
How to pass two drilldown tokens, one for the month from a timechart to a new panel and display a stats count for a clicked value

johnward4
Communicator

How to pass two drilldown tokens, one for the month from a timechart to a new panel and display a stats count for a clicked value. I've got the clicked value token figured out but passing the Month for the clicked value on my timechart is giving me fits.

The main panel populates from a scheduled report. Here is my dashboard XML:

  <row>
    <panel>
      <title>Tickets By Category - Past 6 Months</title>
      <chart>
        <search ref="Tickets By Category - Past 6 Months"></search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">bottom</option>
        <drilldown>
          <set token="selectCategory">$click.name2$</set>
          <set token="selectTime">$click.value$</set>
          <set token="showDD">1</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table depends="$showDD$">
        <title>$selectCategory$ - $form._earliest$ - $form._latest$</title>
        <search>
          <query>index=test Tickets=* CategoryName="$selectCategory$" | dedup Tickets | stats count by CategoryName
| rename contact as Requester | head 10 
|  sort  - count
| fields - CategoryName</query>
          <earliest>$form._earliest$</earliest>
          <latest>$form._latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <unset token="showDD"></unset>
        </drilldown>
      </table>
    </panel>
  </row>

For reference, my main panel report query is:

index=test Tickets=* 
| dedup Tickets
| timechart span=1mon count by Category useother=f usenull=f
0 Karma

renjith_nair
Legend

@johnward4,

When you click on a chart with a time series, by default it provides $earliest$ and $latest$ time values, which could be used for further filtering. If you need the "Month" value, you could extract that using eval in the drilldown.

e.g.

         <drilldown>
           <set token="selectCategory">$click.name2$</set>
           <eval token="selectTime">strftime($earliest$,"%m")</eval>
           <set token="showDD">1</set>
         </drilldown>

Reference: http://docs.splunk.com/Documentation/Splunk/7.2.0/Viz/PanelreferenceforSimplifiedXML#chart_2

Also, if you are not using $selectCategory$ anywhere else in the dashboard, you could use that in the depends as well. You don't need a separate token showDD; it doesn't do any harm, though.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
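
The two-token drilldown discussed in this thread, written out as one dashboard fragment (an added example, not code from either poster): the chart click captures the clicked series together with the clicked bucket's `$earliest$`/`$latest$`, and the detail table runs over exactly that month. The token names `selectEarliest`, `selectLatest` and `selectMonth` and the `%B %Y` label format are assumptions; the `|s` token filter is added so the clicked value is quoted and escaped when it is substituted into the search string.

```xml
<row>
  <panel>
    <title>Tickets By Category - Past 6 Months</title>
    <chart>
      <search ref="Tickets By Category - Past 6 Months"></search>
      <option name="charting.chart">column</option>
      <option name="charting.drilldown">all</option>
      <drilldown>
        <!-- Series (split-by value) of the clicked column -->
        <set token="selectCategory">$click.name2$</set>
        <!-- Time bounds of the clicked 1-month bucket, in epoch seconds -->
        <set token="selectEarliest">$earliest$</set>
        <set token="selectLatest">$latest$</set>
        <!-- Human-readable month for the detail panel title -->
        <eval token="selectMonth">strftime($earliest$, "%B %Y")</eval>
      </drilldown>
    </chart>
  </panel>
</row>
<row>
  <panel>
    <!-- Hidden until a column has been clicked -->
    <table depends="$selectCategory$">
      <title>$selectCategory$ - $selectMonth$</title>
      <search>
        <!-- |s wraps the token value in quotes and escapes embedded quotes -->
        <query>index=test Tickets=* CategoryName=$selectCategory|s$
| dedup Tickets
| stats count</query>
        <earliest>$selectEarliest$</earliest>
        <latest>$selectLatest$</latest>
      </search>
      <option name="refresh.display">progressbar</option>
      <drilldown>
        <!-- Clicking the table hides it again -->
        <unset token="selectCategory"></unset>
      </drilldown>
    </table>
  </panel>
</row>
```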