Dashboards & Visualizations

Why does only 1 of 3 conditional drilldowns work as expected with my current dashboard search?

garinapavan
Explorer

I have a dashboard with one search and basically it has 3 conditional drilldowns routing to 3 different dashboards. My first conditional drilldown works perfectly, but the rest are not working. Not sure where I'm going wrong. Any help is appreciated.

In the dashboard, this is my search:

sourcetype=opl_soa RFault="remoteFault" source="/logs/SOA_MS*-diagnostic.log" host="mialvsoaap0*p" | append [search BFault="bindingFault" source="/logs/SOA_MS*-diagnostic.log" host="mialvsoaap0*p"] | append [search BusinessFault ="business fault" source="/logs/SOA_MS*-diagnostic.log" host="mialvsoaap0*p"]|timechart span=5m count(RFault) as RemoteFaults, count(BFault="bindingFault") as BindingFaults,count(BusinessFault ="business fault") as BusinessFaults

and I have 3 drilldowns pointing to 3 different dashboards in the main dashboard where the above search is residing.

First one works and the other two do not. Any suggestions? Attached the code image:
alt text

0 Karma
1 Solution

dolivasoh
Contributor

I believe you should put all three condition blocks within one drilldown block instead of separate ones.

View solution in original post

dolivasoh
Contributor

I believe you should put all three condition blocks within one drilldown block instead of separate ones.

martin_mueller
SplunkTrust
SplunkTrust

You can put anything you like in an html panel, including links. http://docs.splunk.com/Documentation/Splunk/6.4.0/Viz/PanelreferenceforSimplifiedXML#html

0 Karma

garinapavan
Explorer

Thank You ! it worked . one more question .

On the Main dash board , i have a timer on the panel and if i want to default it to last 4 hours . how can i do that ?

the reason is if i drill down to some other page and get back to main dashboard , My timer on the main dashboard will start pulling "ALL time " by default and i want it to be defaulted to 4 hours and if anybody want to search based on some other time , then they can set it to some other time like last 24 hors , last 60 mins etc .

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Edit panels (top right corner), edit time range picker (pencil icon), select default time range you like.

garinapavan
Explorer

Thanks a lot for help ! it worked .

0 Karma

garinapavan
Explorer

Thank You ! it worked .

One more question ..

Is there any option where I can traversere from Sub dashboards to Main Dashboard ?

For example i have one Main dashboard where in i can drill down to 3 sub sub dashboards .

When i go to sub dashboard , can i have a link pointing to Main Dashboard and after clicking it routes to main dashboard ?

-pavan

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Slightly off-topic: Do not append three searches to each other. Instead, use OR:

sourcetype=opl_soa source="/logs/SOA_MS*-diagnostic.log" host="mialvsoaap0*p" (RFault="remoteFault" OR BFault="bindingFault" OR BusinessFault="business fault" | timechart ...

Should run much faster.

0 Karma

garinapavan
Explorer

H Martin ,

Do you have any idea/ suggestions about this thread ?

https://answers.splunk.com/answers/399941/adding-colors-based-on-search-results.html

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...