Splunk dashboard clickable table output

vadlamudi
Explorer

Hi There,

 

I have two queries [Query 1 and Query 2]. What I am planning to achieve is that when the user clicks on the server_ID in the tabular output of Query 1, it should be passed as INPUT to the WHERE clause in Query 2. Any help would be appreciated.

 

 

Query 1:

index=<<index_name>>   sourcetype=webserver | dedup server_ID | table  server_ID

 

Query 1 Output:

server_ID

49552473-567
d5eedf55-dca
5d4bb774-74a
03f03042-1f7

 

Query 2:

 

index=<< index_name>>   "Exception" | where  server_ID= "server_ID from Query1 table"

 

 

Thank You

richgalloway
SplunkTrust

There's a pretty good example of that in the Dashboards and Visualizations manual at https://docs.splunk.com/Documentation/Splunk/8.2.2/Viz/ContextualDrilldown#Manage_and_respond_to_tok...

The concept is the first query has a <drilldown> element that sets a token value to the clicked cell.  The second query references that token.  The second query won't run until the token is assigned a value (when the user clicks on the table).

<query>index=<<index_name>>   sourcetype=webserver | dedup server_ID | table  server_ID</query>
<drilldown>
  <set token="server_ID">$row.server_ID$</set>
</drilldown>
<query>index=<< index_name>>   "Exception" | where  server_ID=$server_ID|s$</query>

 

 

---
If this reply helps you, an upvote would be appreciated.

vadlamudi
Explorer

Hi @richgalloway, I am facing the below error when I tried the above solution that you provided.

 

ERROR: Node drilldown is not allowed here

 

Thank You

richgalloway
SplunkTrust

Why did you accept the answer if it doesn't work?

The dashboard code in the answer is not complete.  The snippets provided need to be inserted into the proper places in your XML.

---
If this reply helps you, an upvote would be appreciated.
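
The placement the reply refers to, shown as a complete Simple XML dashboard. This is an added example, not code posted by anyone in the thread; `YOUR_INDEX`, the labels, titles and time ranges are placeholders. The second search uses the `|s` token filter so the clicked value reaches `where` as a quoted string.

```xml
<!-- Added example. YOUR_INDEX, labels and time ranges are placeholders. -->
<dashboard>
  <label>Web server exceptions by server_ID</label>
  <row>
    <panel>
      <table>
        <title>Click a server_ID</title>
        <search>
          <query>index=YOUR_INDEX sourcetype=webserver | dedup server_ID | table server_ID</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <!-- drilldown belongs to the visualization element (here, table),
             as a sibling of search, not inside search -->
        <drilldown>
          <set token="server_ID">$row.server_ID$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <!-- depends keeps this panel hidden until the token has a value -->
    <panel depends="$server_ID$">
      <event>
        <title>Exceptions for the clicked server</title>
        <search>
          <!-- the |s filter wraps the token value in quotes and escapes
               embedded quotes, so it is compared as a string literal -->
          <query>index=YOUR_INDEX "Exception" | where server_ID=$server_ID|s$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">20</option>
      </event>
    </panel>
  </row>
</dashboard>
```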