Sideview Utils: Drilldown by Column?

_gkollias
SplunkTrust

I'm adding Sideview Utils modules in order to do some URL passing, and I'd like to figure out a way to possibly drill down by column rather than row...is this possible?

At the end of my search I use ...| timechart span=1h count by foo | - where I would like to see a chart of the data below its corresponding area graph.

I'd like to be able to click on "count" below a particular header, rather than clicking on a row.
The timechart has different order types, and the count by hour below.

Here is a sample of the XML I'm using:

        <module name="SimpleResultsTable">
          <param name="count">10</param>
          <param name="entityName">results</param>
          <param name="drilldown">row</param>

          <module name="Redirector">
            <param name="url">cg_diversity_invoice_detail</param>
            <param name="arg.parameter_1">$click.fields.count$</param>
          </module>
        </module>
      </module>
    </module>    <!-- End URLLoader -->
  </module>
</view>

Is there any way to do this, or will I need to edit/redo the timechart to something else where row would make sense?

Your help would be much appreciated.

Thank You

1 Solution

_gkollias
SplunkTrust

Cool, thank you for the feedback. Pick-a-cell mode would be fantastic. I actually modified my search from using timechart to stats so users can select the orderTypes easier. It looks like:


<![CDATA[
index=contract_gateway earliest=-4h@h sourcetype=esb_audit esb_top_level=1 status="SUCCESS" NOT bp_bp_name="Task"
svc_context_name="x." OR
svc_context_name="y" OR
svc_context_name="z"
| addinfo
| eval current_hour = strftime(info_search_time,"%H")
| eval marker = case(date_hour=current_hour,"this",date_hour=(current_hour-1),"one",date_hour=(current_hour-2),"two",date_hour=(current_hour-3),"three")
| stats
    count(eval(marker="this")) AS PO_Count_This_Hour,
    count(eval(marker="one")) AS PO_Count_Last_Hour,
    count(eval(marker="two")) AS PO_Count_2_Hours_Ago,
    count(eval(marker="three")) AS PO_Count_3_Hours_Ago
    by svc_context_name
| fillnull PO_Count_This_Hour, PO_Count_Last_Hour, PO_Count_2_Hours_Ago, PO_Count_3_Hours_Ago
| sort svc_context_name
]]>
</param>

<module name="SimpleResultsTable">
  <param name="count">10</param>
  <param name="entityName">results</param>
  <param name="drilldown">row</param>
  <module name="Redirector">
    <param name="url">cg_diversity_channel_detail</param>    <!-- View name or other URL here -->
    <param name="arg.svc_context_name">$click.fields.svc_context_name$</param>
  </module>
</module>

Thanks again!

0 Karma

sideview
SplunkTrust

The one useful thing that Splunk's SimpleResultsTable module has that the Sideview Table module does not is the ability to do highlighting and selection on individual cells. You were already using SimpleResultsTable so you were almost there - the missing piece is to set "drilldown" to "all" instead of "row".

<module name="SimpleResultsTable">
  <param name="count">10</param> 
  <param name="entityName">results</param>
  <param name="drilldown">all</param>

  <module name="Redirector">
    <param name="url">cg_diversity_invoice_detail</param>   
    <param name="arg.parameter_1">$click.name2$</param>
  </module>
</module>

And the other change is to use the legacy $click.name2$ token instead of the Sideview token $click.fields.fieldName$.

I thought that customer feedback would demand the pick-a-cell mode in the top list of requested features for Table, but actually few people have ever asked for it. Nonetheless it's on the list and I'll get to it someday. In the meantime use SimpleResultsTable with your Redirector.
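
The following is an added example, not part of either poster's original code: it applies the "drilldown = all" suggestion to the stats-based table from the thread, so the target view receives the row, the clicked column and the clicked cell. It assumes `$click.value$` and `$click.value2$` behave as Splunk's legacy click keys (first-column value of the clicked row, and the clicked cell's value); the argument names `hour_bucket` and `po_count` are hypothetical.

```xml
<!-- Added example: cell-level drilldown on the stats table from this thread.
     Assumptions: $click.value$ and $click.value2$ are legacy click keys;
     arg.hour_bucket and arg.po_count are hypothetical argument names. -->
<module name="SimpleResultsTable">
  <param name="count">10</param>
  <param name="entityName">results</param>
  <!-- "all" makes individual cells clickable instead of whole rows -->
  <param name="drilldown">all</param>

  <module name="Redirector">
    <param name="url">cg_diversity_channel_detail</param>
    <!-- Row key: svc_context_name is the first column because the
         search ends in "stats ... by svc_context_name" -->
    <param name="arg.svc_context_name">$click.value$</param>
    <!-- Header of the clicked column, e.g. PO_Count_Last_Hour -->
    <param name="arg.hour_bucket">$click.name2$</param>
    <!-- Value of the clicked cell -->
    <param name="arg.po_count">$click.value2$</param>
  </module>
</module>
```

If the user clicks a cell in the svc_context_name column itself, `$click.name2$` will be `svc_context_name` rather than one of the PO_Count_* headers, so the target view should handle that case.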
