Splunk Search

How to use drilldown and selection in the same chart at the same time?

krdo
Communicator

Hi,

I'm trying to use both drilldown and selection in a timechart to limit the events shown in an events view (note that this is only a simple demo which should work on most systems to reproduce the problem):

<dashboard>
  <label>☢ TEST ☢</label>
  <row>
    <panel>
      <title>Timechart</title>
      <chart>
        <search>
          <query>index="_internal" sourcetype="splunkd" | timechart count by log_level</query>
          <earliest>-1h@h</earliest>
          <latest>@h</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">collapsed</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.fieldColors">{ "FATAL": 0x956E96, "ERROR": 0xD85D3C, "WARN": 0xF7902B, "WARNING": 0xF7902B, "INFO": 0x5379AF, "DEBUG": 0xD0D0D0 }</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <drilldown>
          <set token="selected.levels">$click.name2$</set>
          <set token="selected.timeRange.earliest">$earliest$</set>
          <set token="selected.timeRange.latest">$latest$</set>
        </drilldown>
        <selection>
          <set token="selected.levels">*</set>
          <set token="selected.timeRange.earliest">$start$</set>
          <set token="selected.timeRange.latest">$end$</set>
        </selection>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Selected Events: $selected.levels$s from $selected.timeRange.earliest$ to $selected.timeRange.latest$</title>
      <event>
        <search>
          <query>index="_internal" sourcetype="splunkd" log_level=$selected.levels|s$</query>
          <earliest>$selected.timeRange.earliest$</earliest>
          <latest>$selected.timeRange.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">table</option>
        <fields>host, level</fields>
      </event>
    </panel>
  </row>
</dashboard>

What I want:

  1. Select a time range (drag mouse across Timechart): Show all events in the selected time range (log_level does not matter).
  2. Select a part of a column in Timechart: Show all events in the selected time range with the selected log_level.
  3. Select a specific log_level by clicking on a label in the legend: Show all events with the selected log_level in the time range of the Timechart.

What I have:

Using drilldown and selection
1. Works.
2. Does not work; Events with any log_level in the time range of the Timechart are shown.
3. Does not work; Events with any log_level in the time range of the Timechart are shown.

The label of Selected Events briefly shows the correct values but then switches to the wrong ones.

Using drilldown only
1. Does not work; Chart zooms in.
2. Works.
3. Works.

Using selection only
1. Works.
2. Does not work; Default drilldown is performed.
3. Does not work; Default drilldown is performed.

I'm using Splunk Enterprise 6.3.1

Kind regards,
Dominik

0 Karma
1 Solution

gmahe
Engager

Hello krdo,

I have quite the same issue as you with v6.4.1.
Separately, drilldown and selection work well. When both are configured to set the same tokens "selected.timeRange.earliest" and "selected.timeRange.latest", the selection works but not the drilldown. When clicking, my table is updated but with the whole time range. When selecting, the time range is correctly set.

What I suspect is that when you click on the chart (aka drilldown event), a selection event is also triggered. Because you didn't select/zoom, the selection event sets selected.timeRange.earliest and selected.timeRange.latest to the full time range, superseding what the drilldown event would set.

I have an ugly workaround which seems to confirm this misbehavior: if I double-click on the chart, most of the time the drilldown works and the table is correctly updated with the right time range. But this is not user friendly at all, I must often insist.

For the moment, I disable drilldown and select instead a really short time range around my chart point which gives the same results.

0 Karma
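
The hypothesis in the answer above, modelled as an added example (not code from the thread and not Splunk's implementation): both handlers write the same tokens, so whichever runs last decides what the events panel searches for. The token store, the constructed time values and the `guard` option (ignore a selection that spans the whole chart) are assumptions made for illustration.

```javascript
// Constructed model of the dashboard's token store: every <set> writes a token,
// and the last handler to run decides what the events panel searches for.
const FULL_RANGE = { start: 1000, end: 4600 }; // constructed chart range (epoch seconds)

function makeTokens() {
  return {
    "selected.levels": null,
    "selected.timeRange.earliest": null,
    "selected.timeRange.latest": null,
  };
}

// Mirrors the <drilldown> block: clicked series plus the clicked column's time span.
function onDrilldown(tokens, click) {
  tokens["selected.levels"] = click.name2;
  tokens["selected.timeRange.earliest"] = click.earliest;
  tokens["selected.timeRange.latest"] = click.latest;
}

// Mirrors the <selection> block: resets the level to * and uses the selected span.
// With guard=true (hypothetical mitigation) a selection covering the whole chart is
// treated as "nothing selected" and leaves the tokens untouched.
function onSelection(tokens, sel, guard = false) {
  if (guard && sel.start === FULL_RANGE.start && sel.end === FULL_RANGE.end) return false;
  tokens["selected.levels"] = "*";
  tokens["selected.timeRange.earliest"] = sel.start;
  tokens["selected.timeRange.latest"] = sel.end;
  return true;
}

// One click as hypothesised in the thread: the drilldown fires, then a selection
// event carrying the full chart range fires as well.
function simulateClick(guard) {
  const tokens = makeTokens();
  onDrilldown(tokens, { name2: "ERROR", earliest: 2200, latest: 2260 });
  onSelection(tokens, { ...FULL_RANGE }, guard);
  return tokens;
}

// A real drag across part of the chart must still update the tokens with the guard on.
function simulateDrag(guard) {
  const tokens = makeTokens();
  onSelection(tokens, { start: 1600, end: 2800 }, guard);
  return tokens;
}
```

Without the guard, the click ends with `selected.levels` set to `*` and the full chart range, which matches the symptom reported in the question for use cases 2 and 3.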

krdo
Communicator

Hi gmahe,

We opened a support ticket for this and encountered something strange while doing a remote session: The dashboard actually works when used via a Remote Desktop Connection. I opened an RDP connection to my workstation, refreshed the dashboard which had already been loaded by the browser and everything worked as expected. I disconnected and tried using the dashboard directly on the workstation and the faulty behavior could be observed again.

Now that we've upgraded to 6.4.3 we can't observe the faulty behavior anymore.

0 Karma

gyslainlatsa
Motivator

hi krdo,

try this code:

<form>
  <label>☢ TEST ☢</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Timechart</title>
      <chart>
        <search>
          <query>index="_internal" sourcetype="splunkd" | timechart count by log_level</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">collapsed</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.fieldColors">{ "FATAL": 0x956E96, "ERROR": 0xD85D3C, "WARN": 0xF7902B, "WARNING": 0xF7902B, "INFO": 0x5379AF, "DEBUG": 0xD0D0D0 }</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <drilldown>
          <set token="selected.levels">$click.name2$</set>
          <set token="selected.timeRange.earliest">$earliest$</set>
          <set token="selected.timeRange.latest">$latest$</set>
        </drilldown>
        <selection>
          <set token="selected.levels">*</set>
          <set token="selected.timeRange.earliest">$start$</set>
          <set token="selected.timeRange.latest">$end$</set>
        </selection>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Selected Events: $selected.levels$s from $selected.timeRange.earliest$ to $selected.timeRange.latest$</title>
      <event>
        <search>
          <query>index="_internal" sourcetype="splunkd" log_level=$selected.levels|s$</query>
          <earliest>$selected.timeRange.earliest$</earliest>
          <latest>$selected.timeRange.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">table</option>
        <fields>host, log_level, _raw</fields>
      </event>
    </panel>
  </row>
</form>

let me know if it works.

0 Karma

krdo
Communicator

Hi gyslainlatsa,
I tried your code - with the same result, use cases 2 & 3 don't work. Were you able to reproduce the problem?

0 Karma

gyslainlatsa
Motivator

Please specify more precisely what is not working.

0 Karma

krdo
Communicator

Select a part of a column in Timechart: Events with any log_level in the time range of the Timechart are shown (but I want to show only events with the selected log_level during the time of the column).
Select a specific log_level by clicking on a label in the legend: Events with any log_level in the time range of the Timechart are shown (but I want to show only events with the selected log_level).

0 Karma

gyslainlatsa
Motivator

this specification:

"Select a specific log_level by clicking on a label in the legend: Events with any log_level in the time range of the Timechart are shown (but I want to show only events with the selected log_level)"

is working for me.

0 Karma

krdo
Communicator

New finding: Everything starts to work once you do the following:
1. Select a time range (drag mouse across Timechart) which contains one or more columns.
2. Click on one of the column (parts) within the selection.

Now everything works just as I expect it to. Once you reload the page the behavior is buggy again. Seems like a Splunk bug to me.

0 Karma

gyslainlatsa
Motivator

once you reload the page, what is the error you observe?

0 Karma

krdo
Communicator

The same error I described in the question and in the comment.

0 Karma