Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Expand search based on chart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Is there a way from a dashboard perspective that I present a chart from 2 big groups and if I click on the legend (or anything available). It will make a more granular look of the groups with the selected big group.
For ex. BigGroup 1 consists of 10 subgroups, and BigGroup 2 consists of 20 subgroups. On a dashboard perspective, I will present Utilization of those 2 Big groups and then if I clicked on the chart / or legend of BigGroup 1, it will present the 10 subgroups.
Thanks and Regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The drilldown in the first panel, opens the second dashhboard in a new tab (target = _blank) passing the value of the clicked column in a variable (group=$click.value$) which is given to the other dashboard as a token in used in the query for the second panel ($group$).
<panel>
<chart>
<search>
<query>| gentimes start=-1 increment=10s
| rename starttime as _time
| fields - endhuman endtime starthuman
| eval count=random() % 20
| eval group=random() % 2
| eval item=random() % 10 + (10 * group)
| stats sum(count) as total by group</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.drilldown">all</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<link target="_blank">/app/yourapp/yourotherdashboard?group=$click.value$</link>
</drilldown>
</chart>
</panel>
In other dashboard
<panel depends="$group$">
<chart>
<search>
<query>| gentimes start=-1 increment=10s
| rename starttime as _time
| fields - endhuman endtime starthuman
| eval count=random() % 20
| eval group=random() % 2
| eval item=random() % 10 + (10 * group)
| where group=$group$
| stats sum(count) as total by item</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By the way, would like to ask if it would be possible to have it re-directed on a new dashboard with the tokens passed?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use a drilldown to set a token which then used on the search of another panel providing the drilldown information. As part of the drilldown, you could set and unset tokens so that the panel only appears when the drilldown has been clicked, and also make the original panel hide, so it gives the illusion of drilling down in situ.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thank you for the idea. Would you have a sample I can take a look on?
Thanks and Regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The drilldown in the first panel, opens the second dashhboard in a new tab (target = _blank) passing the value of the clicked column in a variable (group=$click.value$) which is given to the other dashboard as a token in used in the query for the second panel ($group$).
<panel>
<chart>
<search>
<query>| gentimes start=-1 increment=10s
| rename starttime as _time
| fields - endhuman endtime starthuman
| eval count=random() % 20
| eval group=random() % 2
| eval item=random() % 10 + (10 * group)
| stats sum(count) as total by group</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.drilldown">all</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<link target="_blank">/app/yourapp/yourotherdashboard?group=$click.value$</link>
</drilldown>
</chart>
</panel>
In other dashboard
<panel depends="$group$">
<chart>
<search>
<query>| gentimes start=-1 increment=10s
| rename starttime as _time
| fields - endhuman endtime starthuman
| eval count=random() % 20
| eval group=random() % 2
| eval item=random() % 10 + (10 * group)
| where group=$group$
| stats sum(count) as total by item</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you the idea. I noticed that I cannot use the expand based on the chart legend so I made a list instead to use the drilldown.
Splunk Observability for AI
🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler
Observe and Secure All Apps with Splunk
