I have a bar chart and the user clicks on a bar and it then displays a table corresponding to the bar that was clicked. I would now like the user to be able to click on one of the table rows to then allow the user to see the raw transaction that comprised that table row. What I currently have is the following:
<dashboard>
<row>
<panel>
<chart>
<title>Unhandled Exceptions</title>
<searchString>source="*PerfMetrics*" earliest=@month
| transaction host startswith="START]" endswith=eval(match(_raw,"END]") OR match(_raw,"unhandled"))
| where NOT match(_raw, "END]") | chart count by host</searchString>
<earliestTime>0</earliestTime>
<latestTime/>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
.
.
.
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<drilldown>
<set token="type_tok">$click.value$</set>
</drilldown>
</chart>
<table depends="$type_tok$">
<title>Table for "$type_tok$"</title>
<searchString>source="*PerfMetrics*" earliest=@month host="$type_tok$"
| transaction host startswith="START]" endswith=eval(match(_raw,"END]") OR match(_raw,"unhandled"))
| where NOT match(_raw, "END]")
| table _time, User, host, Action, PlanName, Dept, AffProcessSize
</searchString>
<option name="drilldown">row</option>
</table>
</panel>
</row>
</dashboard>
I don't see how to set up the plumbing for an additional table and search to just display the raw data corresponding to that clicked upon row. (I also don't see how to format the code so that it is readable here.)
See this runanywhere sample.
1) For the drilldown tokens for <table>, try to add a token which can uniquely identify the event (in case there can be multiple events with the same timestamp).
2) For formatting of code, select the code and click on button "101|010" at the top of textbox OR press Ctrl+K.
<dashboard>
<row>
<panel>
<chart>
<title>Unhandled Exceptions</title>
<searchString>index=_internal earliest=-1h@h | chart count by sourcetype</searchString>
<earliestTime>0</earliestTime>
<latestTime/>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart">bar</option>
<drilldown>
<set token="type_tok">$click.value$</set>
</drilldown>
</chart>
<table depends="$type_tok$">
<title>Table for "$type_tok$"</title>
<searchString>index=_internal earliest=-1h@h sourcetype="$type_tok$"
| table _time, sourcetype, host | eval time=_time
</searchString>
<fields>_time, sourcetype, host</fields>
<option name="drilldown">row</option>
<drilldown>
<set token="time_tok">$row.time$</set>
<set token="sourcetype_tok">$row.sourcetype$</set>
<set token="host_tok">$row.host$</set>
<set token="earliest_tok">$earliest$</set>
<set token="latest_tok">$latest$</set>
</drilldown>
</table>
<event depends="$time_tok$,$sourcetype_tok$,$host_tok$,$earliest_tok$,$latest_tok$">
<title>Event for _time=$time_tok$,sourcetype=$sourcetype_tok$,host=$host_tok$</title>
<searchString>index=_internal earliest=-1h@h sourcetype="$type_tok$" host=$host_tok$ _time=$time_tok$
</searchString>
</event>
</panel>
</row>
</dashboard>
That did the trick. Thanks much for your help!
If you look at the code for '<table>', I am creating a cloned column for _time (which gets displayed in human-readable form) as 'time' (which will be epoch time). I am then hiding the column 'time' by not listing it under the '<fields>..</fields>' tag. Tokens can be created for hidden fields, so the token I created for time comes from the epoch column 'time', so that it can be used for comparison in the third panel.
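As an added illustration (not the poster's dashboard and not the answer's sample above), here is the same hidden-epoch-column pattern applied to the PerfMetrics transaction search from the question: the chart sets a host token, the table clones _time into an epoch column that is left out of <fields> so it stays hidden but is still reachable as $row.start_epoch$, and an event panel shows the raw transaction for the clicked row. The token names start_epoch and start_tok, passing an epoch value to earliest=, and re-running the transaction command in the third panel to rebuild the clicked transaction are assumptions of this example, not something shown on the page.

```xml
<dashboard>
  <row>
    <panel>
      <chart>
        <title>Unhandled Exceptions</title>
        <searchString>source="*PerfMetrics*" earliest=@month
| transaction host startswith="START]" endswith=eval(match(_raw,"END]") OR match(_raw,"unhandled"))
| where NOT match(_raw, "END]") | chart count by host</searchString>
        <earliestTime>0</earliestTime>
        <latestTime/>
        <option name="charting.chart">bar</option>
        <drilldown>
          <!-- the clicked bar is a host name -->
          <set token="host_tok">$click.value$</set>
        </drilldown>
      </chart>
      <table depends="$host_tok$">
        <title>Transactions for host "$host_tok$"</title>
        <searchString>source="*PerfMetrics*" earliest=@month host="$host_tok$"
| transaction host startswith="START]" endswith=eval(match(_raw,"END]") OR match(_raw,"unhandled"))
| where NOT match(_raw, "END]")
| eval start_epoch=_time
| table _time, start_epoch, User, host, Action, PlanName, Dept, AffProcessSize</searchString>
        <!-- start_epoch is not listed in <fields>, so it is hidden from the user
             but still available to the row drilldown as $row.start_epoch$ -->
        <fields>_time, User, host, Action, PlanName, Dept, AffProcessSize</fields>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- epoch start time of the clicked transaction (assumed token name) -->
          <set token="start_tok">$row.start_epoch$</set>
        </drilldown>
      </table>
      <event depends="$start_tok$">
        <title>Raw transaction for host "$host_tok$" starting at _time=$start_tok$</title>
        <!-- Assumption: earliest= accepts the epoch value; the transaction is rebuilt for
             this host from that instant on and the one whose start matches the row is kept -->
        <searchString>source="*PerfMetrics*" host="$host_tok$" earliest=$start_tok$
| transaction host startswith="START]" endswith=eval(match(_raw,"END]") OR match(_raw,"unhandled"))
| where _time=$start_tok$</searchString>
      </event>
    </panel>
  </row>
</dashboard>
```

The comparison in the last panel is done on the epoch value, which is why the cloned column is needed: the human-readable _time string contains characters that the search language reads as operators.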
It kinda works, but I still have one problem. The date displays in the row as 1407423288 instead of 2014-08-07 10:54:48, and that first format seems to be needed for date comparison purposes. I don't really want a "garbage" column to appear. Is there a way to hide that column but still pass that date through?
I am also unable to do comparisons on the 2014-08-07 10:54:48. If I try I get the error: The operator at 'T10:51:53.000-04:00' is invalid.
It means it runs on any Splunk instance 🙂
You can use this dashboard code without any prior data setup.
I don't see the runanywhere sample. There is no link.