Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

FlashChart Drilldown Question which calls a new search

Ant1D
Motivator
‎10-20-2010 11:17 AM

Hey,

I want to switch off what seems to be a default function in Splunk.

I am trying to drill down on the following chart:

alt text When I click on the cell highlighted above in the search, a search that I have defined via the HiddenSearch module is run in a new popup window. However, by default, Splunk adds success="919" to this search.

When I click on this particular cell, the following search is run: index=main onb="wk42_2tue" success="919"

but this is the search that I want to see being run instead when I click on this cell: index=main onb="wk42_2tue"

The following extract of code from my view makes the above index=main onb="wk42_2tue" success="919" search possible:

<module name="HiddenSearch" autoRun="true">

 <param name="search">index=main</param>
       <module name="ConvertToIntention">
             <param name="intention"> 
                    <param name="name">addterm</param>
                              <param name="arg">
                                     <param name="onb">$click.value$</param>
                              </param>
              </param>  
               .
               .
               .

Is it possible to add a module and/or param to my code that stops success="..." from being added to the end of my search when I click on one of these cells?

Thanks in advance for your help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ayme
Splunk Employee
Splunk Employee
‎11-13-2010 12:51 PM

The answer is to reference the second dimension name/value no? eg. $click.name2$

Here is an example:

 <module name="HiddenSavedSearch" layoutPanel="panel_row2_col1"
group="Test Flashchart" autoRun="True">
<param name="savedSearch">Test Flashchart</param>
<module name="ResultsHeader">
    <param name="entityName">scanned</param>
    <param name="entityLabel">test</param>
    <module name="HiddenChartFormatter">
        <param name="chart">column</param>
        <param name="chart.stackMode">stacked</param>
        <param name="primaryAxisTitle.text">time</param>
        <param name="secondaryAxisTitle.text">test</param>
        <module name="FlashChart">
            <param name="width">100%</param>
            <param name="height">300px</param>
            <module name="HiddenSearch">
                <param name="search">index=main</param>
                <param name="earliest">-1h</param>
                <module name="ConvertToIntention">
                    <param name="intention">
                        <param name="name">addterm</param>
                        <param name="arg">
                            <param name="onb">$click.name2$</param>
                        </param>
                    </param>
                    <module name="JobProgressIndicator"></module>
                    <module name="SimpleResultsHeader">
                        <param name="entityName">results</param>
                        <param name="headerFormat">$click.name2$=$click.value2$
                        </param>
                    </module>
                    <module name="HiddenChartFormatter">
                        <param name="chart">line</param>
                        <param name="primaryAxisTitle.text">time</param>
                        <param name="secondaryAxisTitle.text">events</param>
                        <param name="legend.placement">none</param>
                        <module name="FlashChart">
                            <param name="width">100%</param>
                            <param name="height">160px</param>
                        </module>
                    </module>
                </module>
            </module>
        </module>
    </module>
</module>
 </module>

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ayme
Splunk Employee
Splunk Employee
‎11-13-2010 12:51 PM

The answer is to reference the second dimension name/value no? eg. $click.name2$

Here is an example:

 <module name="HiddenSavedSearch" layoutPanel="panel_row2_col1"
group="Test Flashchart" autoRun="True">
<param name="savedSearch">Test Flashchart</param>
<module name="ResultsHeader">
    <param name="entityName">scanned</param>
    <param name="entityLabel">test</param>
    <module name="HiddenChartFormatter">
        <param name="chart">column</param>
        <param name="chart.stackMode">stacked</param>
        <param name="primaryAxisTitle.text">time</param>
        <param name="secondaryAxisTitle.text">test</param>
        <module name="FlashChart">
            <param name="width">100%</param>
            <param name="height">300px</param>
            <module name="HiddenSearch">
                <param name="search">index=main</param>
                <param name="earliest">-1h</param>
                <module name="ConvertToIntention">
                    <param name="intention">
                        <param name="name">addterm</param>
                        <param name="arg">
                            <param name="onb">$click.name2$</param>
                        </param>
                    </param>
                    <module name="JobProgressIndicator"></module>
                    <module name="SimpleResultsHeader">
                        <param name="entityName">results</param>
                        <param name="headerFormat">$click.name2$=$click.value2$
                        </param>
                    </module>
                    <module name="HiddenChartFormatter">
                        <param name="chart">line</param>
                        <param name="primaryAxisTitle.text">time</param>
                        <param name="secondaryAxisTitle.text">events</param>
                        <param name="legend.placement">none</param>
                        <module name="FlashChart">
                            <param name="width">100%</param>
                            <param name="height">160px</param>
                        </module>
                    </module>
                </module>
            </module>
        </module>
    </module>
</module>
 </module>
0 Karma
Reply
Solved! Jump to solution

Ant1D
Motivator
‎11-18-2010 04:00 PM

I was able to tweak this code a little and get it to work for me. Thanks for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...