Splunk Search

Drilldown chart needs a different query

wwhitener
Communicator

Greetings,

I am doing the Advanced XML and I have a bar chart showing the results of a summary query--the count of values over a time period. I want to click on a bar and have a second graph appear showing how the value compares to the results over time--the minimum value so far, the maximum value so far, the average, etc. When I try to put in the second graph, I can hardcode in the values and it works fine. When I try to use the click.name ($click.name$) or ($click.value$), the query fails.

Has anyone else seen this?

1 Solution

wwhitener
Communicator

More information....

I actually got it to work without Sideview Utils and using multiple variables.

  • I had a split-by clause in my highest level search. So, I ended up using a mix of click.name, click.value, click.name2 & click.value2.
  • In order to capture every variable, I had to nest the ConvertToIntention modules. There's a mightily abbreviated version (in case I forget 😛 ) below.
  • I read somewhere that the drilldown freaks a bit when using the stats command in the parent chart, so I ended up changing my query away from that. However, streamstats seems to work just fine, so I don't know.

Now if I could just figure out how to get the chart to hide the child chart and results--to reverse the drilldown......

Cheers!

<!-- Panel 2 has the overall counts -->
<module name="HiddenSearch" layoutPanel="panel_row2_col1"  autoRun="True">
    <param name="search">source=mysource.log | chart count(field1) over field2 by field1</param>
    <param name="earliest">-1d</param>
    <module name="TimeRangePicker">
      <param name="default">Today</param>
      <param name="searchWhenChanged">True</param>

    <module name="HiddenChartFormatter">
        <param name="charting.primaryAxisTitle.text">(Field2) Counts</param>
        <param name="charting.secondaryAxisTitle.text">Count of Events</param>
        <param name="charting.legend.placement">none</param>
        <param name="charting.chart">column</param>
        <param name="charting.seriesColors">[0xf055FF, 0xfC0000, 0x0FFF66]</param>
        <param name="charting.chart.style">shiny</param>
        <param name="charting.legend.masterLegend" />
        <param name="charting.legend">legend</param>
        <param name="charting.legend.placement">left</param>
        <param name="charting.legend.labelStyle.maximumWidth">500</param>
        <param name="charting.legend.labelStyle.defaultTextFormat">{italic:true,size:14}</param>
        <module name="JobProgressIndicator" />

        <!-- This is the totals chart to click on -->
        <module name="FlashChart">
            <param name="width">75%</param>
            <param name="height">250px</param>

            <!-- Begin the drill down custom coding -->

             <!-- Start Simple results header -->
             <!-- For any query, use this to determine your variables and values -->
             <!-- Note, click.value, click.value2, click.name, click.name2 -->
             <module name="SimpleResultsHeader">
                 <param name="entityName">events</param>
                 <!-- Note:  Additional $time$, $count$ here -->
                 <param name="headerFormat">Found $count$ event(s) for field2=$click.value$ and field1=$click.name2$ $time$</param>
             </module>
             <!-- End Simple Results header -->


             <!-- This is an inner chart and search to show statistics on the barchart click -->
             <module name="HiddenSearch">
                <param name="search">source=mysource.log field2=$value2$ field1=$value1$ | timechart count(field2) as MyCount | streamstats avg(MyCount) as AvgCount, min(MyCount) as MinCount, max(MyCount) as MaxCount </param>

                <module name="ConvertToIntention">    
                    <param name="intention">
                        <param name="name">stringreplace</param>

                        <param name="arg">
                            <param name="value2">
                                <param name="value">$click.value$</param>
                            </param>
                        </param>

                        <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
                        <param name="flags">
                          <list>indexed</list>
                        </param>
                    </param>
                    <!-- This inner ConvertToIntention takes care of the second $event$ variable -->     
                    <module name="ConvertToIntention">    
                        <param name="intention">
                            <param name="name">stringreplace</param>
                            <param name="arg">
                                <param name="value1">
                                    <param name="value">$click.name2$</param>
                                </param>
                            </param>
                        <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
                        <param name="flags">
                          <list>indexed</list>
                        </param>
                      </param>

                      <module name="JobProgressIndicator"/>

                      <!-- The inner chart to display -->      
                      <module name="HiddenChartFormatter">
                            <param name="charting.primaryAxisTitle.text">Drilldown Counts</param>
                            <param name="charting.secondaryAxisTitle.text">Count of Events</param>
                            <param name="charting.legend.placement">left</param>
                            <param name="charting.seriesColors">[0x0099FF, 0xCC66FF, 0xFF3333, 0x3333FF]</param>
                            <param name="charting.chart.style">shiny</param>
                            <param name="charting.chart">line</param>
                            <module name="FlashChart">
                                <param name="width">100%</param>
                                <param name="height">150px</param>
                            </module>       
                        </module>
                        <!-- End of inner HiddenChartFormatter -->

                        <!-- Now to add Results -->
                        <module name="Paginator">
                            <param name="entityName">events</param>
                            <param name="maxPages">10</param>
                            <module name="EventsViewer">
                                <param name="segmentation">full</param>
                                <param name="reportFieldLink">report_builder_format_report</param>
                            </module>
                        </module>
                        <!-- End the Results -->

                    </module>
                    <!-- end of second ConvertToIntention -->
                  </module>                       
                  <!-- End of outer ConvertToIntention -->                  
                <!--  End the drilldown custom coding -->
                </module>
                <!-- End Interior HiddenSearch -->
            </module>
            <!-- End of interior FlashChart -->
        </module>
        <!-- End Chart Formatter -->
    </module>
    <!-- End TimeRangePicker -->
</module>
<!-- End Panel 2 -->

View solution in original post

wwhitener
Communicator

More information....

