
create a drill-down multiple condition

Path Finder

Hello,

Is it possible to set a drill-down condition only for the cells of a specific column but to exclude one cell?

For example:
row a | row b | row c
------|-------|------
a1 | b1 | c1
a2 | b2 | c2
a3 | b3 | c3

I'd like to be able to press only the values under "row a" but to also exclude the last value "a3".

Please help me achieve this goal

Thanks,
Sam

0 Karma

Legend

@vshakur if you are on Splunk 6.5 or higher, the easiest option for you would be to add a Total Table Summary row, which cannot be used for Drilldown: https://docs.splunk.com/Documentation/Splunk/latest/Viz/TableFormatsFormatting#Totals_summary_row

This way your drilldown code would be enabled only for "row a" and the Total row will not have drilldown enabled.

Otherwise you will have to use $row.yourfieldname$ to check for value Total and not perform any drilldown action.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Legend

@vshakur, I have converted my comment to answer. If it worked for you, please accept the same to mark this question as answered. If you need further details, do let us know. 🙂 Happy Weekend!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Path Finder

Thanks but I'm still stuck.
Using Total Table Summary is not an option since some of the columns represent percentages and I don't want them to be summed up.

I have the following code:

<drilldown>
  <condition field="Environment">
    <eval token="form.environment_token">$click.value$</eval>
  </condition>
</drilldown>

But I'm having trouble adding another condition to the existing one. Besides the field="Environment" condition, I need to verify that the user won't be able to press the last cell in the column, labeled Total.

0 Karma

Legend

Following is a run anywhere example with Table Summary Row added. You can hide the Total of the percent column using CSS. Try the following run anywhere dashboard:

<dashboard>
  <label>Table Summary Row CSS</label>
  <row>
    <panel>
      <html depends="$alwaysHideCSSPanel$">
        <style>
          #tableWithSummary tbody tr:last-child td:last-child{
            visibility:hidden !important;
          }
          #tableWithSummary tbody tr:last-child td{
            background: #fff !important;
            font-weight: bold !important;
          }
        </style>
      </html>
      <table id="tableWithSummary">
        <search>
          <query>index=_internal sourcetype=splunkd
| top 5 component</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">true</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

Following is a run anywhere example with addtotals and eval to set token on Drilldown from the field count. In case the component value is Total (i.e. for the final row) then token is unset by not defining the default condition of the case statement.

    <panel>
      <table id="tableWithSummary2">
        <title>$tokClickedValue$</title>
        <search>
          <query>index=_internal sourcetype=splunkd
| top 5 component
| addtotals col=t row=f labelfield=component label=Total
| eval percent=case(component!="Total",percent)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition field="count">
            <eval token="tokClickedValue">case($row.component$!="Total",$row.count$)</eval>
          </condition>
          <condition>
            <!-- Do not drilldown for other fields-->
          </condition>
        </drilldown>
      </table>
    </panel>

Please try out both options and confirm.
PS: you can also code drilldown to pick only the count field no matter which field is clicked, using the $row.count$ value.

        <drilldown>
            <eval token="tokClickedValue">case($row.component$!="Total",$row.count$)</eval>
        </drilldown>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Path Finder

The last one did the trick. Thanks.
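
Added example, not part of the original thread: the accepted approach adapted to the asker's `Environment` column and `form.environment_token`, as a self-contained form. The sample data, the `Hosts` and `Percent` columns and the text input are constructed for illustration; the field list on `addtotals` restricts the Total row to `Hosts` so the percentage column is not summed.

```xml
<form>
  <label>Drilldown on Environment, excluding Total (constructed example)</label>
  <fieldset submitButton="false">
    <!-- Input bound to the token that the drilldown sets -->
    <input type="text" token="environment_token">
      <label>Environment</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Selected: $environment_token$</title>
        <search>
          <!-- Constructed sample rows; only Hosts is totalled, Percent is left alone -->
          <query>| makeresults count=3
| streamstats count AS n
| eval Environment=case(n=1,"dev",n=2,"test",n=3,"prod"), Hosts=n*10, Percent=round(n*100/6,1)
| fields - _time n
| addtotals col=t row=f labelfield=Environment label=Total Hosts</query>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <!-- Only clicks in the Environment column are handled -->
          <condition field="Environment">
            <!-- case() has no default branch, so a click on the Total row
                 evaluates to null and the token is never set to "Total" -->
            <eval token="form.environment_token">case($row.Environment$!="Total",$row.Environment$)</eval>
          </condition>
          <condition>
            <!-- Clicks in any other column do nothing -->
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</form>
```

The value is taken from `$row.Environment$` rather than `$click.value$` so the result does not depend on where the `Environment` column sits in the table.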

Champion

The answer I can think of is it depends. In my mind, you would need to have a column that can label the horizontal row you want to exclude, e.g., exclude anything that belongs to the last row that has a label "Totals". Do you have any way of labeling the values you want to exclude? Or is it always the last value in the column?

0 Karma

Path Finder

It's both. It's both the last row and it's always labeled "Total".

0 Karma

Champion

What is the name of the column that contains the label "Total"?

0 Karma

Path Finder

Environment

0 Karma