Splunk Search

How to prevent data model search string from being shown after clicking on pivot based pie chart?

MatMeredith
Path Finder

I have a dashboard that contains a number of pivot based charts. E.g.

| pivot analytics my_events count(my_events) AS "Count of events" SPLITROW my_dimension FILTER filter_att is "$filter_val$" SORT 100 my_dimension ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1

When I click on e.g. pie charts driven by such queries I get taken to the search view and the right events are shown. However, the search string shown is horrendously complex as it expands the full data model and evaluates every attribute. Is there some way I can avoid this?

Thanks!


schatzb
Explorer

This probably isn't the most elegant solution so others feel free to chime in.

I would nest an outputlookup into each panel's inline search, and then point your drilldown to a search that uses inputlookup.

Edit your inline searches to include "outputlookup test5.csv":

| search name=$slicer1$ | table field1,field2 | outputlookup test5.csv

Add this to each panel, with a different CSV for each, so you can have multiple drilldown views.

Then edit the XML for each panel to include a direct link to the search:

        <drilldown>
            <link target="_blank">
                 /app/search/search?q=%7Cinputlookup%20test5.csv
            </link>
        </drilldown>

Here is the full XML for a test dashboard I made:

<dashboard>
  <label>test5</label>
  <row>
    <panel>
      <table>
        <title>test</title>
        <searchString>| search name=$slicer1$ | table field1,field2 | outputlookup test5.csv</searchString>
        <earliestTime>-7d@h</earliestTime>
        <latestTime>now</latestTime>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">all</option>
            <drilldown>
                <link target="_blank">
                     /app/search/search?q=%7Cinputlookup%20test5.csv
                </link>
            </drilldown>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>

It's a little roundabout, but it works pretty well for my applications.
I like enabling the drilldowns but don't want folks mucking around with my searches or in other data.

References:

http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/outputlookup
http://docs.splunk.com/Documentation/Splunk/6.1.3/Viz/Understandbasictableandchartdrilldownactions

0 Karma

schatzb
Explorer

It just dawned on me that this could be pretty problematic if you have multiple users on the same dashboard at the same time.

As long as disk space isn't an issue for you, you could parameterize the CSV names to ensure that there are no overlaps.

| search name=$slicer1$ | table field1,field2 | outputlookup test-$user$-$host$-$variable1$-$slicer1$.csv | search field1>0

As long as your parameters don't have illegal characters, that should help.

0 Karma

schatzb
Explorer

You can even move the outputlookup further up the search so as to include some search filters on the drilldown if you wish. This will provide some editable options for your users.

| search name=$slicer1$ | table field1,field2 | outputlookup test5.csv | search field1>0

/app/search/search?q=%7Cinputlookup%20test5.csv%20%7C%20search%20field1>0

0 Karma
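As an added example (not from the thread and not Splunk's own tooling), a small Python helper that builds the pieces schatzb's workaround relies on: the parameterized per-user lookup name from the second post, with a whitelist check on the token values so an odd character cannot turn into a path or SPL fragment in the `outputlookup` name, plus the `inputlookup` drilldown SPL, its percent-encoded link and the Simple XML `<drilldown>` snippet from the third post. Function names and the character whitelist are my assumptions.

```python
import re
from urllib.parse import quote
from xml.sax.saxutils import escape

# Constructed example: only plain identifier characters are allowed in a
# dashboard token that becomes part of the outputlookup file name.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.-]+$")


def lookup_filename(*parts, prefix="test"):
    """Join token values into a per-user lookup name, e.g. test-alice-host1.csv.

    Rejects anything outside [A-Za-z0-9_.-] and any '..' so a token cannot
    smuggle path separators, spaces or pipe characters into the file name.
    """
    for value in parts:
        if not SAFE_TOKEN.match(value) or ".." in value:
            raise ValueError(f"illegal characters in token value: {value!r}")
    return "-".join((prefix, *parts)) + ".csv"


def drilldown_search(filename, extra_filter=None):
    """SPL the drilldown should run: read the lookup, optionally filter it."""
    spl = f"|inputlookup {filename}"
    if extra_filter:
        spl += f" | search {extra_filter}"
    return spl


def drilldown_url(spl, app="search"):
    """Percent-encode the SPL into the q= parameter of the search view link.

    safe='' encodes every reserved character, so '|' becomes %7C, ' ' becomes
    %20 and '>' becomes %3E; '.', '-' and '_' are never encoded.
    """
    return f"/app/{app}/search?q={quote(spl, safe='')}"


def drilldown_xml(url, target="_blank"):
    """Simple XML <drilldown> element that sends the panel to a fixed search.

    The URL is XML-escaped so a literal '&' in a query string stays well-formed.
    """
    return (
        "<drilldown>\n"
        f'  <link target="{target}">{escape(url)}</link>\n'
        "</drilldown>"
    )
```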

MatMeredith
Path Finder

Yes, that's exactly it. The search is displaying the right information, but at the moment the search string is about 30 rows long, whereas it only needs to be about 2 lines long. As a result it's too complex for users to easily see what the search is actually showing.

0 Karma

schatzb
Explorer

To clarify: Are you looking to still show the relevant events but just to clean up how the search string is displayed?
