Dashboards & Visualizations

How to pass my current search result as a variable to the next dynamic drilldown search?

svemurilv
Path Finder

Hi
I have a two panel dashboard. If I select the process from the first panel, then I want the process related logs to be displayed in between the time range will display in the second panel
i have used dynamic drilldown to display the _raw data in the second panel

process         START_TIME          END_TIME            Duration            PID
PR_FileWorker_AA    01/10/17 01:00:01   01/10/17 01:03:49   227         30387
PR_FileWorker_AA    01/09/17 13:15:01   01/09/17 13:15:43   42          11077

in my drilldown panel search would be like , search based on the process related all the logs should display between START_TIME, END_TIME time frame i need to pass Process, START_TIME, END_TIME are the variables for the drilldown panel

0 Karma

somesoni2
SplunkTrust
SplunkTrust

What you need is the contextual drilldown (in-page drilldown) where you'll set tokens to capture process, START_TIME and END_TIME from the row that user has clicked and pass it on to the second panel search. See this for an example for it.

http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/Understandbasictableandchartdrilldownactions#C...

0 Karma

svemurilv
Path Finder

HI soni,
First thanks for reply.
what am exactly expecting is. first search giving process,START_TIME ,END_TIME . and i want to pass those process ,START_TIME and END_TIME to the Contextual drilldown pannels search inputs queary like
source =source Process=$process START_TIME=$START_TIME$ END_TIME=$END_TIME$

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Yes, the example in the link shows you exactly the same, but with just one field being passed. What you need to do is to just 3 <set token= for your 3 fields that you want to pass and use the query the way you described in above comment.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...