How to prevent data model search string from being...

MatMeredith · ‎09-01-2014

I have a dashboard that contains a number of pivot based charts. E.g.

| pivot analytics my_events count(my_events) AS "Count of events" SPLITROW my_dimension FILTER filter_att is "$filter_val$" SORT 100 my_dimension ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1

When I click on e.g. pie charts driven by such queries I get taken to the search view and the right events are shown. However, the search string shown is horrendously complex as it expands the full data model and evaluates every attribute. Is there some way I can avoid this?

Thanks!

schatzb · ‎09-03-2014

This probably isn't the most elegant solution so others feel free to chime in.

I would nest an outputlookup into each panel's inline search, and then point your drilldown to a search that uses inputlookup.

Edit your in line searches to include the "outputlookup test5.csv"

| search name=$slicer1$ | table field1,field2 | outputlookup test5.csv

add this to each panel with different csv's for each so you can have multiple drilldown views.

Then edit the XML for each panel to include a direct link to the search

        <drilldown>
            <link target="_blank">
                 /app/search/search?q=%7Cinputlookup%20test5.csv
            </link>
        </drilldown>

Here is the full XML for a test dashboard I made

<dashboard>
  <label>test5</label>
  <row>
    <panel>
      <table>
        <title>test</title>
        <searchString>| search name=$slicer1$ | table field1,field2 | outputlookup test5.csv</searchString>
        <earliestTime>-7d@h</earliestTime>
        <latestTime>now</latestTime>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">all</option>
            <drilldown>
                <link target="_blank">
                     /app/search/search?q=%7Cinputlookup%20test5.csv
                </link>
            </drilldown>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>

It's a little round about but it works pretty well for my applications.
I like enabling the drilldowns but don't want folks mucking around with my searches or in other data.

References:

http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/outputlookup
http://docs.splunk.com/Documentation/Splunk/6.1.3/Viz/Understandbasictableandchartdrilldownactions
http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/outputlookup

schatzb · ‎09-03-2014

It just dawned on me that this could be pretty problematic if you have multiple users on the same dashboard at the same time.

As long as diskspace isn't an issue for your you could parameterize the csv names to ensure that there are no overlaps.

| search name=$slicer1$ | table field1,field2 | outputlookup test-$user$-$host$-$variable1$-$slicer1$.csv | search field1>0

as long as your parameters don't have illegal characters that should help.

schatzb · ‎09-03-2014

You can even move the outputlookup further up the search so as to include some search filters on the drilldown if you wish. This will provide some editable options for your users.

| search name=$slicer1$ | table field1,field2 | outputlookup test5.csv | search field1>0

/app/search/search?q=%7Cinputlookup%20test5.csv%20%7C%20search%20field1>0

MatMeredith · ‎09-03-2014

Yes, that's exactly it. The search is displaying the right information, but at the moment the search string is about 30 rows long, whereas it only needs to be about 2 lines long. A a result it's too complex for users to easily see what the search is actually showing.

schatzb · ‎09-03-2014

To clarify: Are you looking to still show the relevant events but just to clean up how the search string is displayed?

How to prevent data model search string from being shown after clicking on pivot based pie chart?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes