SimpleResultsTable Drilldown - Use single value

ftk
Motivator

I have a SimpleResultsTable displaying the following data:

Count   Source IP   Source Country   Host
787     1.1.1.1     USA              host1
678     1.1.1.2     China            host1
123     1.1.1.9     Brazil           host2

When clicking on a result in the chart I want the drilldown search to filter on Source IP, but I can't get it to do just that. Here is what I have tried:

  1. Using drilldown=row, the drilldown search filters on Count. Tried moving it over to Source IP but couldn't get it to.
  2. Using drilldown=all clicking any value adds Count as well as that value. No good.
  3. Using the ConvertToIntention example from the docs and drilldown=row it still passes Count down to the drilldown search.
  4. Using the ConvertToIntention example from the docs and drilldown=all, and then trying to only pass the $click.value2$ into the search, it still adds value1 (again, Count).

Is there any way to only pass click.value2 or another way to pass Source IP instead of Count?

Thanks!

1 Solution

sideview
SplunkTrust

Table drilldown will always use the first value, and changing it from 'row' to 'cell' just makes it potentially also use that column+cell pair in addition to using the first key+value pair.

I know in cases like this it feels a little limiting, but the solution is to simply re-order the fields in the table such that the field you want to drill in on is the first field. The fields clause can do this for you.

<your search> | fields "Source IP" Count "Source Country" Host

NOTE: assuming you're using the rename command to get those nice field names, you should put the rename command after the reporting commands, not before.

If you don't, your drilldown searches will work but they'll be a lot less efficient, pulling a lot more off disk to get the same thing done:

foo | rename clientip as "Source IP" | search "Source IP" = 216.248.53.142

But drilldown is smart enough to deal with rename commands that come after the reporting commands. (Note this is NOT true of many other commands like eval)

Thus drilling into a row in

foo | stats count by clientip | rename clientip as "Source IP"

after a click on a row, the resulting search is

foo clientip=216.248.53.142

(although admittedly it won't preserve your nice rename...)

Another minor note: fields with spaces work great in the search language but they can cause some problems when the resulting search is loaded in flashtimeline. In particular those fields won't be handled correctly by the modules in the blue sidebar (FieldPicker etc).
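As an added example (not part of sideview's answer or the asker's dashboard XML), here is the asker's table built the way the answer recommends: the reporting command runs first, fields moves the IP column to the front so the first-column drilldown heuristic picks it up, and rename comes last so the drilldown can still resolve the original field name. The index, sourcetype and raw field names (index=web, access_combined, clientip, country, host) are assumptions standing in for whatever the real search uses.

```spl
index=web sourcetype=access_combined
| stats count BY clientip, country, host
| fields clientip count country host
| rename clientip AS "Source IP", count AS Count, country AS "Source Country", host AS Host
```

The displayed table still shows Count, Source IP, Source Country and Host, just with Source IP as the first column. Following the answer's description of how drilldown handles a trailing rename, clicking the second row should produce a drilldown search of the form `index=web sourcetype=access_combined clientip=1.1.1.2`, filtering on the original clientip field rather than on Count.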

ftk
Motivator

I have added the XML I am using to display this chart on pastebin: http://splunk.pastebin.com/zYepR7Hb

The XML in this example left off at step 4 of my original question.

0 Karma


sideview
SplunkTrust

Hey Felix. Although this still isn't addressed in the core product, I did fix it in the sideview_utils stuff. So if you switch to using sideview_utils techniques, you can have $click.fields.someFieldName$

0 Karma

sideview
SplunkTrust

Cool. Yes I think we'll make this better in the next release. There's an ERD for the next big release (which will most likely be known to the world as 4.2) specifying 7 known problems in table/chart drilldown that could be solved, and #1 is "current 'first column' heuristic fails in key cases.".

0 Karma

ftk
Motivator

Thanks Nick, reordering the fields worked. I just would have preferred to have Count displayed first, but I can deal with it. Is picking a specific field on the feature list for a future release?

0 Karma