Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Drilldown chart needs a different query
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wwhitener
Communicator
01-27-2012
10:37 AM
Greetings,
I am doing the Advanced XML and I have a bar chart showing the results of a summary query--the count of values over a time period. I want to click on a bar and have a second graph appear showing how the value compares to the results over time--the minimum value so far, the maximum value so far, the average, etc. When I try to put in the second graph, I can hardcode in the values and it works fine. When I try to use the click.name ($click.name$) or ($click.value$), the query fails.
Has anyone else seen this?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wwhitener
Communicator
01-30-2012
07:33 AM
More information....
I actually got it to work without Sideview Utils and using multiple variables.
- I had a split-by clause in my highest level search. So, I ended up using a mix of click.name, click.value, click.name2 & click.value2.
- In order to capture every variable, I had to nest the ConvertToIntention modules. There's a mightily abbreviated version (in case I forget 😛 ) below.
- I read somewhere that the drilldown freaks a bit when using the stats command in the parent chart, so I ended up changing my query away from that. However, streamstats seems to work just fine, so I don't know.
Now if I could just figure out how to get the chart to hide the child chart and results--to reverse the drilldown......
Cheers!
<!-- Panel 2 has the overall counts -->
<module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
<param name="search">source=mysource.log | chart count(field1) over field2 by field1</param>
<param name="earliest">-1d</param>
<module name="TimeRangePicker">
<param name="default">Today</param>
<param name="searchWhenChanged">True</param>
<module name="HiddenChartFormatter">
<param name="charting.primaryAxisTitle.text">(Field2) Counts</param>
<param name="charting.secondaryAxisTitle.text">Count of Events</param>
<param name="charting.legend.placement">none</param>
<param name="charting.chart">column</param>
<param name="charting.seriesColors">[0xf055FF, 0xfC0000, 0x0FFF66]</param>
<param name="charting.chart.style">shiny</param>
<param name="charting.legend.masterLegend" />
<param name="charting.legend">legend</param>
<param name="charting.legend.placement">left</param>
<param name="charting.legend.labelStyle.maximumWidth">500</param>
<param name="charting.legend.labelStyle.defaultTextFormat">{italic:true,size:14}</param>
<module name="JobProgressIndicator" />
<!-- This is the totals chart to click on -->
<module name="FlashChart">
<param name="width">75%</param>
<param name="height">250px</param>
<!-- Begin the drill down custom coding -->
<!-- Start Simple results header -->
<!-- For any query, use this to determine your variables and values -->
<!-- Note, click.value, click.value2, click.name, click.name2 -->
<module name="SimpleResultsHeader">
<param name="entityName">events</param>
<!-- Note: Additional $time$, $count$ here -->
<param name="headerFormat">Found $count$ event(s) for field2=$click.value$ and field1=$click.name2$ $time$</param>
</module>
<!-- End Simple Results header -->
<!-- This is an inner chart and search to show statistics on the barchart click -->
<module name="HiddenSearch">
<param name="search">source=mysource.log field2=$value2$ field1=$value1$ | timechart count(field2) as MyCount | streamstats avg(MyCount) as AvgCount, min(MyCount) as MinCount, max(MyCount) as MaxCount </param>
<module name="ConvertToIntention">
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="value2">
<param name="value">$click.value$</param>
</param>
</param>
<!-- tells the addterm intention to put our term in the first search clause no matter what. -->
<param name="flags">
<list>indexed</list>
</param>
</param>
<!-- This inner ConvertToIntention takes care of the second $event$ variable -->
<module name="ConvertToIntention">
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="value1">
<param name="value">$click.name2$</param>
</param>
</param>
<!-- tells the addterm intention to put our term in the first search clause no matter what. -->
<param name="flags">
<list>indexed</list>
</param>
</param>
<module name="JobProgressIndicator"/>
<!-- The inner chart to display -->
<module name="HiddenChartFormatter">
<param name="charting.primaryAxisTitle.text">Drilldown Counts</param>
<param name="charting.secondaryAxisTitle.text">Count of Events</param>
<param name="charting.legend.placement">left</param>
<param name="charting.seriesColors">[0x0099FF, 0xCC66FF, 0xFF3333, 0x3333FF]</param>
<param name="charting.chart.style">shiny</param>
<param name="charting.chart">line</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">150px</param>
</module>
</module>
<!-- End of inner HiddenChartFormatter -->
<!-- Now to add Results -->
<module name="Paginator">
<param name="entityName">events</param>
<param name="maxPages">10</param>
<module name="EventsViewer">
<param name="segmentation">full</param>
<param name="reportFieldLink">report_builder_format_report</param>
</module>
</module>
<!-- End the Results -->
</module>
<!-- end of second ConvertToIntention -->
</module>
<!-- End of outer ConvertToIntention -->
<!-- End the drilldown custom coding -->
</module>
<!-- End Interior HiddenSearch -->
</module>
<!-- End of interior FlashChart -->
</module>
<!-- End Chart Formatter -->
</module>
<!-- End TimeRangePicker -->
</module>
<!-- End Panel 2 -->
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wwhitener
Communicator
01-30-2012
07:33 AM
More information....
