
Drilldown from timechart to table

fabiob
Explorer

Hello,

I'm trying to create a dynamic view in which I have a search with the results shown in a timechart:

host=... index=... | ... | stats count by userid, _time, rawlog

and then in a PostProcess search:

timechart span=2d count by userid

I'd like to allow the user to click on one of the bars and see the details in a table: if there's a bar for user A on day May 19, I want to show in the table only the events related to user A and May 19. Columns should be: _time, userid, rawlog. This is more or less what is done automatically in "static" panels with timecharts: only events related to a bar are shown when clicking on it.

I tried a few things but I really couldn't get them to work. Furthermore, the explanations given in similar questions were not clear at all to me: I tested some of the solutions but they didn't work (so I guess I'm doing something totally wrong).

Here's my code snippet:

<module name="TimeRangePicker" layoutPanel="panel_row2_col1" autoRun="True">
    <param name="selected">last 4 hours</param>
    <module name="Search" layoutPanel="panel_row3_col1" group="inline drilldown with JSChart" autoRun="True">
        <param name="search">host=... index=... | bin _time span=15min | `windows_events_lookup` | stats count by userid, _time, rawlog</param>
        <module name="PostProcess" layoutPanel="panel_row4_col1">
            <param name="search">timechart span=2d count by userid</param>
            <module name="FlashChart">
                <module name="Pager">
                    <module name="Table" />
                </module>
            </module>
        </module>
    </module>
</module>

How should I write the Table part?
Thanks for your help!

1 Solution

sideview
SplunkTrust

You're on the right track - you have to put either a Search or a PostProcess in between the Chart being clicked on, and the Pager+Table rendering the drilldown search. And the Search module is there to hold and define that drilldown search and how the $click.searchTerms$ key should be used.

Also you had two autoRun="True" attributes in there. I'm afraid you have to be careful about those - never nest anything with autoRun="true" inside anything that already has autoRun="True".

If you wanted to re-use the search results and use PostProcess to filter down to just the given user, you would use the following.

You said you wanted the columns to be _time userId and rawlog, which are the same columns as the base search except for "count", so I use a fields clause to remove the count field.

<module name="TimeRangePicker" layoutPanel="panel_row2_col1" autoRun="True">
    <param name="selected">last 4 hours</param>

    <module name="Search" layoutPanel="panel_row3_col1">
        <param name="search">host=... index=... | bin _time span=15min | `windows_events_lookup` | stats count by userid, _time, rawlog</param>

        <module name="PostProcess" layoutPanel="panel_row4_col1">
            <param name="search">timechart span=2d count by userid</param>

            <module name="FlashChart">
                <module name="PostProcess">
                    <param name="search">search $click.searchTerms$ | fields - count</param>

                    <module name="Pager">
                        <module name="Table" />
                    </module>
                </module>
            </module>
        </module>
    </module>
</module>

and just for reference, if you wanted to re-run the search from scratch, you'd use a Search module and you're right you would use more or less the same search string but with $click.searchTerms$ in it.

<module name="TimeRangePicker" layoutPanel="panel_row2_col1" autoRun="True">
    <param name="selected">last 4 hours</param>

    <module name="Search" layoutPanel="panel_row3_col1">
        <param name="search">host=... index=... | bin _time span=15min | `windows_events_lookup` | stats count by userid, _time, rawlog</param>

        <module name="PostProcess" layoutPanel="panel_row4_col1">
            <param name="search">timechart span=2d count by userid</param>

            <module name="FlashChart">
                <module name="PostProcess">
                    <param name="search">$click.searchTerms$ host=... index=... | bin _time span=15min | `windows_events_lookup` | stats count by userid, _time, rawlog</param>

                    <module name="Pager">
                        <module name="Table" />
                    </module>
                </module>
            </module>
        </module>
    </module>
</module>

The best docs to understand postprocess are in the "introduction to postprocess" page in Sideview Utils. The Table drilldowns don't go into the nuances of postprocess searches, I'm afraid, so you have to extrapolate based on what you read in postprocess examples and table drilldown examples.

sideview
SplunkTrust

Does my example work for you now? Time drilldowns are unintuitive, in that the args are not actually carried by $click.searchTerms$. Instead the charting and table modules conspire on a lower level, with some involvement from the search language even, to set the correct time range. For instance, when you click a FlashChart that has rendered a timechart command, it actually uses the _time and the _span values from the search results to determine the time args downstream...

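Added example, not from the thread and not Sideview Utils or Splunk code: a small Python model of the two pieces of state a bar click hands to the modules below the chart, as described in the accepted answer and the follow-up comment above. It separates the userid filter, which is what $click.searchTerms$ carries, from the time window, which comes from the clicked bar's _time and _span, and applies both to constructed rows shaped like the base search's `stats count by userid, _time, rawlog` output. The field names and the 2d span are from the thread; the rows, timestamps, log lines, epoch-aligned bucketing and helper names (`timechart`, `click`, `drilldown`) are assumptions made for illustration, and nothing here runs SPL.

```python
# Added example (not from the thread, not Sideview Utils code): a Python model
# of the drilldown path discussed above. Rows, timestamps and log lines are
# constructed; field names and the 2d span are the ones from the thread.
from collections import Counter
from datetime import datetime, timezone

SPAN_2D = 2 * 24 * 3600  # `timechart span=2d`, in seconds


def epoch(iso: str) -> int:
    """UTC ISO-8601 timestamp -> Unix epoch seconds (helper for the sample data)."""
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp())


# Constructed stand-in for the base search's result set:
#   ... | bin _time span=15min | stats count by userid, _time, rawlog
BASE_ROWS = [
    {"userid": "alice", "_time": epoch("2011-05-19T08:15:00"), "rawlog": "4624 logon", "count": 3},
    {"userid": "alice", "_time": epoch("2011-05-19T17:30:00"), "rawlog": "4625 failed logon", "count": 7},
    {"userid": "bob",   "_time": epoch("2011-05-19T09:00:00"), "rawlog": "4624 logon", "count": 1},
    {"userid": "alice", "_time": epoch("2011-05-21T10:45:00"), "rawlog": "4624 logon", "count": 2},
    {"userid": "bob",   "_time": epoch("2011-05-22T12:00:00"), "rawlog": "4720 account created", "count": 1},
]


def timechart(rows, span=SPAN_2D):
    """Model of the `timechart span=2d count by userid` post-process.

    Returns one bar per (bucket start, userid). Buckets are aligned to the Unix
    epoch here for simplicity; Splunk's alignment of day-sized spans may differ.
    Each bar keeps its _time and _span, which is what the click handler needs.
    """
    totals = Counter()
    for r in rows:
        bucket = r["_time"] - (r["_time"] % span)
        totals[(bucket, r["userid"])] += r["count"]
    return {
        key: {"_time": key[0], "_span": span, "userid": key[1], "count": n}
        for key, n in totals.items()
    }


def click(bar):
    """What a bar click hands to the modules below the chart.

    The userid filter is the part carried by $click.searchTerms$. The time
    window is NOT in searchTerms; it is derived from the bar's _time and _span,
    which is the point made in the follow-up comment above.
    """
    return {
        "searchTerms": f'userid="{bar["userid"]}"',
        "earliest": bar["_time"],
        "latest": bar["_time"] + bar["_span"],
    }


def drilldown(rows, clk, apply_time_window=True):
    """Model of `search $click.searchTerms$ | fields - count` over the base rows.

    With apply_time_window=False only the searchTerms filter is applied, which
    returns the user's rows from every day; with it the result is the single
    bar's worth of events, projected to _time, userid, rawlog.
    """
    wanted = clk["searchTerms"].split("=", 1)[1].strip('"')
    out = []
    for r in rows:
        if r["userid"] != wanted:
            continue
        if apply_time_window and not (clk["earliest"] <= r["_time"] < clk["latest"]):
            continue
        out.append({"_time": r["_time"], "userid": r["userid"], "rawlog": r["rawlog"]})
    return out


if __name__ == "__main__":
    bars = timechart(BASE_ROWS)
    bar = bars[(epoch("2011-05-18T00:00:00"), "alice")]  # the bar holding alice's May 19 events
    clk = click(bar)
    for row in drilldown(BASE_ROWS, clk):
        print(datetime.fromtimestamp(row["_time"], timezone.utc).isoformat(), row["userid"], row["rawlog"])
```

Running it prints alice's two May 19 rows only. Dropping the time window (`apply_time_window=False`) returns her May 21 row as well, which is the behaviour a drilldown gets when it relies on $click.searchTerms$ alone and nothing downstream picks up the bar's _time and _span.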

fabiob
Explorer

Thanks for the awesome answer!
I had some problems testing them (but I couldn't understand what I was doing wrong) and it seemed the time drilldown only worked within a Search module. Does it make sense?


fabiob
Explorer

The workaround I found for now is wrapping the "Pager" element with a Search (and not with a PostProcess) that is exactly the same as the main one, but with the $click.searchTerms$ element (which allows drilling down by userid and time). I'm afraid my dashboard is getting quite heavy though...
