Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I hide a field from a chart but keep it on a drilldown?

igorsantos07
Explorer
‎11-13-2018 04:25 PM

I have a Dashboard with a graph and a drilldown table underneath it. The graph shows on the x-axis an eval field (concat of two strings), and I need those two strings on the drilldown table. However, if I hide those fields from the graph they don't get filled in the drilldown tokens, and if they're displayed, they make no sense on the graph.

I think it could also work, although it's a bit ugly. I could split the concatenated value into two tokens to be used in the drilldown search query, but I can't find how to do it.

Sample code:

  <chart>
    <search>
      <query>
        source="query.log" ac=main
        | stats AVG(time) as time, p95(time) as perc by controller, action
        | eval form=controller."/".action
        | sort -perc
        | fields form, time, perc, controller, action <!-- wanted to hide controller and action from graph -->
      </query>
    </search>
    <drilldown>
      <set token="main_form">$row.form$</set>
      <set token="main_controller">$row.controller$</set><!-- isn't filled if hidden at "fields" -->
      <set token="main_action">$row.action</set><!-- isn't filled if hidden at "fields" -->
    </drilldown>
  </chart>

Current result (with renamed fields and whatnot); ac/controller and af/action shouldn't be on the graph, but present on query so they can be used on drilldown:

sample

Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎11-17-2018 09:46 AM

@igorsantos07 seems like the form field that you have in your chart combines both controller and action fields. So you can use form field value on drilldown and use eval to split them into controller and action.

alt text
Following is a run anywhere Simple XML Dashboard Example based on Splunk's _internal index. It uses component and log_level fields to create form field. Only form field is displayed in the chart. Then using <eval> it splits form back to component and log_level tokens for drilldown.

Please try out and confirm!

<dashboard>
  <label>Chart Drilldown</label>
  <row>
    <panel>
      <title>tokComponent: $tokComponent$ | tokLogLevel: $tokLogLevel$</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd component=* log_level=* 
| stats avg(date_second) as time, p95(date_second) as perc by component, log_level 
| eval form=component."/".log_level 
| sort -perc 
| fields form, time, perc</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">area</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="height">409</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <drilldown>
          <eval token="tokComponent">mvindex(split($row.form$,"/"),0)</eval>
          <eval token="tokLogLevel">mvindex(split($row.form$,"/"),1)</eval>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎11-17-2018 09:46 AM

@igorsantos07 seems like the form field that you have in your chart combines both controller and action fields. So you can use form field value on drilldown and use eval to split them into controller and action.

alt text
Following is a run anywhere Simple XML Dashboard Example based on Splunk's _internal index. It uses component and log_level fields to create form field. Only form field is displayed in the chart. Then using <eval> it splits form back to component and log_level tokens for drilldown.

Please try out and confirm!

<dashboard>
  <label>Chart Drilldown</label>
  <row>
    <panel>
      <title>tokComponent: $tokComponent$ | tokLogLevel: $tokLogLevel$</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd component=* log_level=* 
| stats avg(date_second) as time, p95(date_second) as perc by component, log_level 
| eval form=component."/".log_level 
| sort -perc 
| fields form, time, perc</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">area</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="height">409</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <drilldown>
          <eval token="tokComponent">mvindex(split($row.form$,"/"),0)</eval>
          <eval token="tokLogLevel">mvindex(split($row.form$,"/"),1)</eval>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

igorsantos07
Explorer
‎11-19-2018 02:48 PM

aha! I knew there must be a split somewhere! thanks 🙂

0 Karma
Reply
Solved! Jump to solution

igorsantos07
Explorer
‎11-19-2018 02:55 PM

I would only suggest you remove all those chart options that are not relevant to the question I asked 😉

Reply
Solved! Jump to solution

niketn
Legend
‎11-19-2018 07:52 PM

@igorsantos07 they are the default chart configurations that got added while preparing the run anywhere example. As you would have figured out, <drilldown> is the only important section that I have modified. (Along with <option name="charting.drilldown">all</option>)

While providing run anywhere examples I tend to provide entire XML along with explanation of what is coded specifically for solving the problem. Taking out additional code is further work which I tend to avoid to save time 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎11-13-2018 09:39 PM

@igorsantos07,

Rename the controller and action to _controller and _action and use those field names in the drill down

| fields form, time, perc, controller, action|rename controller as _controller,action as _action

Tokens

       <set token="main_controller">$row._controller$</set>
       <set token="main_action">$row._action</set>

Here is a run anywhere example where _EmpId is not visible in table but the token is assigned with the _EmpId value

<dashboard>
  <label>Dashboard With Hidden Drilldown</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults count=5|eval Name="ABC"| streamstats count as _EmpId</query>
          <earliest>-1s@s</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <set token="empid">$row._EmpId$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <html>
      <h1> Emp Id from drilldown is <font color="red">$empid$</font></h1>
    </html>
  </row>
</dashboard>
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

igorsantos07
Explorer
‎11-14-2018 06:13 PM

Actually, that didn't work for the drilldown. The fields got, indeed, hidden from the chart, but they still doesn't go into the tokens. If I take the underline both from the query (i.e. renaming to something else) and the $row.xyz$ part, it works, but the field gets back onto the chart. It's the same behavior I reported initially.

tokens

This was supposed to be fed by the tokens, but they only get the raw variable names - which I guess are the initial values:
alt text

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎11-14-2018 07:20 PM

@igorsantos07, did the sample xml dashboard work for you ? Can you please try that ? Which visualization you are using ?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎11-14-2018 11:44 PM

Ok if you are using a chart, then the _field might not work . Simple CSS workaround could be an option 

  <row>
       <html depends="$dummyPanelForCSS$">
         <style>
           #myChartId g.highcharts-legend-item:nth-child(3)
           {
               visibility: hidden !important;
           }
         </style>
       </html>
  </row>

and add myChartId to your chart chart id="myChartId"

Example : 

<dashboard>
  <label>Dashboard With Hidden Drilldown</label>
  <row>
       <html depends="$dummyPanelForCSS$">
         <style>
           #myChart g.highcharts-legend-item:nth-child(3)
           {
               visibility: hidden !important;
           }
         </style>
       </html>
  </row>
  <row>
    <panel>
      <chart id="myChart">
        <search>
          <query>index=_*|stats count by index,sourcetype|eventstats sum(count) as _total|eval perc=round((count/_total)*100,0)."%"</query>
          <earliest>-1m@m</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <set token="empid">$row.perc$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <html>
      <h1> Emp Id from drilldown is <font color="red">$empid$</font>
        </h1>
    </html>
    </panel>
  </row>

</dashboard>
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

igorsantos07
Explorer
‎11-14-2018 02:34 PM

Wow! That old trick of "hiding" variables by using an underline prefix. Where would I find that in the docs? This should be hinted somewhere, I visited a bunch of answers and docs and whatnot and didn't find info on that.

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...