I have a SimpleResultsTable displaying the following data:
Count Source IP Source Country Host
787 1.1.1.1 USA host1
678 1.1.1.2 China host1
123 1.1.1.9 Brazil host2
When clicking on a result in the chart I want the drilldown search to filter on Source IP, but I can't get it to do just that. Here is what I have tried:
Is there any way to only pass click.value2 or another way to pass Source IP instead of Count?
Thanks!
Table drilldown will always use the first value, and changing it from 'row' to 'cell' just makes it potentially also use that column+cell pair in addition to using the first key+value pair.
I know in cases like this it feels a little limiting, but the solution is to simply re-order the fields in the table such that the field you want to drill in on is the first field. The fields clause can do this for you.
<your search> | fields "Source IP" Count "Source Country" Host
NOTE: assuming you're using the rename command to get those nice field names, you should put the rename command after the reporting commands, not before.
If you don't, your drilldown searches will work but they'll be a lot less efficient, pulling a lot more off disk to get the same thing done:
foo | rename clientip as "Source IP" | search "Source IP" = 216.248.53.142
But drilldown is smart enough to deal with rename commands that come after the reporting commands. (Note this is NOT true of many other commands like eval)
Thus drilling into a row in
foo | stats count by clientip | rename clientip as "Source IP"
after a click on a row, the resulting search is
foo clientip=216.248.53.142
(although admittedly it won't preserve your nice rename...)
Another minor note: fields with spaces work great in the search language but they can cause some problems when the resulting search is loaded in flashtimeline. In particular those fields won't be handled correctly by the modules in the blue sidebar (FieldPicker etc.)
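As an added example (not code from the original answer or from Splunk), here is the full search pipeline the answer above recommends, put together: the reporting command first, the rename after it, and the fields clause last so that Source IP is the first column and therefore the one the table drilldown picks up. The base search `foo` and the raw field names clientip, country and host are assumptions; substitute your own.

```spl
foo
| stats count BY clientip, country, host
| rename clientip AS "Source IP", country AS "Source Country", host AS "Host", count AS "Count"
| fields "Source IP" Count "Source Country" Host
```

Because the rename sits after stats, clicking the first row of the asker's table (1.1.1.1) should produce a drilldown search of the form `foo clientip=1.1.1.1`, which filters on the raw indexed field rather than running a rename followed by a search on the renamed field, the inefficient form the answer warns about. If you later add an eval that derives the column you want to drill on, that mapping back to the raw field is lost, so keep the column used for drilldown as a renamed reporting field rather than an eval result.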
I have added the XML I am using to display this chart on pastebin: http://splunk.pastebin.com/zYepR7Hb
The XML in this example left off at step 4 of my original question.
Hey Felix. Although this still isn't addressed in the core product, I did fix it in the sideview_utils stuff. So if you switch to using sideview_utils techniques, you can have $click.fields.someFieldName$
Cool. Yes I think we'll make this better in the next release. There's an ERD for the next big release (which will most likely be known to the world as 4.2) specifying 7 known problems in table/chart drilldown that could be solved, and #1 is "current 'first column' heuristic fails in key cases.".
Thanks Nick, reordering the fields worked. I just would have preferred to have count displayed first, but I can deal with it. Is picking a specific field on the feature list for a future release?