Dashboards & Visualizations

Why is drilldown not working properly?

aditsss
Builder

Hi Team,

I have two panels . For my 1st panel the query is:

<title>DataGraphNodes Exceptions Details</title>
<table>
<search>
<query>index=abc ns=sidh-datagraph3-c2 OR sidh-datagraph3 nodeException node="*" |rex field=_raw "message=(?P&lt;datetime&gt;\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d+)\s"|stats count by ns app_name node nodeMethodName nodeException datetime |rename node as "Node"| rename nodeMethodName as "NodeMethod"|rename nodeException as "Node-Exception" | rename datetime as "Log_Time"|fields - count</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<drilldown>
<set token="show_panel">true</set>
<set token="selected_value">$click.value$</set>
</drilldown>
</table>

 

And I am getting result like this:

ns                                        app-name                   Node        Node method                Exception   Log-Time

sidh-datagraph3  data-graph-acct-b          https       getDetailsBySENo             Invalid Id                2022-06-21

sidh2                          data-acct-b                      https          invalid                                    InvalidId                2022-06-22

 

Foe 2nd panel I want when I click on 1st panel row the details should come based on the row I will select on 1st panel.

My 2nd panel query is:

<panel depends="$show_panel$">
<table>
<title> Events</title>
<search>
<query>index=abc ns=sidh-datagraph3-c2 OR sidh-datagraph3 nodeException $node$ $selected_value$ </query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
</table>
</panel>

 

But its not coming proper in 2nd panel all the results are coming. I want only the row that I select in 1st panel that exception will come.

Can someone guide me.

Labels (3)
0 Karma

gcusello
Legend

Hi @aditsss,

you should see in the splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603/) there's an example that exactly answers to your need: "In-page Drilldown with Perma-Linking".

Anyway, the problem is that with click.value you tale only one value, instead you have to take more values, so, use the $row.<field>$ option to set values:

<set token="node">$row.node$</set>
<set token="selected_value">$row.selected_value$</set>

 Ciao.

Giuseppe

0 Karma

aditsss
Builder

@gcusello 

I made the below changes in 1st panel dashboard

<title>DataGraphNodes Exceptions Details</title>
<table>
<search>
<query>index=abc ns=sidh-datagraph3-c2 OR sidh-datagraph3 nodeException node="*" |rex field=_raw "message=(?P&lt;datetime&gt;\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d+)\s"|stats count by ns app_name node nodeMethodName nodeException datetime |rename node as "Node"| rename nodeMethodName as "NodeMethod"|rename nodeException as "Node-Exception" | rename datetime as "Log_Time"|fields - count</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<drilldown>
<set token="show_panel">true</set>
<set token="node">$row.node$</set>
<set token="selected_value">$row.selected_value$</set>
</drilldown>
</table>
</panel>

 

NO RESULT FOUND IS COMING IN 2ND DASHBORAD

0 Karma

gcusello
Legend

Hi @aditsss,

what's the search in panle2?

you should try:

index=abc ns=sidh-datagraph3-c2 OR sidh-datagraph3 nodeException node="$node$" selected_value="$selected_value$"

then check if the fields in panel2 are correct and if the values from Panel1 match some value in panel 2.

Ciao.

Giuseppe

0 Karma

aditsss
Builder

@gcusello 

 

The data is still not coming in 2nd panel

My 1st panel query

<panel>
<title>DataGraphNodes Exceptions Details</title>
<table>
<search>
<query>index=abc ns=sidh-datagraph3-c2 OR sidh-datagraph3 nodeException node="*" |rex field=_raw "message=(?P&lt;datetime&gt;\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d+)\s"|stats count by ns app_name node nodeMethodName nodeException datetime |rename node as "Node"| rename nodeMethodName as "NodeMethod"|rename nodeException as "Node-Exception" | rename datetime as "Log_Time"|fields - count</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<drilldown>
<set token="show_panel">true</set>t>
<set token="selected_value">$row.selected_value$</set>
</drilldown>
</table>
</panel>

My 2nd panel query

<panel depends="$show_panel$">
<table>
<title> Events</title>
<search>
<query>index=abc ns=sidh-datagraph3-c2 OR sidh-datagraph3 nodeException node="*" selected_value="$selected_value$" </query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="count">100</option>
</table>
</panel>

0 Karma

gcusello
Legend

Hi @aditsss,

as I said:

first check:

  • what are the fields to pass as tokens from the first and the second panel?
  • Are you sure that they have the same field name?

second check:

  • what's an example of values of the first panel that matches in the second panel?
  • you should manually test this.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...