval count=random() % 20
    | eval group=random() % 2
    | eval item=random() % 10 + (10 * group)
    | where group=$group$
    | stats sum(count) as total by item</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>

0 Karma

aquinojason
Path Finder

Thank you for the idea. I noticed that I cannot use the expand based on the chart legend, so I made a list instead to use the drilldown.

0 Karma