Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Link to search in new tab

manish_singh_77
Builder
‎06-01-2020 03:08 AM

Hi Team,

Link to search on a new tab for raw events when we click on a particular value in the line chart?

Is it possible?

Tags (1)
0 Karma
Reply

493669
Super Champion
‎06-02-2020 05:51 AM

to apply your requirement without editing xml-

Go to edit>>clicked on three dots for particular panel where you want to apply drilldown then use like below-
alt text

Preview file
50 KB
0 Karma
Reply

493669
Super Champion
‎06-01-2020 03:17 AM

Use below drilldown-

<option name="charting.drilldown">all</option>
 <drilldown>
      <link target="_blank">/app/myapp/mwdashboard</link>
 </drilldown>
0 Karma
Reply

manish_singh_77
Builder
‎06-01-2020 06:28 AM

@493669

This is not what I am looking for, I have a line chart and when I would click on the line chart value then it should open up new tab which should show me the raw events.

It works fine, when I select auto option in drilldown for "link to search", however I want the same thing in new tab.

0 Karma
Reply

493669
Super Champion
‎06-01-2020 06:34 AM

try below- here replace query with your query-

<option name="charting.drilldown">all</option>
        <drilldown>
          <link target="_blank">search?q=index=_internal%20%7C%20stats%20count%20by%20sourcetype&amp;earliest=-15m&amp;latest=now</link>
        </drilldown>

Below is sample dashboard on sampe data-

<dashboard>
  <label>826404_line chart</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal | stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <!--drilldown>
      <link target="_blank">/app/search/592973_multiselect_remove_all</link>
 </drilldown-->
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <link target="_blank">search?q=index=_internal%20%7C%20stats%20count%20by%20sourcetype&amp;earliest=-15m&amp;latest=now</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>
0 Karma
Reply

manish_singh_77
Builder
‎06-01-2020 09:06 AM

@493669

I am not looking for this, my query is different, if I click on a line chart value it should display only that events.

Regards,
Manish Singh

0 Karma
Reply

493669
Super Champion
‎06-01-2020 09:51 AM

at the end of query use event handler like $click.value$ which will help to display clicked event.
refer splunk docs-https://docs.splunk.com/Documentation/Splunk/8.0.4/Viz/EventHandlerReference#chart_(event_tokens)

0 Karma
Reply

manish_singh_77
Builder
‎06-02-2020 05:33 AM

@493669

I tried click.value2 and click.name2 but the value is not getting passed when it is opening in the new tab. I have a line chart which has hosts and its error count. So when I click on line chart it should give me the raw events of that host only.

for example

index= abc sourcetype= access:logs|timechart count as error_count by host

Drilldown search: index= abc sourcetype= access:logs host=$click.value2$

0 Karma
Reply

493669
Super Champion
‎06-02-2020 05:46 AM

you will require to search host=$click.name2$
I have created sample dashboard and here on click it will open clicked sourcetype
Use below for reference-

<dashboard>
  <label>826404_line chart</label>
  <row>
    <panel>
      <chart>
        <title>$abc$</title>
        <search>
          <query>index=_internal | timechart count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>

        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_blank">search?q=index=_internal%20%7C%20timechart%20count%20by%20sourcetype%7Csearch%20sourcetype=%22$click.name2$%22&amp;earliest=-15m&amp;latest=now</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>
0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...