Hi, I have been struggling with this situation. I have the query and I need to get the events for that query.
My search query:
index=fruit sourcetype=apple "searchQueryOne" | stats count as total_calls
| appendcols [ search "search query two" | stats count as call_one]
| appendcols [search "search query three" | stats count as call_two]
The events appear as:
| 130 | 70 | 50 |
When I click on the number 130, 70 or 50, it should display the events; instead, it takes me to my first query index=fruit sourcetype=apple "searchQueryOne". Please help me with how to display the events when clicking on the numbers.
@mmengu416 what are the index, sourcetype and search query for Search Query Two and Search Query Three? For the community to assist you better, please add more details.
Ideally, if you have three separate searches, rather than using appendcols subsearches you can bring the data from the three searches in a single shot. The following is an approach using Splunk's internal indexes:
(index=_internal sourcetype=splunkd log_level!=INFO) OR (index=_audit sourcetype=audittrail action=search) OR (index="_introspection" sourcetype=splunk_resource_usage log_level=INFO)
| stats count(eval(index=="_internal" AND sourcetype=="splunkd")) as "total_calls",
        count(eval(index=="_audit" AND sourcetype=="audittrail")) as "call_one",
        count(eval(index=="_introspection" AND sourcetype=="splunk_resource_usage")) as "call_two"
You can use drilldown to code the filter query as per the column and row value clicked, which would filter the specific dataset. For the drilldown you would also need to provide more details as to what exactly your use case is, or else refer to the Splunk Drilldown documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/DrilldownIntro#Choose_a_drilldown_action
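Concretely, as an added example that is not part of this reply or of the original post: a Simple XML dashboard panel that runs the combined internal-index search above and replaces the default table drilldown with one `<condition>` per column. The default drilldown re-runs only the base search up to the first transforming command (here the outer `stats`), which is why clicking a count produced by an `appendcols` subsearch lands on the first query; an explicit per-column `<link>` instead opens the raw events behind the clicked count in a new search window with the panel's time range. The dashboard label, the 15-minute time range and the three link searches are assumptions for illustration; swap them for your own three queries.

```xml
<dashboard>
  <label>Call counts with per-column drilldown (added example)</label>
  <row>
    <panel>
      <table>
        <search>
          <!-- one base search over all three datasets, counted per dataset with count(eval(...)) -->
          <query>(index=_internal sourcetype=splunkd log_level!=INFO) OR (index=_audit sourcetype=audittrail action=search) OR (index=_introspection sourcetype=splunk_resource_usage log_level=INFO)
| stats count(eval(index=="_internal" AND sourcetype=="splunkd")) as total_calls,
        count(eval(index=="_audit" AND sourcetype=="audittrail")) as call_one,
        count(eval(index=="_introspection" AND sourcetype=="splunk_resource_usage")) as call_two</query>
          <!-- assumed time range; $earliest$/$latest$ below inherit it on click -->
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <!-- cell-level drilldown so the clicked column name is available to <condition field="..."> -->
        <option name="drilldown">cell</option>
        <drilldown>
          <!-- each condition matches the column that was clicked and opens only that dataset's events -->
          <condition field="total_calls">
            <link target="_blank">search?q=search index=_internal sourcetype=splunkd log_level!=INFO&amp;earliest=$earliest$&amp;latest=$latest$</link>
          </condition>
          <condition field="call_one">
            <link target="_blank">search?q=search index=_audit sourcetype=audittrail action=search&amp;earliest=$earliest$&amp;latest=$latest$</link>
          </condition>
          <condition field="call_two">
            <link target="_blank">search?q=search index=_introspection sourcetype=splunk_resource_usage log_level=INFO&amp;earliest=$earliest$&amp;latest=$latest$</link>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```

Paste this as the source of a new dashboard; clicking the 130, 70 or 50 cell then opens a search window containing only the events that were counted into that column, for the same time window the panel used. If you would rather stay in the dashboard, the same `<condition>` blocks can `<set token="...">` a token that a second panel's search reads, instead of opening a `<link>`.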
@mmengu416 the first concern should always be the search query; then you should think about presentation. A query which does not perform or has subsearch limitations may not give you the intended results when there are better ways to write the same search.
You are pulling data three times using subsearches when you could have pulled the same in a single shot, since the index is the same for all of them. Refer to the .conf talk by Nick Mealy @sideview on Master Joining Your Datasets Without Using Join.
Coming to your question: if the index is the same and only the search query changes, could you please add more details on what in your search query changes? Also, did you get a chance to explore how you can change the drilldown interaction from the default as per your use case? Is the drilldown required from a dashboard or from a saved search? What is the visualization in the dashboard or saved search? And is the drilldown action to run a search in a new window?
Hi, I can already see the counts for total_calls, call_one and call_two.
I want to display the events of total_calls, call_one and call_two when clicking on them.
Let's say I want to see all the call_one events: when I click on the number "70", which is the stats count for call_one, it should take me only to those events.