Splunk Search

What token can I use in a timechart to pass the 'split by' clause in the $host$ token to another view in Simple XML?

tmarlette
Motivator

I have created a dashboard in simple XML and I am attempting to make a dynamic drilldown leveraging the split by clause, and pass the host name to another view.

I have a search that looks like this:

index=os sourcetype=vmstat | eval loadAvg1mi=if(loadAvg1mi > 100,"100",loadAvg1mi) | timechart span=5m avg(loadAvg1mi) AS CPU by hostname limit=0

Which gives me a chart that looks like this:

Each line is a host, and I am attempting to drill down from clicking on either the line or the legend; however, there is no token in the documentation to leverage the 'split by' clause in the $foo$ token.

I have tried all of these to no avail:

Token Description
click.name Name of the leftmost field that appears in the table. This is always _time, if present.
click.value Value of the leftmost column in the row.
click.name2 Name of the column.
click.value2 Value of the column.

This last one doesn't work on a timechart, only on tables.
row.<fieldname> All field values for the table row, including those fields that are not displayed.

Does anyone know what token I can use to pass the 'split by' clause (aka host name in my case) to another view?

1 Solution

Flynt
Splunk Employee

$click.name2$ should be the one you need. I can validate using this simplexml and sourcetype being my splitby (the query itself is nonsense, I'm just testing that the splitby will work):

<dashboard>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal|  timechart  span=5m count AS CPU by sourcetype limit=0</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="drilldown">all</option>

        <drilldown>
          <link>
            /app/search/simple_xml_form?form.foo=$click.name2$
          </link>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>

Clicking the splunkd_access line

gives me http://localhost:8000/en-US/app/search/simple_xml_form?form.foo=splunkd_access

stephane_cyrill
Builder

Take a look at the In page drilldown XML code in splunk dashboard 6...examples.

Or see contextual drilldown elements here:

docs.splunk.com/Documentation/Splunk/6.2.2/Viz/Understandbasictableandchartdrilldownactions

0 Karma

tmarlette
Motivator

I have checked that documentation, as well as the Simple XML documentation and the $foo$ tokens documentation; however, the variable I am searching for isn't in any of them, unless I'm completely missing it.

They mention columns and fields; however, click.value and click.value2 in a chart return values that are not the split-by clause. Give it a shot and see what you come up with. I ended up with _time and the value, which is the X / Y axis. I got this from the Splunk dashboard examples app, and it doesn't mention anything anywhere about a split-by clause variable in a dynamic drill down.

I know there has to be one, but I just don't know what it is.

0 Karma