Multiple drilldown from a chart to a table to a table

RVDowning
Contributor

I have a bar chart and the user clicks on a bar and it then displays a table corresponding to the bar that was clicked. I would now like the user to be able to click on one of the table rows to then allow the user to see the raw transaction that comprised that table row. What I currently have is the following:

<dashboard>
  <row>
    <panel>
      <chart>
        <title>Unhandled Exceptions</title>
        <searchString>source="*PerfMetrics*" earliest=@month 
          | transaction host startswith="START]" endswith=eval(match(_raw,"END]") OR match(_raw,"unhandled")) 
          | where NOT match(_raw, "END]") | chart count by host</searchString>
        <earliestTime>0</earliestTime>
        <latestTime/>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    .
    .
    .
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <drilldown>
          <set token="type_tok">$click.value$</set>
        </drilldown>
      </chart>
      <table depends="$type_tok$">
        <title>Table for "$type_tok$"</title>
        <searchString>source="*PerfMetrics*" earliest=@month host="$type_tok$"
          | transaction host startswith="START]" endswith=eval(match(_raw,"END]") OR match(_raw,"unhandled")) 
          | where NOT match(_raw, "END]") 
          | table _time, User, host, Action, PlanName, Dept, AffProcessSize          
        </searchString>
        <option name="drilldown">row</option>
      </table>
    </panel>
  </row>
</dashboard>

I don't see how to set up the plumbing for an additional table and search to just display the raw data corresponding to that clicked upon row. (I also don't see how to format the code so that it is readable here.)

0 Karma

somesoni2
Revered Legend

See this runanywhere sample.

1) For the drilldown tokens for <table>, try to add a token that can uniquely identify the event (in case there can be multiple events with the same timestamp).

2) For formatting of code, select the code and click on button "101|010" at the top of textbox OR press Ctrl+K.

<dashboard>
  <row>
    <panel>
      <chart>
        <title>Unhandled Exceptions</title>
        <searchString>index=_internal earliest=-1h@h | chart count by sourcetype</searchString>
        <earliestTime>0</earliestTime>
        <latestTime/>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart">bar</option>
        <drilldown>
          <set token="type_tok">$click.value$</set>
        </drilldown>
      </chart>
      <table depends="$type_tok$">
        <title>Table for "$type_tok$"</title>
        <searchString>index=_internal earliest=-1h@h sourcetype="$type_tok$"
          | table _time, sourcetype, host    | eval time=_time
        </searchString>
        <fields>_time, sourcetype, host</fields>
        <option name="drilldown">row</option>
        <drilldown>
          <set token="time_tok">$row.time$</set>
          <set token="sourcetype_tok">$row.sourcetype$</set>
          <set token="host_tok">$row.host$</set>
          <set token="earliest_tok">$earliest$</set>
          <set token="latest_tok">$latest$</set>
        </drilldown>
      </table>
      <event depends="$time_tok$,$sourcetype_tok$,$host_tok$,$earliest_tok$,$latest_tok$">
        <title>Event for _time=$time_tok$,sourcetype=$sourcetype_tok$,host=$host_tok$</title>
        <searchString>index=_internal earliest=-1h@h sourcetype="$type_tok$" host=$host_tok$ _time=$time_tok$
        </searchString>
      </event>
    </panel>
  </row>
</dashboard>
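One caveat a practitioner should add to the sample above: a drilldown token is substituted verbatim into the next panel's search string, so a clicked value that contains a space, a double quote or a pipe can break the downstream query or change what it searches (the sample's `host=$host_tok$` is unquoted). Simple XML's `|s` token filter wraps the value in double quotes and escapes embedded quotes and backslashes before substitution. The dashboard below is an added example, not part of somesoni2's answer or the original post: it keeps the same chart, table and event plumbing, applies `|s` to every token that is fed back into a search, and matches the clicked row with `| where _time=$time_tok$` on the hidden epoch column instead of the answer's `_time=$time_tok$` search term (that `where` form is the editor's choice, not something the thread shows). As in the answer, it runs on any Splunk instance because it searches `index=_internal`.

```xml
<dashboard>
  <row>
    <panel>
      <chart>
        <title>Unhandled Exceptions</title>
        <searchString>index=_internal earliest=-1h@h | chart count by sourcetype</searchString>
        <earliestTime>0</earliestTime>
        <latestTime/>
        <option name="charting.chart">bar</option>
        <drilldown>
          <!-- |s quotes and escapes the clicked value, so it is safe to paste into a search -->
          <set token="type_tok">$click.value|s$</set>
        </drilldown>
      </chart>
      <table depends="$type_tok$">
        <title>Table for $type_tok$</title>
        <!-- type_tok already carries its own double quotes, so none are added here -->
        <searchString>index=_internal earliest=-1h@h sourcetype=$type_tok$
          | eval time=_time
          | table _time, time, sourcetype, host</searchString>
        <!-- 'time' (epoch) is kept out of <fields> so it stays hidden but remains available to $row.time$ -->
        <fields>_time, sourcetype, host</fields>
        <option name="drilldown">row</option>
        <drilldown>
          <set token="time_tok">$row.time$</set>
          <!-- host values can contain spaces or quotes; |s makes them a single quoted search term -->
          <set token="host_tok">$row.host|s$</set>
        </drilldown>
      </table>
      <event depends="$time_tok$,$host_tok$">
        <title>Event at _time=$time_tok$ on host $host_tok$</title>
        <!-- sourcetype and host are already quoted by |s; the epoch token is compared with where,
             so an unexpected value cannot turn into extra search syntax -->
        <searchString>index=_internal earliest=-1h@h sourcetype=$type_tok$ host=$host_tok$
          | where _time=$time_tok$</searchString>
      </event>
    </panel>
  </row>
</dashboard>
```

The `$time_tok$` value is numeric and is never wrapped in quotes because it is used in an arithmetic comparison; if you need it as a search term instead, apply `|s` to it as well. The other filters (`|h` for HTML escaping, `|u` for URL encoding, `|n` for no escaping) exist for the same reason and should be chosen by where the token value ends up, not left at the default.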

RVDowning
Contributor

That did the trick. Thanks much for your help!

0 Karma

somesoni2
Revered Legend

If you see the code for '<table>', I am creating a cloned column for _time (which gets displayed in human-readable form) as 'time' (which will be epoch time). And then I am hiding the column 'time' by not listing it under the '<fields>..</fields>' tag. Tokens can be created for hidden fields, so the token I created for time comes from the epoch column 'time', so that it can be used for comparison in the third panel.

0 Karma

RVDowning
Contributor

It kinda works, but I still have one problem. The date displays in the row as 1407423288 instead of 2014-08-07 10:54:48, and that first format seems to be needed for date comparison purposes. I don't really want a "garbage" column to appear. Is there a way to hide that column but still pass that date through?

I am also unable to do comparisons on the 2014-08-07 10:54:48. If I try I get the error: The operator at 'T10:51:53.000-04:00' is invalid.

0 Karma

rahulroy_splunk
Path Finder

It means it runs on any Splunk instance 🙂
You can use this dashboard code without any prior data setup.

RVDowning
Contributor

I don't see the runanywhere sample. There is no link.

0 Karma