I actually got it to work without Sideview Utils and using multiple variables.
- I had a split-by clause in my highest level search. So, I ended up using a mix of click.name, click.value, click.name2 & click.value2.
- In order to capture every variable, I had to nest the ConvertToIntention modules. There's a mightily abbreviated version (in case I forget 😛 ) below.
- I read somewhere that the drilldown freaks a bit when using the stats command in the parent chart, so I ended up changing my query away from that. However, streamstats seems to work just fine, so I don't know.
Now if I could just figure out how to get the chart to hide the child chart and results--to reverse the drilldown......
Cheers!
<!-- Panel 2 has the overall counts -->
<module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
<param name="search">source=mysource.log | chart count(field1) over field2 by field1</param>
<param name="earliest">-1d</param>
<module name="TimeRangePicker">
<param name="default">Today</param>
<param name="searchWhenChanged">True</param>
<module name="HiddenChartFormatter">
<param name="charting.primaryAxisTitle.text">(Field2) Counts</param>
<param name="charting.secondaryAxisTitle.text">Count of Events</param>
<param name="charting.legend.placement">none</param>
<param name="charting.chart">column</param>
<param name="charting.seriesColors">[0xf055FF, 0xfC0000, 0x0FFF66]</param>
<param name="charting.chart.style">shiny</param>
<param name="charting.legend.masterLegend" />
<param name="charting.legend">legend</param>
<param name="charting.legend.placement">left</param>
<param name="charting.legend.labelStyle.maximumWidth">500</param>
<param name="charting.legend.labelStyle.defaultTextFormat">{italic:true,size:14}</param>
<module name="JobProgressIndicator" />
<!-- This is the totals chart to click on -->
<module name="FlashChart">
<param name="width">75%</param>
<param name="height">250px</param>
<!-- Begin the drill down custom coding -->
<!-- Start Simple results header -->
<!-- For any query, use this to determine your variables and values -->
<!-- Note, click.value, click.value2, click.name, click.name2 -->
<module name="SimpleResultsHeader">
<param name="entityName">events</param>
<!-- Note: Additional $time$, $count$ here -->
<param name="headerFormat">Found $count$ event(s) for field2=$click.value$ and field1=$click.name2$ $time$</param>
</module>
<!-- End Simple Results header -->
<!-- This is an inner chart and search to show statistics on the barchart click -->
<module name="HiddenSearch">
<param name="search">source=mysource.log field2=$value2$ field1=$value1$ | timechart count(field2) as MyCount | streamstats avg(MyCount) as AvgCount, min(MyCount) as MinCount, max(MyCount) as MaxCount </param>
<module name="ConvertToIntention">
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="value2">
<param name="value">$click.value$</param>
</param>
</param>
<!-- tells the addterm intention to put our term in the first search clause no matter what. -->
<param name="flags">
<list>indexed</list>
</param>
</param>
<!-- This inner ConvertToIntention takes care of the second $event$ variable -->
<module name="ConvertToIntention">
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="value1">
<param name="value">$click.name2$</param>
</param>
</param>
<!-- tells the addterm intention to put our term in the first search clause no matter what. -->
<param name="flags">
<list>indexed</list>
</param>
</param>
<module name="JobProgressIndicator"/>
<!-- The inner chart to display -->
<module name="HiddenChartFormatter">
<param name="charting.primaryAxisTitle.text">Drilldown Counts</param>
<param name="charting.secondaryAxisTitle.text">Count of Events</param>
<param name="charting.legend.placement">left</param>
<param name="charting.seriesColors">[0x0099FF, 0xCC66FF, 0xFF3333, 0x3333FF]</param>
<param name="charting.chart.style">shiny</param>
<param name="charting.chart">line</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">150px</param>
</module>
</module>
<!-- End of inner HiddenChartFormatter -->
<!-- Now to add Results -->
<module name="Paginator">
<param name="entityName">events</param>
<param name="maxPages">10</param>
<module name="EventsViewer">
<param name="segmentation">full</param>
<param name="reportFieldLink">report_builder_format_report</param>
</module>
</module>
<!-- End the Results -->
</module>
<!-- end of second ConvertToIntention -->
</module>
<!-- End of outer ConvertToIntention -->
<!-- End the drilldown custom coding -->
</module>
<!-- End Interior HiddenSearch -->
</module>
<!-- End of interior FlashChart -->
</module>
<!-- End Chart Formatter -->
</module>
<!-- End TimeRangePicker -->
</module>
<!-- End Panel 2 -->
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
RicoSuave
Builder
01-30-2012
04:51 AM
Can you please post your advanced xml? And are you using Sideview Utils?
Get Updates on the Splunk Community!
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
