I have a dashboard that contains a number of pivot based charts. E.g.
| pivot analytics my_events count(my_events) AS "Count of events" SPLITROW my_dimension FILTER filter_att is "$filter_val$" SORT 100 my_dimension ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1
When I click on e.g. pie charts driven by such queries I get taken to the search view and the right events are shown. However, the search string shown is horrendously complex as it expands the full data model and evaluates every attribute. Is there some way I can avoid this?
Thanks!
This probably isn't the most elegant solution so others feel free to chime in.
I would nest an outputlookup into each panel's inline search, and then point your drilldown to a search that uses inputlookup.
Edit your inline searches to include "outputlookup test5.csv":
| search name=$slicer1$ | table field1,field2 | outputlookup test5.csv
Add this to each panel, with a different CSV for each, so you can have multiple drilldown views.
Then edit the XML for each panel to include a direct link to the search:
<drilldown>
  <link target="_blank">
    /app/search/search?q=%7Cinputlookup%20test5.csv
  </link>
</drilldown>
Here is the full XML for a test dashboard I made:
<dashboard>
  <label>test5</label>
  <row>
    <panel>
      <table>
        <title>test</title>
        <searchString>| search name=$slicer1$ | table field1,field2 | outputlookup test5.csv</searchString>
        <earliestTime>-7d@h</earliestTime>
        <latestTime>now</latestTime>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">all</option>
        <drilldown>
          <link target="_blank">
            /app/search/search?q=%7Cinputlookup%20test5.csv
          </link>
        </drilldown>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>
It's a little roundabout, but it works pretty well for my applications.
I like enabling the drilldowns but don't want folks mucking around with my searches or in other data.
References:
http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/outputlookup
http://docs.splunk.com/Documentation/Splunk/6.1.3/Viz/Understandbasictableandchartdrilldownactions
It just dawned on me that this could be pretty problematic if you have multiple users on the same dashboard at the same time.
As long as disk space isn't an issue for you, you could parameterize the CSV names to ensure that there are no overlaps.
| search name=$slicer1$ | table field1,field2 | outputlookup test-$user$-$host$-$variable1$-$slicer1$.csv | search field1>0
As long as your parameters don't have illegal characters, that should help.
You can even move the outputlookup further up the search so as to include some search filters on the drilldown if you wish. This will provide some editable options for your users.
| search name=$slicer1$ | table field1,field2 | outputlookup test5.csv | search field1>0
/app/search/search?q=%7Cinputlookup%20test5.csv%20%7C%20search%20field1>0
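The two pieces the answer above leaves to the reader are (a) making sure the token values that get spliced into the per-user lookup filename really contain no illegal characters, and (b) URL-encoding the `| inputlookup ...` search that goes into the `<link>`. The following Python helper is an added example, not code from the original thread or from Splunk; the allow-list regex, the function names and the sample token values are assumptions of this example. It generates the same `%7Cinputlookup%20test5.csv` form the answer uses, and it also encodes `>` (as `%3E`), which the hand-written link above leaves bare.

```python
import re
from urllib.parse import quote
from xml.sax.saxutils import escape

# Conservative allow-list for anything that ends up in a lookup filename
# (assumption of this example: letters, digits, dot, underscore, hyphen only).
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._-]+$")


def lookup_filename(prefix, *token_values):
    """Build a per-user lookup name such as test-$user$-$host$-$slicer1$.csv.

    Every token value is checked against the allow-list first, so a value
    like '../other' or 'a b' is rejected instead of becoming part of a path.
    """
    for value in token_values:
        if not SAFE_TOKEN.match(value):
            raise ValueError(f"illegal characters in token value: {value!r}")
    return "-".join([prefix, *token_values]) + ".csv"


def drilldown_url(lookup_file, extra_search=None):
    """Return the search-app URL that replays only the saved lookup.

    extra_search, if given, is appended as a further '| search ...' clause
    so users still get editable filters without seeing the expanded pivot.
    """
    spl = f"|inputlookup {lookup_file}"
    if extra_search:
        spl += f" | search {extra_search}"
    # safe="" so that '|', ' ', '>' and '&' are all percent-encoded.
    return "/app/search/search?q=" + quote(spl, safe="")


def drilldown_xml(url):
    """Wrap the URL in the SimpleXML <drilldown> block used in the answer."""
    return (
        "<drilldown>\n"
        f'  <link target="_blank">{escape(url)}</link>\n'
        "</drilldown>"
    )


if __name__ == "__main__":
    # Constructed token values standing in for $user$, $host$, $slicer1$.
    name = lookup_filename("test", "alice", "host1", "web")
    print(drilldown_xml(drilldown_url(name, "field1>0")))
```

The filename check is the important part: the dashboard tokens come from user-controlled inputs, and `outputlookup` will happily write whatever name it is handed, so refusing anything outside the allow-list is cheaper than reasoning about what Splunk does with odd characters.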
Yes, that's exactly it. The search is displaying the right information, but at the moment the search string is about 30 rows long, whereas it only needs to be about 2 lines long. As a result, it's too complex for users to easily see what the search is actually showing.
To clarify: Are you looking to still show the relevant events but just to clean up how the search string is displayed?