Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

For drilldown, can I use an extracted field as a token value?

blindfire_bandi
Explorer
‎02-12-2019 02:21 PM

My token:

<drilldown>
$row.lobName$

</drilldown>

lobName is a field that I extracted using Rex statement; it isn't an actual field in the index I'm searching on. My drilldown is showing 0 results, but it looks like the token is being passed successfully, so I'm not sure what's going on. I have a similar dashboard where the tokens being passed are 'real' fields in the index, and the drilldown works just fine, so I thought maybe the issue here is that extracted fields cannot be tokens.

0 Karma
Reply

woodcock
Esteemed Legend
‎02-13-2019 08:50 AM

Your XML works for me with very slight adjustment in v7.2.4; try this:

<dashboard>
   <label>drilldown</label>
   <row>
     <panel>
       <table>
         <search>
           <query>index=_internal | rex field=source "log\/splunk\/(?<file>.*)"|dedup source,file,sourcetype | table source,file,sourcetype</query>
           <earliest>-24h@h</earliest>
           <latest>now</latest>
         </search>
         <option name="drilldown">cell</option>
         <drilldown>
           <eval token="log_filename">$row.file$</eval>
         </drilldown>
       </table>
     </panel>
   </row>
   <row>
     <panel>
       <table>
         <search>
           <query>index=_internal source = "*$log_filename$"|dedup source | table source</query>
           <earliest>-24h@h</earliest>
           <latest>now</latest>
         </search>
         <option name="drilldown">none</option>
       </table>
     </panel>
   </row>
 </dashboard>
0 Karma
Reply

vnravikumar
Champion
‎02-13-2019 01:58 AM

Hi @blindfire_bandit

Please refer this and let me know

<dashboard>
  <label>drilldown</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal | rex field=source "log\/splunk\/(?P<file>.*)"|dedup source,file,sourcetype | table source,file,sourcetype</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <eval token="log_filename">$row.file$</eval>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal source = "*$log_filename$"|dedup source | table source</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
0 Karma
Reply

blindfire_bandi
Explorer
‎02-12-2019 02:50 PM

Sorry, I left out the set statement.

     <drilldown>
      <set token="LobNameTok">$row.lobName$</set>
    </drilldown>
0 Karma
Reply

woodcock
Esteemed Legend
‎02-12-2019 03:49 PM

What you have shown should work. You need to provide more details.

0 Karma
Reply

blindfire_bandi
Explorer
‎02-13-2019 06:43 AM

@woodcock

Here is the xml in it's entirety. When I click on a row in the first table, I need it to pass the 'LobNameTok' token to the "Detail View" table (second table), so that the second table shows information that is only pertinent to that lob. See my where clause. From testing that I've done yesterday, I've concluded that the token IS being recognized by the second table when I click a row in the first. However, nothing is loading in the second table, it's just empty. I thought that perhaps it was an issue with lobName being a field that I extracted with rex() and not an actual field in my index. Maybe I have another issue that I'm not seeing.

    <search>
      <query>index=ssi_rtc ("handled request with state Success" OR "handled request with state Errored")
        | where isnull(webService)
        | rex "message\" : (?&lt;server&gt;\w+)\.\.(?&lt;lobName&gt;\w+(\-[a-zA-Z]+){0,1})\-(?&lt;transactionType&gt;\w+)\."
        | where transactionType="270"
        | rex "\"RequestReceivedFromClientTimeUtc\"\:\"(?&lt;requestReceivedTimeText&gt;.+?)\""
        | rex "\"ReplySentToClientTimeUtc\"\:\"(?&lt;replySentTimeText&gt;.+?)\""
        | eval requestReceivedTime = strptime(requestReceivedTimeText,"%Y-%m-%dT%H:%M:%S")  
        | eval replySentTime = strptime(replySentTimeText,"%Y-%m-%dT%H:%M:%S") 
        | eval processingTimeInSeconds = replySentTime - requestReceivedTime 
        | stats avg(processingTimeInSeconds) as TimeAtLobSeconds by lobName
        | eval TimeAtLobSeconds = round(TimeAtLobSeconds, 0)
        | eval isFailure = if(TimeAtLobSeconds &gt; 20, 1, 0)
        | where (isFailure == 1) 
        | table lobName TimeAtLobSeconds
        | rename TimeAtLobSeconds as "Avg. Time at Lob (seconds)"
        | sort -"Avg. Time at Lob (seconds)"</query>
      <earliest>$ThresholdTime.earliest$</earliest>
      <latest>$ThresholdTime.latest$</latest>
    </search>
    <option name="count">10</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">row</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
    <drilldown>
      <set token="LobNameTok">$row.lobName$</set>
    </drilldown>
  </table>
</panel>
<panel>
  <title>270 - Payer Latency (Detail View)</title>
  <table>
    <search>
      <query>index=ssi_rtc ("handled request with state Success" OR "handled request with state Errored") 
         | rex "\"message\"\s\:\s(?&lt;server&gt;[A-Z]+)\.\.(?&lt;lobName&gt;[A-Z].+?)\."
        | where (lobName == $LobNameTok$ and isnull(webService)) 
        | eval requestReceivedTime = strptime(requestReceivedTimeText,"%Y-%m-%dT%H:%M:%S")  
        | eval replySentTime = strptime(replySentTimeText,"%Y-%m-%dT%H:%M:%S") 
        | eval processingTimeInSeconds = (replySentTime - requestReceivedTime) 
        | stats avg(processingTimeInSeconds) as TimeAtLobSeconds by lobName
        | table lobName TimeAtLobSeconds
        | rename lobName as "Lob Name", TimeAtLobSeconds as "Time at Lob"
        | sort -_time</query>
      <earliest>$ThresholdTime.earliest$</earliest>
      <latest>$ThresholdTime.latest$</latest>
    </search>
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...