Custom Drill-down from Total Row

splunkrocks2014
Communicator

I have a statistics table, shown below.

vendor        low     medium       high
----------    -----   ------------ -------
V1            1       2             3
V2            2       4             5
Total         3       6             8

I set up a custom drill-down, for instance for the vendor column. How can I set up a condition so that when "Total" is clicked it passes "*" to the custom drill-down? Thanks.

<drilldown>
     <link field="vendor">
         /app/my_app/details?form.vendor=$row.vendor$
     </link>
</drilldown>

niketn
Legend

Please try the following to default the vendor form token to an asterisk (*) when the clicked field value is Total, assuming your app name is my_app and the view name is details.

<drilldown>
  <condition match="$row.vendor$==&quot;Total&quot;">
    <link>/app/my_app/details?form.vendor=*</link>
  </condition>
  <condition>
    <link>/app/my_app/details?form.vendor=$row.vendor$</link>
  </condition>
</drilldown>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


splunkrocks2014
Communicator

The condition is never triggered.

niketn
Legend

Your column name is vendor, right?


niketn
Legend

The following is a run-anywhere example; just change the app name and dashboard name. In fact, even if you do not have the right app and dashboard, you should be able to see the values being sent: the selected vendor column value, or an asterisk if it is Total.

    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd
| eval vendor=log_level
| stats count by vendor
| addcoltotals labelfield=vendor</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <drilldown>
          <!-- Replace myappname and MyTestDashboard with your app and dashboard names -->
          <condition match="$row.vendor$==&quot;Total&quot;">
            <link>/app/myappname/MyTestDashboard?form.Vendor=*</link>
          </condition>
          <condition>
            <link>/app/myappname/MyTestDashboard?form.Vendor=$row.vendor$</link>
          </condition>
        </drilldown>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>

If you want to test whether the tokens are being set properly, you can use set or eval instead of link and print out the token using html.

<eval token="SelectedField">if($row.vendor$=="Total","*",$row.vendor$)</eval>

The following is an example of the html section.

Selected Field Name: $SelectedField$


splunkrocks2014
Communicator

Still ... the total is never triggered.


niketn
Legend

I have attached a screenshot with Total clicked and some other value clicked, printed using the following code. Can you try the following code? Can you ensure that the field value being tested, row.vendor, is enclosed in dollar signs? Also, the double quotes in the condition block should be escaped as written in the query. The value of Total being matched is case sensitive, so if you are printing Total in lower case you should mention the same as $row.vendor$. (Field names are always case sensitive, so make sure vendor is lower case, not upper.) Try out the following code, as it should run anywhere (the query is on Splunk's _internal index, so as long as you have access to query it, it should work).

     <panel>
       <table>
         <search>
           <query>index=_internal sourcetype=splunkd
 | eval vendor=log_level
 | stats count by vendor
 | addcoltotals labelfield=vendor</query>
           <earliest>-60m@m</earliest>
           <latest>now</latest>
           <sampleRatio>1</sampleRatio>
         </search>
         <drilldown>
           <condition match="$row.vendor$==&quot;Total&quot;">
             <set token="myTest">form.Vendor=*</set>
           </condition>
           <condition>
             <set token="myTest">form.Vendor=$row.vendor$</set>
           </condition>
         </drilldown>
         <option name="count">20</option>
         <option name="dataOverlayMode">none</option>
         <option name="drilldown">cell</option>
         <option name="percentagesRow">false</option>
         <option name="rowNumbers">false</option>
         <option name="totalsRow">false</option>
         <option name="wrap">true</option>
       </table>
       <html>
         <p>My Test Token=$myTest$</p>
       </html>
     </panel>

niketn
Legend

@splunkrocks2014 Were you able to try the example provided?


splunkrocks2014
Communicator

Hi niketnilay,

Thank you very much for your help.

I think I found the problem. The root cause is that we use an older version of Splunk (6.3.5), which does not work at all; however, it works perfectly on version 6.5.2. I have to see if there are any alternatives. Thanks again.

splunkrocks2014
Communicator

That's correct.

It works if clicked on a non-total cell. Also, I removed the second condition and directly clicked on "Total", and it just ran the default Splunk query.

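
A search-side alternative for versions where the `<condition match>` drilldown discussed in this thread is not evaluated, added here as an example and not code from any poster: the search computes the drilldown value in a helper field, so the link needs no condition. The field name `drill_vendor` is an assumption, the `my_app`/`details` target is taken from the accepted answer, and the thread does not confirm how this behaves on 6.3.5.

```xml
<panel>
  <table>
    <search>
      <!-- Same run-anywhere query as in the thread, plus one helper field.
           drill_vendor (assumed name) holds "*" on the Total row and the
           vendor value on every other row. -->
      <query>index=_internal sourcetype=splunkd
| eval vendor=log_level
| stats count by vendor
| addcoltotals labelfield=vendor
| eval drill_vendor=if(vendor=="Total", "*", vendor)</query>
      <earliest>-60m@m</earliest>
      <latest>now</latest>
    </search>
    <!-- Show only the original columns; drill_vendor stays in the result
         set, so $row.drill_vendor$ is still available to the drilldown. -->
    <fields>vendor, count</fields>
    <option name="drilldown">cell</option>
    <drilldown>
      <!-- Unconditional link: the wildcard decision was made in SPL. -->
      <link>/app/my_app/details?form.vendor=$row.drill_vendor$</link>
    </drilldown>
  </table>
</panel>
```

As with the condition-based version, a real vendor whose name is literally "Total" would also be sent as `*`; use the `label` argument of `addcoltotals` to pick a label that cannot collide with vendor names and match on that label instead.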