Re: Using eval for a search. Drilldown XML ignores...

spike021 · ‎01-25-2016

Sorry for the mouthful in the title.

I'm using a drilldown in the XML for a component in a dashboard which worked fine until I changed the query building the component to use 'eval'.

Originally I'd be able to click the cell, get the string within, and open a new tab in the browser with a separate custom search going using that cell's string.

I changed the backend query to get the table's data a different way. I'd like to launch a new search with the cell's string. What I did in the process was, for the moment, just using the URL for the search I wanted, except with $click.value$ inserted to get the unique result. Probably not the best way in general (any tips?) but it suited my needs for that particular moment.

However, I have a newer search query for the functionality I want. The data itself displays just fine in the table. But when I click a cell, I get redirected to a new search that pretty much uses the original search query (the newest one that uses eval), except it inserts the cell's string as a qualifier, so that the new results are filtered down just to events with that string. Technically that's right, but I don't want the new search to use eval at all. It should pretty much do what I had it do before, which is just "index=... etc. | table "A", "B". The weird thing is that I double checked the XML "source" and my drilldown link is still there..

I hope that use case makes sense... Is it possible it has to do with how I start the new search? I looked through this Answers board a bit as well as the docs and I have to say I'm a bit confused on the best way to just drilldown to a new search using SimpleXML, not Advanced XML.

Thanks!

jbjerke_splunk · ‎01-25-2016

Hi spike021

The SimpleXML element you are looking for is called drilldown. Full reference on this element can be found here:
http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#Drilldown_elem...

There is also a section on the tokens available for tables here:
http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#table_.28event...

To do what you want to do, the SimpleXML would look something like this:

<table>
<searchString>index=_internal</searchString>

<!-- Pass the clicked row's 'count'-column value    -->
<!-- to populate a destination form's 'foo' token. -->
<drilldown>
  <link>
  /app/search/search?q=search index=_internal $row.field1$ | stats count
  </link>
</drilldown>
</table>

field1 is the name of the field in the table and clicking it would open a new search with the value added to the custom search.

If this answer is what you were looking for, please mark it as Answered.

j

spike021 · ‎01-25-2016

So even if I comment out the tag block, I still have the same issue where clicking on the cell pretty much performs the query again, except with something appended so it gets narrowed down to anything with the cell's contents.

I use dedup, but I used dedup earlier and it worked ok for doing the new search with the drilldown.. so I'm very confused.

renjith_nair · ‎01-25-2016

If you just want to open a new search window on drilldown, you don't need to explicitly provide drilldown since splunk by default does that (unless you want custom fields as part of drilldown. Just trying to understand what you are doing - You have a panel and you have enabled drilldown for that and in the drill down you mentioned a new search with clicked value as parameter. The eval or search terms in the original search shouldn't be affecting your drill down. Could you please share the search and part of your XML if possible?

Happy Splunking!

Using eval for a search. Drilldown XML ignores my lookup link and just re-uses the original search query, but with it narrowed down to the cell selection?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk