Splunk Search

Help with Drilldown and token condition in Dashboard

Julia1231
Communicator

Hi everybody,

I am creating a Dashboard using Splunk and I'm searching for a solution.

I have a list machine according to the type from an Excel file.

I have a dbxquery to get data of each machine from DB  then using lookup, I now can get the count of event by each type.

What I want to do next, is add drilldowns in the dashboard, to distinguish the type, base on the number of machine, for ex: if there is < 50 machines, the type will list in the drilldown 1, if > 50, types will be listed in the drilldown 2. 

The reason to seperate into 2 group because I want to set the timechart span differently, span =1h for drilldown 1 and span =2h for drill down 2

Here is my script:

|dbxquery connection="server" query="SELECT *
FROM table "
|lookup lookup.csv numero OUTPUT type
|eval _time=strptime(time_receive,"%Y-%m-%dT%H:%M:%S.%N")
|timechart span=2h count by type
| untable _time type count_event
| makecontinuous
| fillnull value=0
| where count_event = 0
| sort - _time

Julia1231_0-1664886493773.png

Can I do something in the search, like: If I click on the drilldown 1, I'll run the search with span =1h, when I choose from drilldown 2, I'll run the search with span =2h?

I also want to have option ALL in each drilldown

Do you have any idea?


Thanks,

Julia

 

Labels (4)
Tags (1)
0 Karma

jdunlea
Contributor

The dashboard below should give you an idea of how you can do the two drop downs. 

 

There still needs to be some tweaking to allow "all" as a selectable item. 

 

I did try and do something where you can change the "span" based on the dropdown chosen, but it is tricker than I thought and will probably need some tokens to be set in the XML of the dashboard itself. 

 

<form version="1.1">
  <label>test community dash</label>
  <search id="base1">
    <query>| makeresults count=100 | streamstats count | eval type=case(count&lt;20,"type1",count&gt;19 AND count&lt;50,"type2",1=1,"type3")
| stats count as machine_count by type</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="type_less_than_30">
      <label>Type: Machine Count &lt;30</label>
      <fieldForLabel>type</fieldForLabel>
      <fieldForValue>type</fieldForValue>
      <search base="base1">
        <query>| where machine_count&lt;30</query>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
      <!--<suffix>:::1h</suffix>-->
    </input>
    <input type="dropdown" token="type_greater_than_30">
      <label>Type: Machine Count &gt;30</label>
      <fieldForLabel>type</fieldForLabel>
      <fieldForValue>type</fieldForValue>
      <search base="base1">
        <query>| where machine_count&gt;=30</query>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
      <!--<suffix>:::2h</suffix>-->
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults count=100 | streamstats count | eval type=case(count&lt;20,"type1",count&gt;19 AND count&lt;50,"type2",1=1,"type3")
| stats count as machine_count by type | eval less_than_30_type="$type_less_than_30$" | eval greater_than_30_type="$type_greater_than_30$" | eval type_selected=if(match(greater_than_30_type,"\*"),less_than_30_type,greater_than_30_type) | where type=type_selected</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

jdunlea
Contributor

Hi Julia,

 

Yes I think you can do both of these things. 

 

Can you clarify for me if the search you provided will be part of a dashboard panel, or if this search is what sits behind the dropdown(s)?

 

 

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...