
What is the best approach to have an XML dashboard timechart drilldown convert the macro to raw search and have drilldown chart click value still be implemented?

ho000dor
Explorer

Hello,

Problem #1: ViewRedirectorLink
ViewRedirectorLink only shows up when I click on something in the chart

Problem #2: onclick
What's the best approach to have the drilldown convert the macro to raw search and have the drilldown chart click value still be implemented - 'Time' and 'Field' drill-down Content would be ideal.

The current setup below does convert the macro to raw search. However, if a user clicks on the bar in the chart, it redirects with the count value. This is not helpful and oftentimes yields 0 results if the count has increased.

<module name="HiddenSavedSearch" layoutPanel="panel_row3_col1" group="test1" autoRun="True">
  <param name="useHistory">auto</param>
  <param name="savedSearch">savedSEARCHwithMACRO1</param>
  <module name="HiddenChartFormatter">
    <param name="charting.legend">legend</param>
    <param name="charting.legend.labelStyle.maximumWidth">500</param>
    <param name="charting.legend.labelStyle.minimumWidth">500</param>
    <param name="charting.chart.stackMode">stacked</param>
    <param name="charting.legend.placement">right</param>
    <param name="charting.chart">column</param>
    <param name="charting.legend.labelStyle.defaultTextFormat">{font:Arial,size:09}</param>
    <param name="charting.fieldColors">{"NothingToReport":0x00FF00}</param>
    <module name="JobProgressIndicator"/>

    <module name="FlashChart">
      <param name="height">250px</param>
      <module name="HiddenSearch" layoutPanel="panel_row3_col1" autoRun="True">
        <param name="search"><![CDATA[`MACRO1`]]></param>
        <param name="earliest">-2h</param>
        <module name="ConvertToDrilldownSearch">
          <module name="ViewRedirectorLink">
            <param name="popup">True</param>
            <param name="viewTarget">flashtimeline</param>
            <param name="label">All Results</param>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

I have also used the Sideview HTML modules but I'm not sure how or if it could convert the macro to raw search.

0 Karma

sideview
SplunkTrust

The XML you posted is using core-splunk-only modules. The reason, I think, is that the old Splunk "intentions" system has a side effect of expanding all macros. While this is usually an unwanted side effect, in your case you need this behavior.

Speaking just to this pure-splunk-module solution, I would try removing that second HiddenSearch module:

<module name="HiddenSearch" layoutPanel="panel_row3_col1" autoRun="True">
  <param name="search"><![CDATA[`MACRO1`]]></param>
  <param name="earliest">-2h</param>

Or at least remove its "search" param. Also remove the autoRun="True" because if it's having any effect, that attribute will be creating nasty bugs.

Basically, the old ConvertToDrilldownSearch module should be able to incorporate the chart drilldown tokens from the click just fine, and it should do it all without the need for a second HiddenSearch module. Removing that Search module might be all you need to fix this.

In Sideview Utils of course you would use SavedSearch instead of HiddenSavedSearch, Search instead of HiddenSearch and Redirector and Link and so on and so forth. However, nothing in Sideview Utils has that side effect of expanding macros, and previously I've written customBehavior to do the expansion when necessary.

I could fairly easily add a $foo$ token to Sideview Utils though. To expand all the macros ultimately you need to take the job's eventSearch property and tack on the commands from the reportSearch property, if there are any. There is already a $results.eventSearch$ token so this should be fairly easy to add and then people can use it in complex drilldown cases like this.

0 Karma

sideview
SplunkTrust

Note - in Sideview Utils 3.3.1, released Dec 1 2014, there is now a $results.expandedSearch$ token that you can use in Sideview modules, and that will reflect the current search string with macros expanded. The "overview of custom $foo$ tokens" page in the Sideview docs will tell you how to use it safely.

0 Karma