I actually got it to work without Sideview Utils and using multiple variables.

  • I had a split-by clause in my highest level search. So, I ended up using a mix of click.name, click.value, click.name2 & click.value2.
  • In order to capture every variable, I had to nest the ConvertToIntention modules. There's a mightily abbreviated version (in case I forget 😛 ) below.
  • I read somewhere that the drilldown freaks a bit when using the stats command in the parent chart, so I ended up changing my query away from that. However, streamstats seems to work just fine, so I don't know.

Now if I could just figure out how to get the chart to hide the child chart and results--to reverse the drilldown......

Cheers!

<!-- Panel 2 has the overall counts -->
<module name="HiddenSearch" layoutPanel="panel_row2_col1"  autoRun="True">
    <param name="search">source=mysource.log | chart count(field1) over field2 by field1</param>
    <param name="earliest">-1d</param>
    <module name="TimeRangePicker">
      <param name="default">Today</param>
      <param name="searchWhenChanged">True</param>

    <module name="HiddenChartFormatter">
        <param name="charting.primaryAxisTitle.text">(Field2) Counts</param>
        <param name="charting.secondaryAxisTitle.text">Count of Events</param>
        <param name="charting.legend.placement">none</param>
        <param name="charting.chart">column</param>
        <param name="charting.seriesColors">[0xf055FF, 0xfC0000, 0x0FFF66]</param>
        <param name="charting.chart.style">shiny</param>
        <param name="charting.legend.masterLegend" />
        <param name="charting.legend">legend</param>
        <param name="charting.legend.placement">left</param>
        <param name="charting.legend.labelStyle.maximumWidth">500</param>
        <param name="charting.legend.labelStyle.defaultTextFormat">{italic:true,size:14}</param>
        <module name="JobProgressIndicator" />

        <!-- This is the totals chart to click on -->
        <module name="FlashChart">
            <param name="width">75%</param>
            <param name="height">250px</param>

            <!-- Begin the drill down custom coding -->

             <!-- Start Simple results header -->
             <!-- For any query, use this to determine your variables and values -->
             <!-- Note, click.value, click.value2, click.name, click.name2 -->
             <module name="SimpleResultsHeader">
                 <param name="entityName">events</param>
                 <!-- Note:  Additional $time$, $count$ here -->
                 <param name="headerFormat">Found $count$ event(s) for field2=$click.value$ and field1=$click.name2$ $time$</param>
             </module>
             <!-- End Simple Results header -->


             <!-- This is an inner chart and search to show statistics on the barchart click -->
             <module name="HiddenSearch">
                <param name="search">source=mysource.log field2=$value2$ field1=$value1$ | timechart count(field2) as MyCount | streamstats avg(MyCount) as AvgCount, min(MyCount) as MinCount, max(MyCount) as MaxCount </param>

                <module name="ConvertToIntention">    
                    <param name="intention">
                        <param name="name">stringreplace</param>

                        <param name="arg">
                            <param name="value2">
                                <param name="value">$click.value$</param>
                            </param>
                        </param>

                        <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
                        <param name="flags">
                          <list>indexed</list>
                        </param>
                    </param>
                    <!-- This inner ConvertToIntention takes care of the second $event$ variable -->     
                    <module name="ConvertToIntention">    
                        <param name="intention">
                            <param name="name">stringreplace</param>
                            <param name="arg">
                                <param name="value1">
                                    <param name="value">$click.name2$</param>
                                </param>
                            </param>
                        <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
                        <param name="flags">
                          <list>indexed</list>
                        </param>
                      </param>

                      <module name="JobProgressIndicator"/>

                      <!-- The inner chart to display -->      
                      <module name="HiddenChartFormatter">
                            <param name="charting.primaryAxisTitle.text">Drilldown Counts</param>
                            <param name="charting.secondaryAxisTitle.text">Count of Events</param>
                            <param name="charting.legend.placement">left</param>
                            <param name="charting.seriesColors">[0x0099FF, 0xCC66FF, 0xFF3333, 0x3333FF]</param>
                            <param name="charting.chart.style">shiny</param>
                            <param name="charting.chart">line</param>
                            <module name="FlashChart">
                                <param name="width">100%</param>
                                <param name="height">150px</param>
                            </module>       
                        </module>
                        <!-- End of inner HiddenChartFormatter -->

                        <!-- Now to add Results -->
                        <module name="Paginator">
                            <param name="entityName">events</param>
                            <param name="maxPages">10</param>
                            <module name="EventsViewer">
                                <param name="segmentation">full</param>
                                <param name="reportFieldLink">report_builder_format_report</param>
                            </module>
                        </module>
                        <!-- End the Results -->

                    </module>
                    <!-- end of second ConvertToIntention -->
                  </module>                       
                  <!-- End of outer ConvertToIntention -->                  
                <!--  End the drilldown custom coding -->
                </module>
                <!-- End Interior HiddenSearch -->
            </module>
            <!-- End of interior FlashChart -->
        </module>
        <!-- End Chart Formatter -->
    </module>
    <!-- End TimeRangePicker -->
</module>
<!-- End Panel 2 -->

RicoSuave
Builder

Can you please post your advanced xml? And are you using Sideview Utils?

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...