Splunk Search

How to set a different drilldown for each cell in a table in my Simple XML dashboard?

sidekix24
Path Finder

Does anyone know of a way or have a good link on how to set a different drilldown for each cell in a table? I'm using a Simple XML dashboard and I'm able to make a whole column to go to one page, but I wanted to see if I could do the same but by cell. Is that possible?

Thanks

1 Solution

sundareshr
Legend

Try this runanywhere sample. This should give you some ideas

<dashboard>
  <label>Test Dashboard</label>
  <row>
    <panel>
      <table>
        <title>$x$</title>
        <search>
          <query>index=_internal | stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">row</option>
        <option name="refresh.display">preview</option>
        <drilldown target="NewWindow">
          <condition match="match('click.value', &quot;splunk&quot;)">
            <link>http://www.splunk.com</link>
          </condition>
          <condition match="match('click.value', &quot;mongo&quot;)">
            <link>https://www.mongodb.com/presentations/splunks-hunk-powerful-way-visualize-your-data-stored-mongodb</link>
          </condition>
          <condition field="*">
            <set token="x">did not match</set>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens#Custom_logic_for_dashboards

View solution in original post

sundareshr
Legend

Try this runanywhere sample. This should give you some ideas

<dashboard>
  <label>Test Dashboard</label>
  <row>
    <panel>
      <table>
        <title>$x$</title>
        <search>
          <query>index=_internal | stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">row</option>
        <option name="refresh.display">preview</option>
        <drilldown target="NewWindow">
          <condition match="match('click.value', &quot;splunk&quot;)">
            <link>http://www.splunk.com</link>
          </condition>
          <condition match="match('click.value', &quot;mongo&quot;)">
            <link>https://www.mongodb.com/presentations/splunks-hunk-powerful-way-visualize-your-data-stored-mongodb</link>
          </condition>
          <condition field="*">
            <set token="x">did not match</set>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens#Custom_logic_for_dashboards

reschal
Explorer

I have an additional question:

Everything works fine but i have one problem:

In my case there is for example one field called splunk and one field called splunk_two.

By typing this condition:
condition match="match('click.value', "splunk")"

there is no way to get to the link of splunk_two because there is the expression "splunk" in it.

Is there any option to strictly define the click.values?

Thanks for your help!

0 Karma

ww9rivers
Communicator

This is just a guess at this point, but I believe it works.

According to the Dashboards and Visualizations doc, the "match('click.value', "splunk")" is an eval expression. So the second parameter to the match() function ("splunk" in your example) is a regex.

So to match "splunk" exactly and not match "splunk_two", you may use the expression match('click.value', '^splunk$') -- which matches the word "splunk" with nothing before or after it.

reschal
Explorer

This works well. Thank you 🙂

0 Karma

sidekix24
Path Finder

Thanks sundareshr,

I'm trying to figure this out. What condition directs you to the mongodb site in the sample above? I just keep going to the splunk site when I click on the table

Thanks again

0 Karma

vino06
New Member

Hi,

How can I make a drill down that has the same Field name but different Value.

Example, I have a field it's name is System and two values which are McLaren and IRIS SOLO. If I click the McLaren it will open the McLaren dashboard then for the IRIS SOLO it will open the IRIS SOLO dashboard. But in my XML I'm having trouble doing it. Here is my code, hope you can help me to figure this out.

      <condition field="System">
        <link target="McLaren">https://soic-itsi:8000/en-US/app/splunk_app_windows_infrastructure/mclaren_availability?form=$row.McLaren$</link>
      </condition>

      <condition field="System">
        <link target="IRIS SOLO">https://soic-itsi:8000/en-US/app/splunk_app_windows_infrastructure/iris_solo_monitoring?form=$row.IRIS SOLO$</link>
      </condition>
    </drilldown>
0 Karma

sundareshr
Legend

Sourcetype mongod should take you to mongodb site

0 Karma

sidekix24
Path Finder

got it..ok, that makes sense for specific values but I'm trying to figure out how to assign a specific link to each cell.

Any ideas on that?

0 Karma

sundareshr
Legend

If you share your URLs there may be better dynamically build your URL, but for now, you can try this

        <drilldown>
          <set token="m">$click.value$#$click.name2$</set>
          <eval token="click">case($m$="mongod#count", "splunk.com", $m$="splunkd#count", "google.com", 1=1, "UNK")</eval>
          <link target="_blank">http://$click$</link>
        </drilldown>
0 Karma

sidekix24
Path Finder

Thanks sundareshr,

I'm trying to redirect to different app/dashboards

like clicking on mongod takes you to: /app/Test/reports

Clicking on count in mongod row takes you to :/app/Test/searches

Scheduler takes you to: /app/Test/

Count in Scheduler row takes you to : /app/Test/reports

0 Karma

sidekix24
Path Finder

I think I may have it solved by combining the 2 solutions that you gave me. I'm going to try it out tonight/tomorrow to see if it fits what I'm trying to do.

Feel free to send any other suggestions though but I'll let you know if the combo solution works out in the end 🙂

Thanks again!!!

0 Karma

sundareshr
Legend

Since all of them redirect to /app/test you should keep that static in the link tag. Having said that, a different approach would be to keep one dashboard and change the data in the dashboard by passing in values user clicks on your table. That way, you only have to maintain one dashboard. Its easy for me to say 🙂

0 Karma

sidekix24
Path Finder

That's a great idea....but you know I have to ask, do you know how to pass a token from one dashboard to another?

🙂

0 Karma

sundareshr
Legend

In the querystring. take a look at this documentation

http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/PanelreferenceforSimplifiedXML#Drilldown_eleme...

<table>
<search>index=_internal</search>

<!-- Pass the clicked row's 'count'-column value    -->
<!-- to populate a destination form's 'foo' token. -->
<drilldown>
  <link>
  /app/search/simple_xml_form?form.foo=$row.count$
  </link>
</drilldown>
</table>
0 Karma

sidekix24
Path Finder

I just need them to go to a prebuilt dashboard when they click so a sample would be:

if you click on the count value in the mongod row you go to: /app/Test/table_cell_highlighting_test

If you click on mongod cell you go to:
/app/Test/alerts

If you click on scheduler cell you go to:
/app/Test/reports

if you click on the count value in the scheduler row you go to:

/app/Test/search

0 Karma

sidekix24
Path Finder

Thanks again for all the assistance

0 Karma

sundareshr
Legend

There's some good documentation on the Splunk website on drilldown from dashboards. You can start here for your specific need.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens#Predefined_tokens_for_dynamic_drilldown

If you share your current dashboard and specific questions, someone in the community will help

0 Karma

sidekix24
Path Finder

alt text

I'd like to be able to configure each cell under availability, performance, Host Health and Host Health 2 to take me to a different page when I click on it.

So if I click on top cell under Availability, I can get taken to a dashboard for Availability for sourcetype mongod and so on.

Thanks

0 Karma

nfilippi_splunk
Splunk Employee
Splunk Employee

Thanks for taking the time to walk through your use case here. In the example that you describe, are you looking to be taken to a dashboard for Availability, and pass in the argument of sourcetype=mongod to populate a form input?

Or do you have a dedicated dashboard for "Availability of Mongod"?

0 Karma

sidekix24
Path Finder

dedicated dashboard for each cell.

Thanks

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...