Splunk Search

Stats table drilldown help

codedtech
Path Finder

I want to create a drill down that will go from a value on a stats table a time chart for the clicked pool name in a new tab, I've been at this for a few hours now and I can't seem to get it to work.

Here is the current XML:

<panel>
 <table>
 <title>Pool Stats</title>
    <search>
      <query>index=Stuff| SERVER_NAME="$SERVER_NAME$"|dedup POOL_NAME|stats avg(eval(if(PCT_UTILIZED==0,null(),PCT_UTILIZED))) as Used by POOL_NAME|sort -Used | head 10</query>
      <earliest>0</earliest>
      <latest></latest>
    </search>
    <option name="drilldown">row</option>
  </table>    

Thanks in advance.

0 Karma

gcusello
Legend

Hi codedtech,
you have to use the web interface or to add thes lines to your source after the option tag:

 <panel>
  <table>
  <title>Pool Stats</title>
     <search>
       <query>index=Stuff| SERVER_NAME="$SERVER_NAME$"|dedup POOL_NAME|stats avg(eval(if(PCT_UTILIZED==0,null(),PCT_UTILIZED))) as Used by POOL_NAME|sort -Used | head 10</query>
       <earliest>0</earliest>
       <latest></latest>
     </search>
     <option name="drilldown">row</option>
     <drilldown>
          <link target="_blank">/app/imy_app/drilldown_dashboard?POOL_NAME=$row.POOL_NAME$</link>
     </drilldown>
     </table> 

in this way, in the new dashboard you have to use the token named "POOL_NAME".
If you want to pass also the time borders of your search use the following.

 <drilldown>
      <link target="_blank">/app/imy_app/drilldown_dashboard?TimeFrom=$Time.earliest$&TimeTo=$Time.latest$&POOL_NAME=$row.POOL_NAME$</link>
 </drilldown>

In this case, you have to manage in the second dashboard three tokens.

Remember that for a problem on the editor the "&" char must be translated into "&".

As a guide, you can see the Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ).

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...