What is the best approach to have an XML dashboard timechart drilldown convert the macro to raw search and have drilldown chart click value still be implemented?

ho000dor
Explorer

Hello,

Problem #1: ViewRedirectorLink
ViewRedirectorLink only shows up when I click on something in the chart.

Problem #2: onclick
What's the best approach to have the drilldown convert the macro to raw search and have the drilldown chart click value still be implemented? 'Time' and 'Field' drill-down content would be ideal.

The current setup below does convert the macro to raw search. However, if a user clicks on the bar in the chart, it redirects with the count value. This is not helpful and oftentimes yields 0 results if the count has increased.

<module name="HiddenSavedSearch" layoutPanel="panel_row3_col1" group="test1" autoRun="True">
  <param name="useHistory">auto</param>
  <param name="savedSearch">savedSEARCHwithMACRO1</param>
  <module name="HiddenChartFormatter">
    <param name="charting.legend">legend</param>
    <param name="charting.legend.labelStyle.maximumWidth">500</param>
    <param name="charting.legend.labelStyle.minimumWidth">500</param>
    <param name="charting.chart.stackMode">stacked</param>
    <param name="charting.legend.placement">right</param>
    <param name="charting.chart">column</param>
    <param name="charting.legend.labelStyle.defaultTextFormat">{font:Arial,size:09}</param>
    <param name="charting.fieldColors">{"NothingToReport":0x00FF00}</param>
    <module name="JobProgressIndicator"/>

    <module name="FlashChart">
      <param name="height">250px</param>
      <module name="HiddenSearch" layoutPanel="panel_row3_col1" autoRun="True">
        <param name="search"><![CDATA[`MACRO1`]]></param>
        <param name="earliest">-2h</param>
        <module name="ConvertToDrilldownSearch">
          <module name="ViewRedirectorLink">
            <param name="popup">True</param>
            <param name="viewTarget">flashtimeline</param>
            <param name="label">All Results</param>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

I have also used the Sideview HTML modules, but I'm not sure how or if it could convert the macro to raw search.

0 Karma

sideview
SplunkTrust

The XML you posted is using core-splunk-only modules. The reason, I think, is that the old Splunk "intentions" system has a side-effect of expanding all macros. While this is usually an unwanted side effect, in your case you need this behavior.

Speaking just to this pure-splunk-module solution, I would try removing that second HiddenSearch module:

<module name="HiddenSearch" layoutPanel="panel_row3_col1" autoRun="True">
  <param name="search"><![CDATA[`MACRO1`]]></param>
  <param name="earliest">-2h</param>

Or at least remove its "search" param. Also remove the autoRun="True" because if it's having any effect, that attribute will be creating nasty bugs.

Basically, the old ConvertToDrilldownSearch module should be able to incorporate the chart drilldown tokens from the click just fine, and it should do it all without the need for a second HiddenSearch module. Removing that Search module might be all you need to fix this.

In Sideview Utils, of course, you would use SavedSearch instead of HiddenSavedSearch, Search instead of HiddenSearch, and Redirector and Link and so on and so forth. However, nothing in Sideview Utils has that side effect of expanding macros, and previously I've written customBehavior to do the expansion when necessary.

I could fairly easily add a $foo$ token to Sideview Utils though. To expand all the macros, ultimately you need to take the job's eventSearch property and tack on the commands from the reportSearch property, if there are any. There is already a $results.eventSearch$ token so this should be fairly easy to add and then people can use it in complex drilldown cases like this.

0 Karma
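
The expansion described in the answer above (the job's eventSearch with the reportSearch commands tacked on), as an added example that is not part of the original posts and is not Sideview Utils code. It goes one step further and builds the per-click drilldown search; the sample job values, the `host` split-by field and all function names are assumptions made for illustration.

```python
import json
import re

# Constructed sample: the two job properties named in the answer, as they
# might look for a macro-based timechart. Values are illustrative only.
SAMPLE_JOB = json.loads(r'''
{
  "eventSearch": "search index=web sourcetype=access_combined status>=500",
  "reportSearch": "timechart span=5m count by host"
}
''')

# Conservative allow-list for field names (an assumption of this example).
FIELD_NAME = re.compile(r"^[A-Za-z_][\w.]*$")


def expanded_search(job):
    """Macro-free search: eventSearch plus the reportSearch commands, if any."""
    event = job["eventSearch"].strip()
    report = (job.get("reportSearch") or "").strip().lstrip("|").strip()
    return f"{event} | {report}" if report else event


def quote_spl(value):
    """Quote a clicked value as an SPL string literal (escape \\ and ")."""
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def drilldown_search(job, field, value, bucket_start, span_seconds):
    """Raw-event search for one clicked column segment.

    field/value: the split-by field and the series that was clicked.
    bucket_start/span_seconds: epoch start and width of the clicked bucket.
    Returns (search, earliest, latest). The report commands are dropped so
    the target view lists events rather than matching on the clicked count.
    """
    if not FIELD_NAME.match(field):
        raise ValueError(f"unexpected field name: {field!r}")
    event = job["eventSearch"].strip()
    # "| search" keeps the filter valid even if eventSearch contains pipes.
    search = f"{event} | search {field}={quote_spl(value)}"
    return search, bucket_start, bucket_start + span_seconds
```

Quoting the clicked value and checking the field name keeps a series label that contains quotes or pipes from changing the structure of the drilldown search.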

sideview
SplunkTrust

Note - in Sideview Utils 3.3.1, released Dec 1 2014, there is now a $results.expandedSearch$ token that you can use in Sideview modules, and that will reflect the current search string with macros expanded. The "overview of custom $foo$ tokens" page in the Sideview docs will tell you how to use it safely.

0 Karma