Splunk Search

Zoom with second dashboard not working

Explorer

I am performing a sentiment analysis on RSS feeds over time and want to add a timechart zoom capability to my dashboard. Currently I cannot get this to work. I want the zoom to display in another chart. My first chart looks like this:

    <title>Sentiment Over Time</title>
    <searchString>index = rss_2  | dedup link  | sentiment imdb title | timechart avg(sentiment)</searchString>
    <earliestTime>0</earliestTime>
    <latestTime>now</latestTime>
    <selection>
      <set token="selection_earliest">$start$</set>
      <set token="selection_latest">$end$</set>
      <set token="start_splunk_web_access">$start.avg(sentiment)$</set>
      <set token="end_splunk_web_access">$end.avg(sentiment$)</set>
    </selection>

My second chart looks like this:

    <title>Zoom in Sentiment Visual</title>
    <search>
      <query>index = rss_2 | dedup link | sentiment imdb title | timechart avg(sentiment)</query>
      <earliest>$selection_earliest$</earliest>
      <latest>$selection_latest$</latest>
    </search>
  </chart>

My goal is to be able to zoom in on a specific time frame and view the individual titles of the RSS feeds so that the user can quickly see which titles are generating low or high sentiment without having to execute any further search strings.

I have tried the drilldown capability in the dashboard and can't get that to work as I want it to either.

Any help is much appreciated, as I've been developing this app for almost 4 months.

0 Karma

Contributor

Hi,

I think your approach is based mostly on the "Pan and zoom chart controls" (Link). This should basically work. The one thing that will be "disabled" when using another chart is the visual zoom itself. You will find yourself with a picked range within that chart.

My current test looks like the code below.

What exactly isn't working?

All the best,
Björn

    <dashboard>
      <label>Test</label>
      <row>
        <panel>
          <chart>
            <search>
              <query>index=_internal | timechart span=5m avg(timestartpos) as timestartpos avg(timeendpos) as timeendpos</query>
              <earliest>-1d@d</earliest>
              <latest>@d</latest>
            </search>
            <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
            ...
            <option name="charting.legend.placement">right</option>
            <selection>
              <set token="selection_earliest">$start$</set>
              <set token="selection_latest">$end$</set>
              <set token="start_data1">$start.timestartpos$</set>
              <set token="end_data1">$end.timestartpos$</set>
              <set token="start_data2">$start.timeendpos$</set>
              <set token="end_data2">$end.timeendpos$</set>
            </selection>
          </chart>
        </panel>
      </row>
      <row>
        <panel>          
          <table>            
            <search>
              <query>index=_internal | table _time timestartpos timeendpos | untable _time name data | stats min(data) avg(data) max(data) by name</query>
              <earliest>$selection_earliest$</earliest>
              <latest>$selection_latest$</latest>
            </search>
          </table>
        </panel>
        <panel>
          <!-- Raw HTML in a Simple XML panel has to sit inside an <html> element -->
          <html>
            <h3>Token values for the selection</h3>
            <table border="0" cellpadding="12" cellspacing="0">
              <tr>
                <td>
                  <p><b>Time range (epoch time)</b></p>
                  <p><b>$$selection_earliest$$</b>: $selection_earliest$<br/>
                  <b>$$selection_latest$$</b>: $selection_latest$</p>
                </td>
                <td>
                  <p><b>Count at the beginning and end of time range.</b></p>
                  <p><b>$$start_data1$$</b>: $start_data1$<br/>
                  <b>$$end_data1$$</b>: $end_data1$</p>
                </td>
                <td>
                  <p><b>Count at the beginning and end of time range.</b></p>
                  <p><b>$$start_data2$$</b>: $start_data2$<br/>
                  <b>$$end_data2$$</b>: $end_data2$</p>
                </td>
              </tr>
            </table>
          </html>
        </panel>
      </row>
    </dashboard>

0 Karma

Communicator

    <chart>
      <title>Pan and Zoom (All source types)</title>
      <searchString>
        index=_internal | timechart count by sourcetype
      </searchString>
      <earliestTime>-7d@h</earliestTime>
      <latestTime>now</latestTime>
      . . .
      <selection>
        <set token="selection.earliest">$start$</set>
        <set token="selection.latest">$end$</set>
        <set token="start.splunk_web_access">$start.splunk_web_access$</set>
        <set token="end.splunk_web_access">$end.splunk_web_access$</set>
      </selection>
    </chart>
    <chart>
      <title>Pan and Zoom (Web access source type)</title>
      <searchString>
        index=_internal sourcetype=splunk_web_access
        | timechart count by sourcetype
      </searchString>
      <earliestTime>$selection.earliest$</earliestTime>
      <latestTime>$selection.latest$</latestTime>
      . . .
    </chart>

I think this example can help you. Try to use this code and manage with your request. Thanks.

0 Karma

Explorer

This code is what I used to develop what I have above. I still can't get this to work. I would ideally like to just develop a drilldown but I can't get that to work either.

0 Karma