How to pass my current search result as a variable...

svemurilv · ‎01-10-2017

Hi
I have a two panel dashboard. If I select the process from the first panel, then I want the process related logs to be displayed in between the time range will display in the second panel
i have used dynamic drilldown to display the _raw data in the second panel

process         START_TIME          END_TIME            Duration            PID
PR_FileWorker_AA    01/10/17 01:00:01   01/10/17 01:03:49   227         30387
PR_FileWorker_AA    01/09/17 13:15:01   01/09/17 13:15:43   42          11077

in my drilldown panel search would be like , search based on the process related all the logs should display between START_TIME, END_TIME time frame i need to pass Process, START_TIME, END_TIME are the variables for the drilldown panel

somesoni2 · ‎01-10-2017

What you need is the contextual drilldown (in-page drilldown) where you'll set tokens to capture process, START_TIME and END_TIME from the row that user has clicked and pass it on to the second panel search. See this for an example for it.

http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/Understandbasictableandchartdrilldownactions#C...

svemurilv · ‎01-10-2017

HI soni,
First thanks for reply.
what am exactly expecting is. first search giving process,START_TIME ,END_TIME . and i want to pass those process ,START_TIME and END_TIME to the Contextual drilldown pannels search inputs queary like
source =source Process=$process START_TIME=$START_TIME$ END_TIME=$END_TIME$

somesoni2 · ‎01-10-2017

Yes, the example in the link shows you exactly the same, but with just one field being passed. What you need to do is to just 3 <set token= for your 3 fields that you want to pass and use the query the way you described in above comment.

How to pass my current search result as a variable to the next dynamic drilldown search?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!