Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Problem with drilldown and OUTPUT
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem with drilldown and OUTPUT
I need some help with getting this simple drilldown to pass the dboperationcode to my <link>. Currently my search is only giving me the OUTPUT value as the click.value for the drilldown search. I want to pass the dboperationcode in my drilldown but I only get the description.
I've tried setting tokens using the <set> and also using the <condition field="dboperationcode"> but nothing I've tried seems to override what is coming from the OUTPUT in my lookup.
<search>
<query>
index="myindex" host=$host$ | top limit=5 dboperationcode
| lookup sqlcursorlkp lkpcode as dboperationcode OUTPUT description
| fillnull value=Unknown | eval hcreason=count." : ".hcreason
| table description, count, percent, dboperationcode
</query>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<drilldown target="_blank">
<link>
<![CDATA[failed_operation?dboperationcode=$click.value$host=$host$&earliest=$earliest$&latest=$latest$]]>
</link>
</drilldown>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
<link>
<![CDATA[/app/[name of the app where the view is]/sql_statement_failed?dboperationcode=$row.dboperationcode$&host=$host$&earliest=$earliest$&latest=$latest$]]>
</link>
Hope I was able to help you. If so, some karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Look at dynamic drill down in docs
http://docs.splunk.com/Documentation/Splunk/6.2.3/Viz/Understandbasictableandchartdrilldownactions
Hope I was able to help you. If so, some karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use $row.dboperationcode$. Also, there seems to be an ampersand missing before host= in your link tag.
You're getting the description now because with drilldown=all the $click.value$ token always refers to the first column.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, pies are very restricted in their behaviour.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, I tried that and I'm not getting anything from it.
<link>
<![CDATA[failed_operation?dboperationcode=$row.dboperationcode$&host=$host$&earliest=$earliest$&latest=$latest$]]>
</link>
turnsout ampersand wasn't a problem in my dashboard code just where I posted the question. Here is the link I'm trying to render the token values into...
<link>
<![CDATA[sql_statement_failed?dboperationcode=$row.dboperationcode$&host=$host$&earliest=$earliest$&latest=$latest$]]>
</link>
I also need to add that the chart is a pie chart. But to render out the labels the way I wanted I had to pipe in | table columns... so I'm not actually clicking on a table value but on a portion of a pie chart.
the $row.dboperationcode$ token isn't populating... I'm just getting the row.dboperationcode token name in the url....
is it because I'm using the table command in my search along with a pie chart type?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I know what my problem is. Pie charts are one dimensional and using the row. won't work because it's final render is a one dimensional pie chart vs a table, etc... I converted the pie to a bar chart and it works.
I wish I could use the pie chart though. It looks much better and makes more sense for this one value... It's just the lookup that is causing the problem making the output something I can't turn around and search on with the drill down.
What Is Splunk? Here’s What You Can Do with Splunk
Level Up Your .conf25: Splunk Arcade Comes to Boston
Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...
