Splunk + VictorOps

Display events for the append/join/appendcol statements

mmengu416
New Member

Hi, I have been struggling with this situation. I have the query and I need to get the events for that query.
please help!
My search query:
index=fruit sourcetype=apple "searchQueryOne" | stats count as total_calls
| appendcols [ search "search query two" | stats count as call_one]
| appendcols [search "search query three" | stats count as call_two]
the Events appear to be as
|total_calls|call_one|call_two |
| 130 | 70 | 50 |
My question:
when I CLICK ON THE NUMBER 130 or 70 or 50, it must display the events, instead, it is taking to my first query ndex=fruit sourcetype=apple "searchQueryOne". please help me to how to display the events when clicked on numbers.

Thank you

Labels (2)
Tags (1)
0 Karma

niketnilay
Legend

@mmengu416 what is the index sourcetype and searchQuery for Search Query Two and Search Query Three? For the community to assist you better please add more details.

Ideally if you have three separate searches rather than using a subsearch appendcols you can bring the data from three searches in single shot. Following is an approach using Splunk's Internal indexes:

(index=_internal sourcetype=splunkd log_level!=INFO) OR (index=_audit sourcetype=audittrail action=search) OR (index="_introspection" sourcetype=splunk_resource_usage log_level=INFO)
| stats count(eval(index=="_internal" AND sourcetype=="splunkd")) as "total_calls",
    count(eval(index=="_audit" AND sourcetype=="audittrail")) as "call_one",
    count(eval(index=="_introspection" AND sourcetype=="splunk_resource_usage")) as "call_two"

You can use drilldown to code filter query as per the column and row value clicked which would filter specific dataset. For the drilldown also you would need to provide more details as to what exactly is your use case or else refer to Splunk Drilldown documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/DrilldownIntro#Choose_a_drilldown_action

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

mmengu416
New Member

@niketnilay
It is the same search query for all the search queries.
it's not about search queries, it's about how do I display the EVENTS of the search and subsearch

0 Karma

mmengu416
New Member

I mean same index and source type for all the search and subsearch queries, I need to display the events

0 Karma

niketnilay
Legend

@mmengu416 first concern should always be about search query then you should think about presentation. A query with does not perform or has sub search limitation may not give you intended results when there are better ways to write the same search.

Pulling data three times using subsearch when you could have pulled the same in single shot when the index is the same for all of them. Refer to the conf talk by Nick Mealy @sideview on Master Joining Your Datasets Without Using Join

Coming to your question if the index is the same and only search query changes. Could you please add more details on what in your search query changes? Also did you get a chance to explore how you can change the drilldown interaction as compared to default as per your use case? Is the drilldown required from a Dashboard or from a Saved Search? What is the visualization in the dashboard or saved search? and Is the drilldown action to run a search in new window?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

to4kawa
SplunkTrust
SplunkTrust

What are the specific events you want to display, as summarized in stats?

All 130 events?

0 Karma

mmengu416
New Member

Hi, I can already see the count for total_calls, call_one, call_two
I want to display the events of "total_calls, call_one, call_two" when clicked on them.
lets say I want to see all the call_one events, when I click on the number "70" which is the stats count for call_one, it should take me only to those events.

Please answer

0 Karma

to4kawa
SplunkTrust
SplunkTrust

The numbers displayed on the dashboard can only be displayed using the eventstats or the query must be rewritten.

0 Karma