Splunk Search

Problem with drilldown and OUTPUT

greasypragma
New Member

I need some help with getting this simple drilldown to pass the dboperationcode to my <link>. Currently my search is only giving me the OUTPUT value as the click.value for the drilldown search. I want to pass the dboperationcode in my drilldown but I only get the description.

I've tried setting tokens using the <set> and also using the <condition field="dboperationcode"> but nothing I've tried seems to override what is coming from the OUTPUT in my lookup.

<search>
        <query>
                 index="myindex" host=$host$ | top limit=5 dboperationcode 
                  | lookup sqlcursorlkp lkpcode as dboperationcode  OUTPUT  description 
                  | fillnull value=Unknown | eval hcreason=count." : ".hcreason          
                  | table description, count, percent, dboperationcode
      </query>
</search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
        <drilldown target="_blank">
          <link>
            <![CDATA[failed_operation?dboperationcode=$click.value$host=$host$&earliest=$earliest$&latest=$latest$]]>
          </link>
        </drilldown>
0 Karma

diogofgm
SplunkTrust
SplunkTrust

Try this:

<link>
  <![CDATA[/app/[name of the app where the view is]/sql_statement_failed?dboperationcode=$row.dboperationcode$&host=$host$&earliest=$earliest$&latest=$latest$]]>
 </link>
------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

diogofgm
SplunkTrust
SplunkTrust

Look at dynamic drill down in docs

http://docs.splunk.com/Documentation/Splunk/6.2.3/Viz/Understandbasictableandchartdrilldownactions

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Use $row.dboperationcode$. Also, there seems to be an ampersand missing before host= in your link tag.

http://docs.splunk.com/Documentation/Splunk/6.2.3/Viz/PanelreferenceforSimplifiedXML#table_.28event_...

You're getting the description now because with drilldown=all the $click.value$ token always refers to the first column.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Yeah, pies are very restricted in their behaviour.

0 Karma

greasypragma
New Member

Thanks, I tried that and I'm not getting anything from it.

<link>
 <![CDATA[failed_operation?dboperationcode=$row.dboperationcode$&host=$host$&earliest=$earliest$&latest=$latest$]]>
 </link>

turnsout ampersand wasn't a problem in my dashboard code just where I posted the question. Here is the link I'm trying to render the token values into...

<link>
<![CDATA[sql_statement_failed?dboperationcode=$row.dboperationcode$&host=$host$&earliest=$earliest$&latest=$latest$]]>
</link>

I also need to add that the chart is a pie chart. But to render out the labels the way I wanted I had to pipe in | table columns... so I'm not actually clicking on a table value but on a portion of a pie chart.

the $row.dboperationcode$ token isn't populating... I'm just getting the row.dboperationcode token name in the url....

is it because I'm using the table command in my search along with a pie chart type?

0 Karma

greasypragma
New Member

I think I know what my problem is. Pie charts are one dimensional and using the row. won't work because it's final render is a one dimensional pie chart vs a table, etc... I converted the pie to a bar chart and it works.

I wish I could use the pie chart though. It looks much better and makes more sense for this one value... It's just the lookup that is causing the problem making the output something I can't turn around and search on with the drill down.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...