Multiple drilldown from a chart to a table to a table

RVDowning
Contributor

I have a bar chart and the user clicks on a bar and it then displays a table corresponding to the bar that was clicked. I would now like the user to be able to click on one of the table rows to then allow the user to see the raw transaction that comprised that table row. What I currently have is the following:

<dashboard>
  <row>
    <panel>
      <chart>
        <title>Unhandled Exceptions</title>
        <searchString>source="*PerfMetrics*" earliest=@month
          | transaction host startswith="START]" endswith=eval(match(_raw,"END]") OR match(_raw,"unhandled"))
          | where NOT match(_raw, "END]") | chart count by host</searchString>
        <earliestTime>0</earliestTime>
        <latestTime/>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    .
    .
    .
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <drilldown>
          <set token="type_tok">$click.value$</set>
        </drilldown>
      </chart>
        It is not displaying the line "table depends="$type_tok$"" that should be here.
      <table depends="$type_tok$">
        <title>Table for "$type_tok$"</title>
        <searchString>source="*PerfMetrics*" earliest=@month host="$type_tok$"
          | transaction host startswith="START]" endswith=eval(match(_raw,"END]") OR match(_raw,"unhandled"))
          | where NOT match(_raw, "END]")
          | table _time, User, host, Action, PlanName, Dept, AffProcessSize
        </searchString>
        <option name="drilldown">row</option>
      </table>
    </panel>
  </row>
</dashboard>

I don't see how to set up the plumbing for an additional table and search to just display the raw data corresponding to that clicked upon row. (I also don't see how to format the code so that it is readable here.)

0 Karma

somesoni2
Revered Legend

See this runanywhere sample.

1) For the drilldown tokens for <table>, try to add a token which can uniquely identify the event (in case there can be multiple events with the same timestamp).

2) For formatting of code, select the code and click on the button "101|010" at the top of the textbox, OR press Ctrl+K.

<dashboard>
  <row>
    <panel>
      <chart>
        <title>Unhandled Exceptions</title>
        <searchString>index=_internal earliest=-1h@h | chart count by sourcetype</searchString>
        <earliestTime>0</earliestTime>
        <latestTime/>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart">bar</option>
        <drilldown>
          <set token="type_tok">$click.value$</set>
        </drilldown>
      </chart>
      <table depends="$type_tok$">
        <title>Table for "$type_tok$"</title>
        <searchString>index=_internal earliest=-1h@h sourcetype="$type_tok$"
          | table _time, sourcetype, host | eval time=_time
        </searchString>
        <fields>_time, sourcetype, host</fields>
        <option name="drilldown">row</option>
        <drilldown>
          <set token="time_tok">$row.time$</set>
          <set token="sourcetype_tok">$row.sourcetype$</set>
          <set token="host_tok">$row.host$</set>
          <set token="earliest_tok">$earliest$</set>
          <set token="latest_tok">$latest$</set>
        </drilldown>
      </table>
      <event depends="$time_tok$,$sourcetype_tok$,$host_tok$,$earliest_tok$,$latest_tok$">
        <title>Event for _time=$time_tok$,sourcetype=$sourcetype_tok$,host=$host_tok$</title>
        <searchString>index=_internal earliest=-1h@h sourcetype="$type_tok$" host=$host_tok$ _time=$time_tok$
        </searchString>
      </event>
    </panel>
  </row>
</dashboard>

RVDowning
Contributor

That did the trick. Thanks much for your help!

0 Karma

somesoni2
Revered Legend

If you see the code for '<table>', I am creating a cloned column for _time (which gets displayed in human-readable form) as 'time' (which will be epoch time). And then I am hiding the column 'time' by not listing it under the '<fields>..</fields>' tag. Tokens can be created for hidden fields, so the token I created for time is from the epoch column 'time', so that it can be used for comparison in the third panel.

0 Karma

RVDowning
Contributor

It kinda works, but I still have one problem. The date displays in the row as 1407423288 instead of 2014-08-07 10:54:48, and that first format seems to be needed for date comparison purposes. I don't really want a "garbage" column to appear. Is there a way to hide that column but still pass that date through?

I am also unable to do comparisons on the 2014-08-07 10:54:48. If I try I get the error: The operator at 'T10:51:53.000-04:00' is invalid.

0 Karma
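As an added example (not code posted by somesoni2 or by the original poster), the second and third panels below show the pattern the thread converges on: keep the human-readable _time column visible, carry the timestamp to the next panel only as hidden epoch values, and let the third panel use those values as an earliest/latest window instead of comparing against the ISO-8601 string that produced the "operator at 'T10:51:53.000-04:00' is invalid" error. It assumes the chart panel from the accepted answer is unchanged and sets $type_tok$; index=_internal follows the answer's run-anywhere sample; the token names time_start_tok, time_end_tok and host_tok, and the one-second window, are my choices.

```xml
<dashboard>
  <row>
    <panel>
      <!-- Second level: one row per event. The human-readable _time stays visible;
           two epoch columns (time_start, time_end) are computed for the drilldown only. -->
      <table depends="$type_tok$">
        <title>Table for "$type_tok$"</title>
        <searchString>index=_internal earliest=-1h@h sourcetype="$type_tok$"
          | eval time_start=floor(_time), time_end=time_start+1
          | table _time, sourcetype, host, time_start, time_end
        </searchString>
        <!-- Only the listed columns render; time_start and time_end stay hidden
             but are still addressable as $row.time_start$ / $row.time_end$ -->
        <fields>_time, sourcetype, host</fields>
        <option name="drilldown">row</option>
        <drilldown>
          <set token="time_start_tok">$row.time_start$</set>
          <set token="time_end_tok">$row.time_end$</set>
          <set token="host_tok">$row.host$</set>
        </drilldown>
      </table>
      <!-- Third level: the raw event. earliest/latest accept the epoch integers directly,
           so no string comparison against a formatted timestamp is ever attempted. -->
      <event depends="$time_start_tok$,$time_end_tok$,$host_tok$">
        <title>Raw event at epoch $time_start_tok$ on host $host_tok$</title>
        <searchString>index=_internal earliest=$time_start_tok$ latest=$time_end_tok$ sourcetype="$type_tok$" host="$host_tok$"
        </searchString>
      </event>
    </panel>
  </row>
</dashboard>
```

The window is exactly one second wide (latest is exclusive), so every event that shares that second on that host and sourcetype is shown; that is the case somesoni2's point 1 is about, and a field that uniquely identifies the event would be needed in the drilldown to narrow it further.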

rahulroy_splunk
Path Finder

It means it runs on any Splunk instance 🙂
You can use this dashboard code without any prior data setup.

RVDowning
Contributor

I don't see the runanywhere sample. There is no link.

0 Karma