Help in creating Drill Down for each Bar in a Bar Graph

vrmandadi
Builder

Hello Experts,

I am trying to get a drilldown when clicking on a Bar graph for each bar based on its Success and Failure. Below is the XML which I have worked on:

      <condition field="Authentic">
        <set token="testsDrilldown">index=ABC |...</set>
      </condition>
      <condition field="BANK">
        <set token="testsDrilldown">index=ABC|...</set>
      </condition>
      <condition field="RTDC">
        <set token="testsDrilldown">index=ABC</set>
      </condition>
    </drilldown>

I click on each of the separate bars, which are AUTHENTIC, BANK and RTDC, and which have Success in blue and Failure in red, as attached in the screenshot. When I click on the failure of any type, it should display a table based on the search in the XML.

index=ABC|... is not showing up anything.

The condition should be executed based on AUTHENTIC, BANK, OR RTDC, but it is taking the Success or Failure condition. Can it be done?

<set token="testsDrilldown">index=ABC |...</set>            
          </condition>

I have tried using IF else conditions, but it did not work. For the drill down to appear, it has three different searches, one for each AUTHENTIC, RTDC, BANK and that is where I am finding difficulty.

0 Karma

sundareshr
Legend

Try this

       <drilldown>
          <eval token="testsDrilldown">case($click.value$="AUTHENTIC", "DO SOMETHING", $click.value$="NULL", "DO SOMETHING ELSE", 1=1, "NO MATCHES")</eval>
        </drilldown>
0 Karma

vrmandadi
Builder

It did not work; it is not showing any drilldown, instead redirecting to a search.

0 Karma

vrmandadi
Builder

Hi sundareshr,
Thanks for the response. I have tried, but do we need to place that code for all three cases? I am pretty much new to Splunk, so can you please explain in detail?

        <drilldown>
           <eval token="testsDrilldown">case($click.value$="AUTHENTIC", "DO SOMETHING", $click.value$="NULL", "DO SOMETHING ELSE", 1=1, "NO MATCHES")</eval>
         </drilldown>

Do we need to change the value in $click.value$?

0 Karma

sundareshr
Legend

I would suggest creating three panels. One for Success, one for Failure and one for "" and show/hide accordingly. Here is an example of how you can achieve that...

<chart>
    <drilldown>
               <eval token="success">if($click.value$="AUTHENTIC", "success", null())</eval>
               <eval token="failure">if($click.value$="somethingelse", "failure", null())</eval>
               <eval token="other">if($click.value$="", "other", null())</eval>

             </drilldown>
    </chart>
    </row>
    <row>
    <panel depends="$success$">
    <table>
    <search>
      <query>index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" transaction_log.trl_action_response_code!=0 | eval run="$success$" | mvexpand endpoint_message_log{}.eml_req_conn_uri  | table  endpoint_message_log{}.eml_req_conn_uri,transaction_log.trl_action_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid  | replace  connection:*DepositingBankDCD%231* WITH AUTHENTIC IN endpoint_message_log{}.eml_req_conn_uri | eval  category=if('transaction_log.trl_action_response_code'="0","Success","Failure")    | search endpoint_message_log{}.eml_req_conn_uri=AUTHENTIC
</query>
    </search>
    </table></panel></row>
    <row>
    <panel depends="$failure$">
    <table>
    <search>
      <query>index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" ews_transaction_log.ews_pb_response_code!=0 | eval run="$failure$" | mvexpand endpoint_message_log{}.eml_req_conn_uri  | table  endpoint_message_log{}.eml_req_conn_uri,ews_transaction_log.ews_pb_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid  | replace  connection:*PayingBankDCDTestHarness%231* WITH BANK IN endpoint_message_log{}.eml_req_conn_uri| eval  category=if('ews_transaction_log.ews_pb_response_code'="0","Success","Failure") | search endpoint_message_log{}.eml_req_conn_uri=BANK
</query>
    </search>
    </table></panel></row>

This will only execute the search corresponding to the token and keep the panel hidden if the token is not set.

0 Karma
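
A panel with `depends` stays hidden until its token is set, so a token name that no handler ever sets hides the panel without any error. The check below is an added example, not code from the thread: it parses a dashboard's Simple XML and reports `depends`/`rejects` tokens that nothing sets, plus tokens assigned twice inside one handler. The sample dashboard is constructed, and treating `form.x` as the same token as `x` is a simplifying assumption.

```python
import re
import xml.etree.ElementTree as ET

# Matches $token$ references such as $failure$ or $form.host$.
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)\$")

# Constructed sample (not from the thread): the second <eval> reuses the
# token name "success", so nothing ever sets $failure$.
SAMPLE = """
<dashboard>
  <row>
    <panel>
      <chart>
        <search><query>| makeresults</query></search>
        <drilldown>
          <eval token="success">if($click.value$="AUTHENTIC", "success", null())</eval>
          <eval token="success">if($click.value$="BANK", "failure", null())</eval>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel depends="$success$"><title>A</title></panel>
    <panel depends="$failure$"><title>B</title></panel>
  </row>
</dashboard>
"""


def _norm(name):
    # Assumption: "form.x" and "x" are treated as one token for this check.
    return name[5:] if name.startswith("form.") else name


def audit_tokens(xml_text):
    """Return a list of (kind, token) findings for one dashboard."""
    root = ET.fromstring(xml_text)
    findings = []
    defined = set()

    # Pass 1: collect every token that some element assigns, and flag a
    # token assigned twice by sibling <set>/<eval> elements of one handler.
    for parent in root.iter():
        seen = set()
        for child in parent:
            name = child.get("token")
            if name is None or child.tag == "unset":
                continue
            name = _norm(name)
            defined.add(name)
            if child.tag in ("set", "eval"):
                if name in seen:
                    findings.append(("overwritten", name))
                seen.add(name)

    # Pass 2: every token used for show/hide must be assigned somewhere.
    for el in root.iter():
        for attr in ("depends", "rejects"):
            for ref in TOKEN_RE.findall(el.get(attr, "")):
                if _norm(ref) not in defined:
                    findings.append(("never_set", _norm(ref)))
    return findings


if __name__ == "__main__":
    for kind, token in audit_tokens(SAMPLE):
        print(f"{kind}: {token}")
```
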

vrmandadi
Builder

I have tried but I have not got any luck on that

0 Karma

sundareshr
Legend

Here is a RUN ANYWHERE sample. Copy to a new dashboard. It should work. You can edit the searches to your requirement. EDITED to use the queries you have provided.

    <dashboard>
      <label>Help in Drill -Down for each Bar in a Bar Graph</label>
      <row>
        <panel>
          <chart>
            <search>
              <query>your search to display bar chart with success/failure.</query>
              <earliest>-7d@h</earliest>
              <latest>now</latest>
            </search>
            <drilldown>
              <eval token="success">if($click.value$="AUTHENTIC" AND $click.name2$="Failure", "success", null())</eval>
              <eval token="failure">if($click.value$="BANK" AND $click.name2$="Failure", "failure", null())</eval>
              <eval token="other">if($click.value$="RTDC" AND $click.name2$="Failure", "other", null())</eval>
            </drilldown>
            <option name="charting.chart">bar</option>
            <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
            <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
            <option name="charting.axisTitleX.visibility">visible</option>
            <option name="charting.axisTitleY.visibility">visible</option>
            <option name="charting.axisTitleY2.visibility">visible</option>
            <option name="charting.axisX.scale">linear</option>
            <option name="charting.axisY.scale">linear</option>
            <option name="charting.axisY2.enabled">0</option>
            <option name="charting.axisY2.scale">inherit</option>
            <option name="charting.chart.bubbleMaximumSize">50</option>
            <option name="charting.chart.bubbleMinimumSize">10</option>
            <option name="charting.chart.bubbleSizeBy">area</option>
            <option name="charting.chart.nullValueMode">gaps</option>
            <option name="charting.chart.showDataLabels">none</option>
            <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
            <option name="charting.chart.stackMode">stacked</option>
            <option name="charting.chart.style">shiny</option>
            <option name="charting.drilldown">all</option>
            <option name="charting.layout.splitSeries">0</option>
            <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
            <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
            <option name="charting.legend.placement">right</option>
          </chart>
        </panel>
      </row>
      <row>
        <panel depends="$success$">
          <title>SUCCESS Criteria met</title>
          <table>
            <search>
              <query>index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" transaction_log.trl_action_response_code!=0| mvexpand endpoint_message_log{}.eml_req_conn_uri 
| table endpoint_message_log{}.eml_req_conn_uri,ews_transaction_log.ews_pb_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid | replace connection:DepositingBankDCD%231 WITH AUTHENTIC IN endpoint_message_log{}.eml_req_conn_uri |rename endpoint_message_log{}.eml_req_conn_uri as CONN | eval category=if('transaction_log.trl_action_response_code'="0","Success","Failure") | search CONN=AUTHENTIC</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="list.drilldown">full</option>
            <option name="list.wrap">1</option>
            <option name="maxLines">5</option>
            <option name="raw.drilldown">full</option>
            <option name="rowNumbers">false</option>
            <option name="table.drilldown">all</option>
            <option name="table.wrap">1</option>
            <option name="type">list</option>
            <option name="wrap">true</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">cell</option>
          </table>
        </panel>
      </row>
      <row>
        <panel depends="$failure$">
          <title>FAILURE criteria met</title>
          <table>
            <search>
              <query>index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" ews_transaction_log.ews_pb_response_code!=0| mvexpand endpoint_message_log{}.eml_req_conn_uri | table endpoint_message_log{}.eml_req_conn_uri,ews_transaction_log.ews_pb_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid | replace connection:PayingBankDCDTestHarness%231 WITH BANK IN endpoint_message_log{}.eml_req_conn_uri | eval category=if('ews_transaction_log.ews_pb_response_code'="000","Success","Failure") |rename endpoint_message_log{}.eml_req_conn_uri as CONN</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="list.drilldown">full</option>
            <option name="list.wrap">1</option>
            <option name="maxLines">5</option>
            <option name="raw.drilldown">full</option>
            <option name="rowNumbers">false</option>
            <option name="table.drilldown">all</option>
            <option name="table.wrap">1</option>
            <option name="type">list</option>
            <option name="wrap">true</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">cell</option>
          </table>
        </panel>
      </row>
      <row>
        <panel depends="$other$">
          <title>OTHER criteria met</title>
          <table>
            <search>
              <query>index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" ews_transaction_log.ews_rtdc_response_code!=0| mvexpand endpoint_message_log{}.eml_req_conn_uri | table endpoint_message_log{}.eml_req_conn_uri,ews_transaction_log.ews_rtdc_response_code,ews_transaction_log.ews_primary_client_id,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid | replace connection:RTDC%231 WITH RTDC IN endpoint_message_log{}.eml_req_conn_uri | eval category=if(' ews_transaction_log.ews_rtdc_response_code '="000","Success","Failure") |rename endpoint_message_log{}.eml_req_conn_uri as CONN |search CONN=RTDC</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="list.drilldown">full</option>
            <option name="list.wrap">1</option>
            <option name="maxLines">5</option>
            <option name="raw.drilldown">full</option>
            <option name="rowNumbers">false</option>
            <option name="table.drilldown">all</option>
            <option name="table.wrap">1</option>
            <option name="type">list</option>
            <option name="wrap">true</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">cell</option>
          </table>
        </panel>
      </row>
    </dashboard>
0 Karma

vrmandadi
Builder

sundareshr

Thank you so much for putting so much effort into this. I just want to confirm one thing: in the attachment, which has

AUTHENTIC
BANK
RTDC

When I click on the Authentic Failure it should display the results of the query below via drilldown

index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" transaction_log.trl_action_response_code!=0| mvexpand endpoint_message_log{}.eml_req_conn_uri  
| table  endpoint_message_log{}.eml_req_conn_uri,ews_transaction_log.ews_pb_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid  | replace  connection:*DepositingBankDCD%231* WITH AUTHENTIC IN endpoint_message_log{}.eml_req_conn_uri |rename endpoint_message_log{}.eml_req_conn_uri as CONN  | eval  category=if('transaction_log.trl_action_response_code'="0","Success","Failure")  | search CONN=AUTHENTIC 

when I click on BANK failure it should display the results of the query below via drilldown

index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" ews_transaction_log.ews_pb_response_code!=0| mvexpand endpoint_message_log{}.eml_req_conn_uri  | table  endpoint_message_log{}.eml_req_conn_uri,ews_transaction_log.ews_pb_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid  | replace  connection:*PayingBankDCDTestHarness%231* WITH BANK IN endpoint_message_log{}.eml_req_conn_uri  | eval  category=if('ews_transaction_log.ews_pb_response_code'="000","Success","Failure")  |rename endpoint_message_log{}.eml_req_conn_uri as CONN

when I click on RTDC failure it should display the results of the query below via drilldown

index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" ews_transaction_log.ews_rtdc_response_code!=0| mvexpand endpoint_message_log{}.eml_req_conn_uri  | table endpoint_message_log{}.eml_req_conn_uri,ews_transaction_log.ews_rtdc_response_code,ews_transaction_log.ews_primary_client_id,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid  | replace  connection:*RTDC%231* WITH RTDC IN endpoint_message_log{}.eml_req_conn_uri | eval  category=if(' ews_transaction_log.ews_rtdc_response_code '="000","Success","Failure")  |rename endpoint_message_log{}.eml_req_conn_uri as CONN |search CONN=RTDC

and the query for the attachment is the below one

index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" endpoint_message_log{}.eml_req_conn_uri=*DepositingBankDCD%231* | mvexpand endpoint_message_log{}.eml_req_conn_uri | search "endpoint_message_log{}.eml_req_conn_uri"!="*BankDCDTestHarness%231*"  "endpoint_message_log{}.eml_req_conn_uri"!="*RTDC%231*" | table  endpoint_message_log{}.eml_req_conn_uri,transaction_log.trl_action_response_code,ews_transaction_log.ews_pb_response_code, ews_transaction_log.ews_rtdc_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_service_name|search ews_transaction_log.ews_service_name=*| search ews_transaction_log.ews_primary_client_id = *|search ews_transaction_log.ews_paying_bank_id=*  | fillnull  value=0   | replace  connection:*DepositingBankDCD%231* WITH AUTHENTIC IN endpoint_message_log{}.eml_req_conn_uri | eval  category=if('transaction_log.trl_action_response_code'="0","Success","Failure")  | chart  count by endpoint_message_log{}.eml_req_conn_uri ,category  | append [search index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" endpoint_message_log{}.eml_req_conn_uri="*PayingBankDCDTestHarness%231*" | mvexpand endpoint_message_log{}.eml_req_conn_uri | search "endpoint_message_log{}.eml_req_conn_uri"!="*DepositingBankDCD%231*"  "endpoint_message_log{}.eml_req_conn_uri"!="*RTDC%231*"  "endpoint_message_log{}.eml_req_conn_uri"!="*DepositingBankDCD%231*" | table transaction_log.trl_action_response_code,ews_transaction_log.ews_pb_response_code, ews_transaction_log.ews_rtdc_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_service_name,endpoint_message_log{}.eml_req_conn_uri |search ews_transaction_log.ews_service_name=*| search ews_transaction_log.ews_primary_client_id = *|search ews_transaction_log.ews_paying_bank_id=* | fillnull  value=000 | replace  *PayingBankDCDTestHarness%231* 
WITH BANK IN endpoint_message_log{}.eml_req_conn_uri | eval  category=if('ews_transaction_log.ews_pb_response_code'="000","Success","Failure")   | chart  count by endpoint_message_log{}.eml_req_conn_uri ,category]  |append [search index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" endpoint_message_log{}.eml_req_conn_uri=*RTDC%231* | mvexpand endpoint_message_log{}.eml_req_conn_uri | search "endpoint_message_log{}.eml_req_conn_uri"!="*DepositingBankDCD%231*"  "endpoint_message_log{}.eml_req_conn_uri"!="*PayingBankDCDTestHarness%231"   | table endpoint_message_log{}.eml_req_conn_uri,transaction_log.trl_action_response_code,ews_transaction_log.ews_pb_response_code, ews_transaction_log.ews_rtdc_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_service_name|search ews_transaction_log.ews_service_name=*| search ews_transaction_log.ews_primary_client_id = *|search ews_transaction_log.ews_paying_bank_id=* |  fillnull  value=000     | replace  connection:*RTDC%231 WITH RTDC IN endpoint_message_log{}.eml_req_conn_uri     | eval  category=if('ews_transaction_log.ews_rtdc_response_code'="000","Success","Failure")    | chart  count by endpoint_message_log{}.eml_req_conn_uri ,category] |fillnull value=0

Is this the same as you have understood, or is it different? I am sorry if I posted too many; I just want to confirm.

0 Karma

sundareshr
Legend

What if user clicks on BANK success? I edited the above example to show only on FAILURE

0 Karma

vrmandadi
Builder

We do not need to have any drilldown on success of them; we just want a drilldown on the failure of each of them.

0 Karma

vrmandadi
Builder

Help in Drill -Down for each Bar in a Bar Graph

<panel>
  <chart>
    <search>
      <query>index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" endpoint_message_log{}.eml_req_conn_uri=*DepositingBankDCD%231* | mvexpand endpoint_message_log{}.eml_req_conn_uri | search "endpoint_message_log{}.eml_req_conn_uri"!="*BankDCDTestHarness%231*"  "endpoint_message_log{}.eml_req_conn_uri"!="*RTDC%231*" | table  endpoint_message_log{}.eml_req_conn_uri,transaction_log.trl_action_response_code,ews_transaction_log.ews_pb_response_code, ews_transaction_log.ews_rtdc_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_service_name|search ews_transaction_log.ews_service_name=*| search ews_transaction_log.ews_primary_client_id = *|search ews_transaction_log.ews_paying_bank_id=*  | fillnull  value=0   | replace  connection:*DepositingBankDCD%231* WITH AUTHENTIC IN endpoint_message_log{}.eml_req_conn_uri | eval  category=if('transaction_log.trl_action_response_code'="0","Success","Failure")  | chart  count by endpoint_message_log{}.eml_req_conn_uri ,category  | append [search index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" endpoint_message_log{}.eml_req_conn_uri="*PayingBankDCDTestHarness%231*" | mvexpand endpoint_message_log{}.eml_req_conn_uri | search "endpoint_message_log{}.eml_req_conn_uri"!="*DepositingBankDCD%231*"  "endpoint_message_log{}.eml_req_conn_uri"!="*RTDC%231*"  "endpoint_message_log{}.eml_req_conn_uri"!="*DepositingBankDCD%231*" | table transaction_log.trl_action_response_code,ews_transaction_log.ews_pb_response_code, ews_transaction_log.ews_rtdc_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_service_name,endpoint_message_log{}.eml_req_conn_uri |search ews_transaction_log.ews_service_name=*| search ews_transaction_log.ews_primary_client_id = *|search ews_transaction_log.ews_paying_bank_id=* | fillnull  value=000 | replace  
*PayingBankDCDTestHarness%231* WITH BANK IN endpoint_message_log{}.eml_req_conn_uri | eval  category=if('ews_transaction_log.ews_pb_response_code'="000","Success","Failure")   | chart  count by endpoint_message_log{}.eml_req_conn_uri ,category]  |append [search index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" endpoint_message_log{}.eml_req_conn_uri=*RTDC%231* | mvexpand endpoint_message_log{}.eml_req_conn_uri | search "endpoint_message_log{}.eml_req_conn_uri"!="*DepositingBankDCD%231*"  "endpoint_message_log{}.eml_req_conn_uri"!="*PayingBankDCDTestHarness%231"   | table endpoint_message_log{}.eml_req_conn_uri,transaction_log.trl_action_response_code,ews_transaction_log.ews_pb_response_code, ews_transaction_log.ews_rtdc_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_service_name|search ews_transaction_log.ews_service_name=*| search ews_transaction_log.ews_primary_client_id = *|search ews_transaction_log.ews_paying_bank_id=* |  fillnull  value=000     | replace  connection:*RTDC%231 WITH RTDC IN endpoint_message_log{}.eml_req_conn_uri     | eval  category=if('ews_transaction_log.ews_rtdc_response_code'="000","Success","Failure")    | chart  count by endpoint_message_log{}.eml_req_conn_uri ,category] |fillnull value=0 </query>
      <earliest>all</earliest>
      <latest>now</latest>
    </search>
    <drilldown>
      <eval token="success">if($click.value$="AUTHENTIC" AND $click.name2$="Failure", "success", null())</eval>
      <eval token="failure">if($click.value$="BANK" AND $click.name2$="Failure", "failure", null())</eval>
      <eval token="other">if($click.value$!="RTDC" AND $click.name2$="Failure", "other", null())</eval>
    </drilldown>
    <option name="charting.chart">bar</option>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">false</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">none</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">stacked</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
  </chart>
</panel>
0 Karma

vrmandadi
Builder

<panel depends="$success$">
  <title>SUCCESS Criteria met</title>
  <table>
    <search>
      <query>index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" transaction_log.trl_action_response_code!=0| mvexpand endpoint_message_log{}.eml_req_conn_uri  
| table  endpoint_message_log{}.eml_req_conn_uri,ews_transaction_log.ews_pb_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid  | replace  connection:*DepositingBankDCD%231* WITH AUTHENTIC IN endpoint_message_log{}.eml_req_conn_uri |rename endpoint_message_log{}.eml_req_conn_uri as CONN  | eval  category=if('transaction_log.trl_action_response_code'="0","Success","Failure")  | search CONN=AUTHENTIC</query>
          <earliest>all</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">false</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <option name="wrap">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>



<panel depends="$failure$">
  <title>FAILURE criteria met</title>
  <table>
    <search>
      <query>index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" ews_transaction_log.ews_pb_response_code!=0| mvexpand endpoint_message_log{}.eml_req_conn_uri  | table  endpoint_message_log{}.eml_req_conn_uri,ews_transaction_log.ews_pb_response_code,ews_transaction_log.ews_primary_client_id ,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid  | replace  connection:*PayingBankDCDTestHarness%231* WITH BANK IN endpoint_message_log{}.eml_req_conn_uri  | eval  category=if('ews_transaction_log.ews_pb_response_code'="000","Success","Failure")  |rename endpoint_message_log{}.eml_req_conn_uri as CONN |search CONN=BANK</query>
      <earliest>all</earliest>
      <latest>now</latest>
    </search>
    <option name="list.drilldown">full</option>
    <option name="list.wrap">1</option>
    <option name="maxLines">5</option>
    <option name="raw.drilldown">full</option>
    <option name="rowNumbers">false</option>
    <option name="table.drilldown">all</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
    <option name="wrap">true</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
  </table>
</panel>


<panel depends="$other$">
  <title>OTHER criteria met</title>
  <table>
    <search>
      <query>index=test_dev source="/var/log/rtn/dcd_new_sample_data_for_splunk_dashboard.json" ews_transaction_log.ews_rtdc_response_code!=0| mvexpand endpoint_message_log{}.eml_req_conn_uri  | table endpoint_message_log{}.eml_req_conn_uri,ews_transaction_log.ews_rtdc_response_code,ews_transaction_log.ews_primary_client_id,ews_transaction_log.ews_paying_bank_id,ews_transaction_log.ews_item_id,_time ,transaction_log.trl_message_uid  | replace  connection:*RTDC%231* WITH RTDC IN endpoint_message_log{}.eml_req_conn_uri | eval  category=if(' ews_transaction_log.ews_rtdc_response_code '="000","Success","Failure")  |rename endpoint_message_log{}.eml_req_conn_uri as CONN |search CONN=RTDC</query>
      <earliest>all</earliest>
      <latest>now</latest>
    </search>
    <option name="list.drilldown">full</option>
    <option name="list.wrap">1</option>
    <option name="maxLines">5</option>
    <option name="raw.drilldown">full</option>
    <option name="rowNumbers">false</option>
    <option name="table.drilldown">all</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
    <option name="wrap">true</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
  </table>
</panel>
0 Karma

sundareshr
Legend

Did this work?

0 Karma

vrmandadi
Builder

It did not work. When clicked, it was not showing any drilldown but it is opening a search. I don't think the token is passing.

0 Karma

vrmandadi
Builder

Nope, I think the token is not passing and the drilldown is not enabled, since I don't see any drilldown; when clicked, it goes to a search.

0 Karma

vrmandadi
Builder

Is it possible in Splunk to get a drilldown on each bar, with each bar having a separate query?

0 Karma