Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: help on a pie slice with drilldown
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I use the search below in order to display a pie chart and to change the label of each pie slice
`CPU`
| fields process_cpu_used_percent host process_name
| eval process_name=case(process_name like "mfev%" OR process_name like "mcdatrep" OR process_name=="mcshield" OR process_name=="amupdate" OR process_name=="McScript_InUse" OR process_name=="macompatsvc" OR process_name=="FrameworkService" OR process_name=="McScanCheck", "McAFEE", process_name like "Wmi%", "WMI")
| stats count by process_name
By clicking on a pie slice, I open a drilldown in order to display the events related to the pie slice
So I have added the advanced parameters
process_name = $click.value$
host = $tok_filterhost$
What is strange is that when I click on the "WMI" pie slice, I can display events in the drillwon but when I click on the "McAFEE" pie slice, I am not able to display events
What is wrong please??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's not clear how your drilldown tokens are being set, as that must be in a separate dashboard, but what I can see in that example is the line
search process_name=$process_name$ but if that token has a value that contains spaces, then it will be like doing
| search process_name=MS Telemetryand your process name will never be = "MS"
When you use tokens that may contain spaces, you should either do
| search process_name="$process_name$"
OR
| search process_name=$process_name|s$which will ensure you are quoting the token value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is anybody can't help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You responded "perfect, many thanks!!!" so presumably something worked? What is the issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks like you have converted a lot of process names to McAFEE. When you do the drill down, do you convert McAFEE back to a list of possible process names?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have converse all sécurity processes to McAfee...
No in the driildown i use the same eval process_name than in the search form
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post your dashboard panel details - much easier to diagnose with all the information - how are you using the $process_name$ token in your subsequent search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
here is the xml
<dashboard>
<label>CPU detail avec case</label>
<row>
<panel>
<table>
<search>
<query>
`CPU`
| fields process_cpu_used_percent host process_name
| eval time = strftime(_time, "%m/%d/%Y %H:%M")
| eval process_name=case(process_name like "mfev%" OR process_name like "mcdatrep" OR process_name=="mcshield" OR process_name=="amupdate" OR process_name=="McScript_InUse" OR process_name=="macompatsvc" OR process_name=="FrameworkService" OR process_name=="McScanCheck", "McAFEE", process_name like "Wmi%", "WMI", process_name=="conhost", "CMD Windows console", process_name=="csrss" OR process_name=="System" OR process_name=="TiWorker" OR process_name=="msfeedssync" OR process_name=="msiexec" OR process_name=="rundll32" OR process_name=="services" OR process_name like "svchost%" OR process_name=="OneDriveSetup" OR process_name=="poqexec" OR process_name=="unsecapp" OR process_name=="TabTip" OR process_name=="Memory_Compression" OR process_name=="SetupHost" OR process_name=="WerFault" OR process_name=="explorer" OR process_name=="mscorsvw" OR process_name=="sppsvc" OR process_name=="ngen" OR process_name=="spoolsv" OR process_name=="SrTasks" OR process_name=="policyHost" OR process_name=="dwm" OR process_name=="perf-test-9c" OR process_name like "SearchProtocolHost%" OR process_name like "RuntimeBroker%" OR process_name like "LogonUI%", "Windows native process", process_name=="taskhost", "Tasks scheduler", process_name like "powershell%", "Powershell", process_name=="WINWORD", "Word", process_name=="chrome", "Chrome", process_name=="OUTLOOK", "Outlook", process_name like "CompatTelRunner%", "MS Telemetry", process_name like "iexplore%", "IE Explorer")
| search host=$host$
| search process_name=$process_name$
| stats values(_time) as _time, latest(process_cpu_used_percent) as "CPU used (%)" by host process_name
| eval "CPU used (%)"=round('CPU used (%)', 2)."%"
| sort -_time
| eval "CPU alert time" = strftime(_time, "%m/%d/%Y %H:%M")
| rename host as Hostname, process_name as "Process name"
| table "CPU alert time" Hostname "Process name" "CPU used (%)"</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">row</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</dashboard>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's not clear how your drilldown tokens are being set, as that must be in a separate dashboard, but what I can see in that example is the line
search process_name=$process_name$ but if that token has a value that contains spaces, then it will be like doing
| search process_name=MS Telemetryand your process name will never be = "MS"
When you use tokens that may contain spaces, you should either do
| search process_name="$process_name$"
OR
| search process_name=$process_name|s$which will ensure you are quoting the token value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have spoken too fast...
its very strange now it works for WMI and Windows native process but for example not for MS Telemetry!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
perfect, many thanks!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like you might have a problem with your drilldown query but it is difficult to be certain without further information
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry...
in fact, it works just for
I have spoken too fast...
its very strange now it works for WMI and Windows native process but for example not for MS Telemetry!
October Community Champions: A Shoutout to Our Contributors!
Community Content Calendar, November Edition
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
