Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

create a drill-down multiple condition

vshakur
Path Finder
‎04-07-2018 04:05 AM

Hello,

Is it possible to set a drill-down condition only for the cells of a specific column but to exclude one cell.

For example:
row a | row b | row c |
--------|---------|---------|
a1 | b1 | c1
a2 | b2 | c2
a3 | b3 | c3

I'd like to be able to press only the values under "row a" but to also exclude the last value "a3".

Please help me achieve this goal

Thanks,
Sam

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎04-07-2018 09:35 AM

@vshakur if you are on Splunk 6.5 or higher easiest option for you to be use add a Total Table Summary row which can not be used for Drilldown: https://docs.splunk.com/Documentation/Splunk/latest/Viz/TableFormatsFormatting#Totals_summary_row

This way your drilldown code would be enabled only for "row a" and Total row will not have drilldown enabled.

Otherwise you will have to use $row.yourfieldname$ to check for value Total and not perform any drilldown action.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎04-07-2018 09:35 AM

@vshakur if you are on Splunk 6.5 or higher easiest option for you to be use add a Total Table Summary row which can not be used for Drilldown: https://docs.splunk.com/Documentation/Splunk/latest/Viz/TableFormatsFormatting#Totals_summary_row

This way your drilldown code would be enabled only for "row a" and Total row will not have drilldown enabled.

Otherwise you will have to use $row.yourfieldname$ to check for value Total and not perform any drilldown action.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

niketn
Legend
‎04-07-2018 10:09 AM

@vshakur, I have converted my comment to answer. If it worked for you, please accept the same to mark this question as answered. If you need further details, do let us know. 🙂 Happy Weekend!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

vshakur
Path Finder
‎04-07-2018 10:18 AM

Thanks but I'm still stuck.
Using Total Table Summary is not an option since some of the columns represent percentages and I don't want them to be summed up.

I have the following code:

<drilldown>
  <condition field="Environment">
    <eval token="form.environment_token">$click.value$</eval>
  </condition>
</drilldown>

But I'm having trouble to add another condition to the existing one. Besides the field="Environment" condition I need to verify that the user won't be able to press the last cell in the column labeled Total

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎04-07-2018 10:55 PM

Following is run anywhere example with Table Summary Row added. You can hide Total of percent column using CSS. Try the following run anywhere dashboard:

<dashboard>
  <label>Table Summary Row CSS</label>
  <row>
    <panel>
      <html depends="$alwaysHideCSSPanel$">
        <style>
          #tableWithSummary tbody tr:last-child td:last-child{
            visibility:hidden !important;
          }
          #tableWithSummary tbody tr:last-child td{
            background: #fff !important;
            font-weight: bold !important;
          }
        </style>
      </html>
      <table id="tableWithSummary">
        <search>
          <query>index=_internal sourcetype=splunkd
| top 5 component</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">true</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

Following is a run anywhere example with addtotals and eval to set token on Drilldown from the field count. In case the component value is Total (i.e. for the final row) then token is unset by not defining the default condition of the case statement.

    <panel>
      <table id="tableWithSummary2">
        <title>$tokClickedValue$</title>
        <search>
          <query>index=_internal sourcetype=splunkd
| top 5 component
| addtotals col=t row=f labelfield=component label=Total
| eval percent=case(component!="Total",percent)
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition field="count">
            <eval token="tokClickedValue">case($row.component$!="Total",$row.count$)</eval>
          </condition>
          <condition>
                <!-- Do not drilldown for other fields-->
            </condition>
        </drilldown>
      </table>
    </panel>

Please try out both options and confirm.
PS: you can also code drilldown to pick only the count field no matter which field is clicked, using the $row.count$ value.

        <drilldown>
            <eval token="tokClickedValue">case($row.component$!="Total",$row.count$)</eval>
        </drilldown>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

vshakur
Path Finder
‎04-08-2018 02:55 AM

The last one did the trick. Thanks.

Reply
Solved! Jump to solution

rjthibod
Champion
‎04-07-2018 04:25 AM

The answer I can think of is it depends. In my mind, you would need to have a column that can label the horizontal row you want to exclude, e.g., exclude anything that belongs to the last row that has a label "Totals". Do you have any way of labeling the values you want to exclude? Or is it always the last value in the column?

0 Karma
Reply
Solved! Jump to solution

vshakur
Path Finder
‎04-07-2018 09:06 AM

It's both. It's both the last row and It's always labeled "Total"

0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎04-07-2018 03:09 PM

what is the name of the column that contains the label "Total"?

0 Karma
Reply
Solved! Jump to solution

vshakur
Path Finder
‎04-08-2018 12:38 AM

Environment

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
li.common.scroll-to.top