Expand search based on chart

aquinojason
Path Finder

Hi,

Is there a way, from a dashboard perspective, to present a chart of 2 big groups so that, if I click on the legend (or anything available), it gives a more granular look at the subgroups within the selected big group?

For example, BigGroup 1 consists of 10 subgroups, and BigGroup 2 consists of 20 subgroups. From a dashboard perspective, I will present the utilization of those 2 big groups, and then if I click on the chart or legend of BigGroup 1, it will present the 10 subgroups.

 

Thanks and Regards,


aquinojason
Path Finder

By the way, I would like to ask if it would be possible to have it redirected to a new dashboard with the tokens passed?


ITWhisperer
SplunkTrust

You can use a drilldown to set a token which is then used in the search of another panel providing the drilldown information. As part of the drilldown, you could set and unset tokens so that the panel only appears when the drilldown has been clicked, and also make the original panel hide, so it gives the illusion of drilling down in situ.

0 Karma

aquinojason
Path Finder

Hi,

Thank you for the idea. Would you have a sample I can take a look at?

Thanks and Regards,


ITWhisperer
SplunkTrust

The drilldown in the first panel opens the second dashboard in a new tab (target = _blank), passing the value of the clicked column in a variable (group=$click.value$), which is given to the other dashboard as a token and used in the query for the second panel ($group$).

    <panel>
      <chart>
        <search>
          <query>| gentimes start=-1 increment=10s
          | rename starttime as _time
          | fields - endhuman endtime starthuman
          | eval count=random() % 20
          | eval group=random() % 2
          | eval item=random() % 10 + (10 * group)
          | stats sum(count) as total by group</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_blank">/app/yourapp/yourotherdashboard?group=$click.value$</link>
        </drilldown>
      </chart>
    </panel>


In the other dashboard:

    <panel depends="$group$">
      <chart>
        <search>
          <query>| gentimes start=-1 increment=10s
          | rename starttime as _time
          | fields - endhuman endtime starthuman
          | eval count=random() % 20
          | eval group=random() % 2
          | eval item=random() % 10 + (10 * group)
          | where group=$group$
          | stats sum(count) as total by item</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>

aquinojason
Path Finder

Thank you for the idea. I noticed that I cannot use the expand based on the chart legend, so I made a list instead to use the drilldown.
