I've searched and found all sorts of advice and links to articles, but nothing has worked. Granted I am a Splunk newbie, so I am more than willing to accept I've done something completely daft - in which case, I welcome all feedback about how I might improve my dashboard, not just the drilldown.
I have a dashboard that looks kinda like this:
<row>
<panel>
<table>
<title>Top 20 Daily Viewers</title>
<search>
<query>sourcetype=wiki_users site="BLAH" username!="-" | stats count by username | lookup FRIENDLY_USERNAMES samaccountname as username | eval displayname=if(isnull(displayname),username,displayname) | sort -count | head 20 | table displayname, count | rename displayname AS "User name", count AS "Number of times of viewed"</query>
<earliest>@d</earliest>
<latest>now</latest>
</search>
<option name="drilldown">row</option>
</table>
</panel>
</row>
The lookup takes a user name like gcampbe1 and replaces it with Graham Campbell (Docs) and so on.
What I now need is to be able to click on Graham Campbell (Docs) to see exactly which articles in the wiki he's been looking at, not just his daily count of articles. But because I've used the lookup, I can't pass Graham Campbell (Docs) using the click.value token because I need gcampbe1, which is in the username field.
I thought I would be able to use $row.username$ in the drilldown link to a follow-on query, but that never works. Instead, the literal string "$row.username$" gets passed to the drilldown search, which of course produces nothing. Here's how I formatted that:
<option name="drilldown">row</option>
<drilldown>
<link>search?q=sourcetype=confluence_access site="BLAH" username="$row.username$" | stats count by url</link>
</drilldown>
This is driving me absolutely nuts now so I would really appreciate any and all input here.
Cheers,
G
... View more