Dashboards & Visualizations

Drilldown linking passing value from one panel to another in a dashboard

shabdadev
Engager

Hi All

<form>
  <label>demo</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label>time</label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>demo1</title>
      <table>
        <search>
          <query>index=ihs host=losat  sourcetype=ihs_acc 

(
URLRedefined="/wcs/resource/store/101" 
)

| eval URL=

case
(
match(URLRedefined,"\/wcs\/resource\/store\/101"),"/wcs/resources/store/101"

) | lookup sla1.csv url as URL OUTPUT SLA |  eval RespTime=round(ResponseTime/1000,3) | eval sla_status = if(RespTime>SLA, "Alert !! SLA Breached", "Happy !! Under SLA")  | 

stats count as "Total Hits" perc95(RespTime) as "95th Percentile Response Time"  by URL sla_status Method | rename sla_status as "SLA Status" | sort "SLA Status"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="SLA Status">
          <colorPalette type="map">{"Abey !! SLA Breach Ho Gaya":#D93F3C,"Happy !! Under SLA":#65A637}</colorPalette>
        </format>
        <drilldown>
          <link>/en-US/app/search/demo?</link>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>graph</title>
        <search>
          <query>index=ihs host=losat  sourcetype=ihs_acc URLRedefined=$click.value$ | eval RespTime=round(ResponseTime/1000,3)  | timechart perc95(RespTime)</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>

In the above source code ..there are 2 panels ...one is demo and other is graph
My condition is :

when the results for first panel are displayed and when i click on URL column value

a timechart should display in the second panel named graph

Problem is i am not able to drilldown link the URL and then use it in second panel query using token.
I have gone through the splunk tutorial but that doesn't seems to be explaining in layman terms .

0 Karma
1 Solution

HiroshiSatoh
Champion

Try this!

※click.value
The value in the far left column of the clicked row.

         <drilldown>
           <link>/en-US/app/search/demo?</link>
         </drilldown>
↓
         <drilldown>
           <set token="URLRedefined_tok">$click.value$</set>
         </drilldown>


 <query>index=ihs host=losat  sourcetype=ihs_acc URLRedefined=$click.value$ 
↓
 <query>index=ihs host=losat  sourcetype=ihs_acc URLRedefined=$URLRedefined_tok$ 

View solution in original post

0 Karma

niketn
Legend

You can set token tokURL, using default tokens for the table $row.<fieldname>$. In your case it is the URL field so the token to be used is $row.URL$ to access the URL value of clicked row. As the name indicated you can click anywhere on the row to set required token for drilldown. As per your question I have used condition block with field="URL" to set the token only when the selected column/field is URL.

    <drilldown>
       <!-- URL field is clicked - Set URL Token -->
       <condition field="URL">
           <set token="tokURL">$row.URL$</set>
       </condition>
       <!-- Other field is selected - Do nothing -->
       <condition>
             <!-- DO NOTHING -->
       </condition>
     </drilldown>

Then use tokURL in your second Panel search. Also use depends to show/hide timechart only when the value of URL is present. PS: it can be applied to row, panel, chart based on what you need to show/hide based on whether tokURL is set or not.

   <row depends="$tokURL$">
     <panel>
       <chart>
         <title>graph</title>
         <search>
           <query>index=ihs host=losat  sourcetype=ihs_acc URLRedefined=$tokURL$ 
| eval RespTime=round(ResponseTime/1000,3)
| timechart perc95(RespTime)</query>
...
...

If you want to explore some examples best resource is Splunk 6.x Dashboard Examples App from Splunkbase, which has several examples for drilldown. If you are on Splunk 6.6 then drilldown events can directly be handled via UI Editor.
Following are references from Splunk Documentation:
http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#table_2
http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#Visualization_event_han...
http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Define_tokens_for_conditional_operatio...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

HiroshiSatoh
Champion

Try this!

※click.value
The value in the far left column of the clicked row.

         <drilldown>
           <link>/en-US/app/search/demo?</link>
         </drilldown>
↓
         <drilldown>
           <set token="URLRedefined_tok">$click.value$</set>
         </drilldown>


 <query>index=ihs host=losat  sourcetype=ihs_acc URLRedefined=$click.value$ 
↓
 <query>index=ihs host=losat  sourcetype=ihs_acc URLRedefined=$URLRedefined_tok$ 
0 Karma

shabdadev
Engager

Hi
Thanks a lot
I think this type of explanation is needed ....i went through whole doc of drilldown but couldnt got through 🙂

Thanks again.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...