Splunk Search

How to keep fields after a chart command for use in dynamic drilldown

New Member

If I have a table like this:

TestName          , OS        , IsSuccessfull,             , TestID
T1                , Windows   , True                       , 1
T1                , Linux     , True                       , 2
T2                , Windows   , False                      , 3
T2                , Linux     , False                      , 4

I can chart the data and get something like this:

| chart latest(IsSuccessfull) over TestName by OS
TestName, Windows, Linux
T1      , True   , True
T2      , False  , False

From here I would like to be able to drilldown to another dashboard which gives more detail about a specific test when given the TestID but the problem is the chart command removes all the fields it doesn't use so TestID disappears.

<drilldown>
    <link> /app/TESTING/TestDetails?TestID=$row.TestID$</link> <--- Can't do this
</drilldown>

Is there a way I can keep the associated TestID when I'm not displaying it in the table? Or is there some other way to do this?

Any help much appreciated!

0 Karma

SplunkTrust
SplunkTrust

Is the value of OS field fixed (mean only very specific OS names) ? What are you doing with result of chart command, showing in a table?

0 Karma

New Member

The OS fields are populated by the data so they are not "fixed" but there are only a limited amount that I am expecting.

Yes, the chart command gets displayed in a table just like the second one in my original question.

0 Karma

SplunkTrust
SplunkTrust

And are you doing a row level drilldown or cell level? Since there can be multiple OS, for a TestName (one row), there will be multiple TestIDs, so if you're doing a row level drilldown, you want all TestIDs?

0 Karma

New Member

That's a good point. Actually I think I need the cell level drilldown because I want the one TestID corresponding with the latest instance of a test against an OS. So maybe I need something like $cell.TestID$ ? I'll look into this on Monday.

0 Karma

SplunkTrust
SplunkTrust

From your question you seem to be passing TestID from table to another dashboard. However, if you perform statistical function you will get multiple values for T1 there are two test IDs 1 and 2. Please confirm what is the expected behavior.

The above drilldown that you have defined should work directly with first table that you have mentioned in the question.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

New Member

Yep, the drilldown does work from the first table. If I can though, I'd like to display the data in the second format (after the chart command) while still being able to drilldown using the TestID.

To give more context to the data, the TestID is actually a unique guid generated per test run and the tests are python scripts so for example I might run the same test five times against Windows and get something like this:

TestName , OS , IsSuccessfull, TestID , time
sync
test.py , Windows , True , ff744f19-47d9-4e1f-895c-53329f2ad715 , 10:20
synctest.py , Windows , False , bd4b8519-1f29-4905-a283-5e7e81f8425b , 10:15
sync
test.py , Windows , False , a65f8aa7-b96f-4403-9647-e05912503f2f , 10:10
synctest.py , Windows , True , 17e87c6a-4411-4e29-af4e-61c829272e8c , 10:05
sync
test.py , Windows , True , bad81240-b797-4244-bf05-166311830d3f , 10:00

The only one I care about and want to display in my table is the latest one so in this case I should get
TestName , Windows
sync_test.py , True

Hope that makes sense.

0 Karma

SplunkTrust
SplunkTrust

When you print out in table using simple xml fields option you can hide the column you want to use for drill down but not show to the user. However, at some point of time you need to have logical name for your test IDs so that user can select the same. In your case you can keep that as _time.

Edit Simple XML Dashboards and add the following for your table

<fields>TestName,OS,IsSuccessfull,_time</fields>

This way you will not display TestID, but you can use the same for your Drilldown

<drilldown>
     <link> /app/TESTING/TestDetails?TestID=$row.TestID$</link> 
</drilldown>

For reference, you can check out Table Element with Hidden Fields Example in Simple XML Examples App

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma