Solved: drilldown and merge values

Shark2112 · ‎04-28-2016

Hi there.

I need to merge two values from field and want to drilldown it.
myfield=[q,w,w,e,r,t,t,y] and it take from field extractor.
index="my" | chart count(eval(myfield="q" OR myfield="w")) AS "testfield" by host
so i want count of myfield is 3 and drilldown for search ("index="my" myfield="q" OR myfield="w") but search is: "index="my" host=192.168.1.1

Shark2112 · ‎05-04-2016

i find solution, just need to use eval first and then chart
index=main | eval eventmsg=case("_") | chart count(eventmsg) over host by eventmsg usenull=f

View solution in original post

Shark2112 · ‎05-04-2016

i find solution, just need to use eval first and then chart
index=main | eval eventmsg=case("_") | chart count(eventmsg) over host by eventmsg usenull=f

somesoni2 · ‎04-28-2016

Please provide your current dashboard xml. (specially drilldown section)

Shark2112 · ‎04-28-2016

I want to merge User and VPN logins (success and fail) from different types in one chart and worked drilldown

test

<panel>
  <chart>
    <search>
      <query>index="ciscoindex"  | chart count(eval(slnr="%ASA-3-605004" OR slnr="%SEC_LOGIN-4-LOGIN_FAILED")) AS "Admin Login Fail", count(eval(slnr="%ASA-3-113015" OR slnr="%ASA-3-716039")) AS "VPN Login Fail", count(eval(slnr="%ASA-3-605005" OR slnr="%SEC_LOGIN-4-LOGIN_SUCCESS")) AS "Admin Login Success",  count(eval(slnr="%ASA-3-113015" OR slnr="%ASA-3-722051")) AS "VPN Login Access" by host</query>
      <earliest>0</earliest>
      <latest></latest>
    </search>
    <option name="charting.chart">column</option>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">none</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">stacked</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
  </chart>
</panel>

drilldown and merge values

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!