How to use drilldown and selection in the same chart at the same time?

Communicator

Hi,

I'm trying to use both drilldown and selection in a timechart to limit the events shown in an events view (note that this is only a simple demo which should work on most systems to reproduce the problem):

<dashboard>
  <label>☢ TEST ☢</label>
  <row>
    <panel>
      <title>Timechart</title>
      <chart>
        <search>
          <query>index="_internal" sourcetype="splunkd" | timechart count by log_level</query>
          <earliest>-1h@h</earliest>
          <latest>@h</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">collapsed</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.fieldColors">{ "FATAL": 0x956E96, "ERROR": 0xD85D3C, "WARN": 0xF7902B, "WARNING": 0xF7902B, "INFO": 0x5379AF, "DEBUG": 0xD0D0D0 }</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <drilldown>
          <set token="selected.levels">$click.name2$</set>
          <set token="selected.timeRange.earliest">$earliest$</set>
          <set token="selected.timeRange.latest">$latest$</set>
        </drilldown>
        <selection>
          <set token="selected.levels">*</set>
          <set token="selected.timeRange.earliest">$start$</set>
          <set token="selected.timeRange.latest">$end$</set>
        </selection>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Selected Events: $selected.levels$s from $selected.timeRange.earliest$ to $selected.timeRange.latest$</title>
      <event>
        <search>
          <query>index="_internal" sourcetype="splunkd" log_level=$selected.levels|s$</query>
          <earliest>$selected.timeRange.earliest$</earliest>
          <latest>$selected.timeRange.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">table</option>
        <fields>host, level</fields>
      </event>
    </panel>
  </row>
</dashboard>

What I want:

  1. Select a time range (drag mouse across Timechart): Show all events in the selected time range (log_level does not matter).
  2. Select a part of a column in Timechart: Show all events in the selected time range with the selected log_level.
  3. Select a specific log_level by clicking on a label in the legend: Show all events with the selected log_level in the time range of the Timechart.

What I have:

Using drilldown and selection
1. Works.
2. Does not work; Events with any log_level in the time range of the Timechart are shown.
3. Does not work; Events with any log_level in the time range of the Timechart are shown.

The label of Selected Events briefly shows the correct values but then switches to the wrong ones.

Using drilldown only
1. Does not work; Chart zooms in.
2. Works.
3. Works.

Using selection only
1. Works.
2. Does not work; Default drilldown is performed.
3. Does not work; Default drilldown is performed.

I'm using Splunk Enterprise 6.3.1

Kind regards,
Dominik

0 Karma

Re: How to use drilldown and selection in the same chart at the same time?

Motivator

hi krdo,

try this code:

<form>
  <label>☢ TEST ☢</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Timechart</title>
      <chart>
        <search>
          <query>index="_internal" sourcetype="splunkd" | timechart count by log_level</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">collapsed</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.fieldColors">{ "FATAL": 0x956E96, "ERROR": 0xD85D3C, "WARN": 0xF7902B, "WARNING": 0xF7902B, "INFO": 0x5379AF, "DEBUG": 0xD0D0D0 }</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <drilldown>
          <set token="selected.levels">$click.name2$</set>
          <set token="selected.timeRange.earliest">$earliest$</set>
          <set token="selected.timeRange.latest">$latest$</set>
        </drilldown>
        <selection>
          <set token="selected.levels">*</set>
          <set token="selected.timeRange.earliest">$start$</set>
          <set token="selected.timeRange.latest">$end$</set>
        </selection>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Selected Events: $selected.levels$s from $selected.timeRange.earliest$ to $selected.timeRange.latest$</title>
      <event>
        <search>
          <query>index="_internal" sourcetype="splunkd" log_level=$selected.levels|s$</query>
          <earliest>$selected.timeRange.earliest$</earliest>
          <latest>$selected.timeRange.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">table</option>
        <fields>host, log_level, _raw</fields>
      </event>
    </panel>
  </row>
</form>

let me know if it works.

0 Karma

Re: How to use drilldown and selection in the same chart at the same time?

Communicator

Hi gyslainlatsa,
I tried your code - with the same result, use cases 2 & 3 don't work. Were you able to reproduce the problem?

0 Karma

Re: How to use drilldown and selection in the same chart at the same time?

Motivator

Please specify more clearly what is not working.

0 Karma

Re: How to use drilldown and selection in the same chart at the same time?

Communicator

Select a part of a column in Timechart: Events with any log_level in the time range of the Timechart are shown (but I want to show only events with the selected log_level during the time of the column).
Select a specific log_level by clicking on a label in the legend: Events with any log_level in the time range of the Timechart are shown (but I want to show only events with the selected log_level).

0 Karma

Re: How to use drilldown and selection in the same chart at the same time?

Motivator

This specification:

"Select a specific log_level by clicking on a label in the legend: Events with any log_level in the time range of the Timechart are shown (but I want to show only events with the selected log_level)"

is working for me.

0 Karma

Re: How to use drilldown and selection in the same chart at the same time?

Communicator

New finding: Everything starts to work once you do the following:
1. Select a time range (drag mouse across Timechart) which contains one or more columns.
2. Click on one of the column (parts) within the selection.

Now everything works just as I expect it to. Once you reload the page, the behavior is buggy again. Seems like a Splunk bug to me.

0 Karma

Re: How to use drilldown and selection in the same chart at the same time?

Motivator

Once you reload the page, what is the error you observe?

0 Karma

Re: How to use drilldown and selection in the same chart at the same time?

Communicator

The same error I described in the question and in the comment.

0 Karma

Re: How to use drilldown and selection in the same chart at the same time?

Engager

Hello krdo,

I have much the same issue as you with v6.4.1.
Separately, drilldown and selection work well. When both are configured to set the same tokens "selected.timeRange.earliest" and "selected.timeRange.latest", the selection works but not the drilldown. When clicking, my table is updated but with the whole time range. When selecting, the time range is correctly set.

What I suspect is that when you click on the chart (aka drilldown event), a selection event is also triggered. Because you didn't select/zoom, the selection event sets selected.timeRange.earliest and selected.timeRange.latest to the full time range, superseding what the drilldown event would set.

I have an ugly workaround which seems to confirm this misbehavior: if I double-click on the chart, most of the time the drilldown works and the table is correctly updated with the right time range. But this is not user-friendly at all; I must often insist.

For the moment, I disable drilldown and select instead a really short time range around my chart point which gives the same results.


0 Karma
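
The event ordering suspected in the last answer, as a small JavaScript model added here (not code from the thread and not Splunk's implementation). It replays the question's `<drilldown>` and `<selection>` token writes in that order and shows the drilldown values being overwritten; the token store, the guard function and all timestamps are constructed assumptions.

```javascript
// Model of the behaviour suspected in the thread: a click on the chart fires the
// <drilldown> handler and then a <selection> handler carrying the full chart range.
// Everything here is a constructed simulation, not Splunk code.

const CHART_RANGE = { earliest: 1000, latest: 4600 }; // constructed epoch seconds

function makeTokens() {
  const values = {};
  const history = []; // every write, so the brief flash of correct values is visible
  return {
    values,
    history,
    set(name, value) { values[name] = value; history.push(`${name}=${value}`); },
  };
}

// Mirrors the <drilldown> block from the question.
function onDrilldown(tokens, click) {
  tokens.set('selected.levels', click.name2);
  tokens.set('selected.timeRange.earliest', click.earliest);
  tokens.set('selected.timeRange.latest', click.latest);
}

// Mirrors the <selection> block from the question.
function onSelection(tokens, sel) {
  tokens.set('selected.levels', '*');
  tokens.set('selected.timeRange.earliest', sel.start);
  tokens.set('selected.timeRange.latest', sel.end);
}

// Hypothetical guard: skip a selection that spans the whole chart, since no drag produced it.
function onSelectionGuarded(tokens, sel) {
  if (sel.start === CHART_RANGE.earliest && sel.end === CHART_RANGE.latest) return;
  onSelection(tokens, sel);
}

// A click on the ERROR part of one column, followed by the suspected implicit selection event.
function simulateClick(selectionHandler) {
  const tokens = makeTokens();
  onDrilldown(tokens, { name2: 'ERROR', earliest: 2200, latest: 2800 });
  selectionHandler(tokens, { start: CHART_RANGE.earliest, end: CHART_RANGE.latest });
  return tokens;
}

// A real drag across part of the chart; the guard must still let it through.
function simulateDrag(selectionHandler) {
  const tokens = makeTokens();
  selectionHandler(tokens, { start: 1600, end: 3400 });
  return tokens;
}
```

In this model the write history after a click starts with `selected.levels=ERROR` and ends on `*`, which matches the panel title briefly showing the correct values. The guard also drops a deliberate drag across the entire chart, so it trades away that one case.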