Splunk Search

help on a pie slice with drilldown

jip31
Motivator

Hi

I use the search below in order to display a pie chart and to change the label of each pie slice


`CPU`
| fields process_cpu_used_percent host process_name
| eval process_name=case(process_name like "mfev%" OR process_name like "mcdatrep" OR process_name=="mcshield" OR process_name=="amupdate" OR process_name=="McScript_InUse" OR process_name=="macompatsvc" OR process_name=="FrameworkService" OR process_name=="McScanCheck", "McAFEE", process_name like "Wmi%", "WMI")
| stats count by process_name

By clicking on a pie slice, I open a drilldown in order to display the events related to the pie slice.

So I have added the advanced parameters

process_name = $click.value$
host = $tok_filterhost$


What is strange is that when I click on the "WMI" pie slice, I can display events in the drilldown, but when I click on the "McAFEE" pie slice, I am not able to display events.

What is wrong please??

0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

@jip31 

It's not clear how your drilldown tokens are being set, as that must be in a separate dashboard, but what I can see in that example is the line

search process_name=$process_name$ 

but if that token has a value that contains spaces, then it will be like doing

| search process_name=MS Telemetry

and your process name will never be = "MS"

When you use tokens that may contain spaces, you should either do

| search process_name="$process_name$"

OR

| search process_name=$process_name|s$

which will ensure you are quoting the token value.
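As an added example (not code from the thread), here is one Simple XML dashboard that puts the pie chart from the question and the drilldown table from the posted XML together, with the drilldown token consumed as `$process_name|s$`; the case() is shortened to three categories, and a text input with default `*` for `tok_filterhost` is assumed. Besides keeping "MS Telemetry" as a single search term, `|s` escapes any double quotes or backslashes in the clicked value, so a token value cannot alter the structure of the search it is inserted into.

```xml
<dashboard>
  <label>CPU detail avec case (quoted drilldown tokens)</label>
  <fieldset submitButton="false">
    <input type="text" token="tok_filterhost">
      <label>Host filter</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Processes by category (click a slice)</title>
        <search>
          <query>`CPU`
| fields process_cpu_used_percent host process_name
| eval process_name=case(process_name like "mfev%" OR process_name=="mcshield", "McAFEE", process_name like "Wmi%", "WMI", process_name like "CompatTelRunner%", "MS Telemetry")
| search host=$tok_filterhost|s$
| stats count by process_name</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <!-- The clicked slice label (e.g. "MS Telemetry", space included) becomes the token value -->
        <drilldown>
          <set token="process_name">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
    <panel depends="$process_name$">
      <table>
        <title>Events for $process_name$</title>
        <!-- |s wraps the token in double quotes and escapes embedded quotes/backslashes, so the value stays one term -->
        <search>
          <query>`CPU`
| fields process_cpu_used_percent host process_name
| eval process_name=case(process_name like "mfev%" OR process_name=="mcshield", "McAFEE", process_name like "Wmi%", "WMI", process_name like "CompatTelRunner%", "MS Telemetry")
| search host=$tok_filterhost|s$
| search process_name=$process_name|s$
| table _time host process_name process_cpu_used_percent</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

The same eval must run in both panels so that the slice label set by the chart matches the value the table searches for.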


0 Karma

jip31
Motivator

Can anybody help?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You responded "perfect, many thanks!!!" so presumably something worked? What is the issue?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

It looks like you have converted a lot of process names to McAFEE. When you do the drill down, do you convert McAFEE back to a list of possible process names?

jip31
Motivator

I have converted all security processes to McAfee...

No, in the drilldown I use the same eval process_name as in the search form.

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Can you post your dashboard panel details - much easier to diagnose with all the information - how are you using the $process_name$ token in your subsequent search?


0 Karma

jip31
Motivator

Here is the XML:

 

<dashboard>
  <label>CPU detail avec case</label>
  <row>
    <panel>
      <table>
        <search>
          <query>
    `CPU` 
| fields process_cpu_used_percent host process_name 
| eval time = strftime(_time, "%m/%d/%Y %H:%M") 
| eval process_name=case(process_name like "mfev%" OR process_name like "mcdatrep" OR process_name=="mcshield" OR process_name=="amupdate" OR process_name=="McScript_InUse" OR process_name=="macompatsvc" OR process_name=="FrameworkService" OR process_name=="McScanCheck", "McAFEE", process_name like "Wmi%", "WMI", process_name=="conhost", "CMD Windows console", process_name=="csrss" OR process_name=="System" OR process_name=="TiWorker" OR process_name=="msfeedssync" OR process_name=="msiexec" OR process_name=="rundll32" OR process_name=="services" OR process_name like "svchost%" OR process_name=="OneDriveSetup" OR process_name=="poqexec" OR process_name=="unsecapp" OR process_name=="TabTip" OR process_name=="Memory_Compression" OR process_name=="SetupHost" OR process_name=="WerFault" OR process_name=="explorer" OR process_name=="mscorsvw" OR process_name=="sppsvc" OR process_name=="ngen" OR process_name=="spoolsv" OR process_name=="SrTasks" OR process_name=="policyHost" OR process_name=="dwm" OR process_name=="perf-test-9c" OR process_name like "SearchProtocolHost%" OR process_name like "RuntimeBroker%" OR process_name like "LogonUI%", "Windows native process", process_name=="taskhost", "Tasks scheduler", process_name like "powershell%", "Powershell", process_name=="WINWORD", "Word", process_name=="chrome", "Chrome", process_name=="OUTLOOK", "Outlook", process_name like "CompatTelRunner%", "MS Telemetry", process_name like "iexplore%", "IE Explorer") 
| search host=$host$ 
| search process_name=$process_name$ 
| stats values(_time) as _time, latest(process_cpu_used_percent) as "CPU used (%)" by host process_name 
| eval "CPU used (%)"=round('CPU used (%)', 2)."%" 
| sort -_time 
| eval "CPU alert time" = strftime(_time, "%m/%d/%Y %H:%M") 
| rename host as Hostname, process_name as "Process name" 
| table "CPU alert time" Hostname "Process name" "CPU used (%)"</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>
0 Karma


jip31
Motivator

I have spoken too fast...

It's very strange: now it works for WMI and Windows native process but, for example, not for MS Telemetry!

0 Karma

jip31
Motivator

perfect, many thanks!!!

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

It sounds like you might have a problem with your drilldown query but it is difficult to be certain without further information

0 Karma

jip31
Motivator

Sorry...

in fact, it works just for 

0 Karma