Splunk Search

How to keep fields after a chart command for use in dynamic drilldown

splunker56
New Member

If I have a table like this:

TestName          , OS        , IsSuccessfull,             , TestID
T1                , Windows   , True                       , 1
T1                , Linux     , True                       , 2
T2                , Windows   , False                      , 3
T2                , Linux     , False                      , 4

I can chart the data and get something like this:

| chart latest(IsSuccessfull) over TestName by OS
TestName, Windows, Linux
T1      , True   , True
T2      , False  , False

From here I would like to be able to drilldown to another dashboard which gives more detail about a specific test when given the TestID but the problem is the chart command removes all the fields it doesn't use so TestID disappears.

<drilldown>
    <link> /app/TESTING/TestDetails?TestID=$row.TestID$</link> <--- Can't do this
</drilldown>

Is there a way I can keep the associated TestID when I'm not displaying it in the table? Or is there some other way to do this?

Any help much appreciated!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Is the value of OS field fixed (mean only very specific OS names) ? What are you doing with result of chart command, showing in a table?

0 Karma

splunker56
New Member

The OS fields are populated by the data so they are not "fixed" but there are only a limited amount that I am expecting.

Yes, the chart command gets displayed in a table just like the second one in my original question.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

And are you doing a row level drilldown or cell level? Since there can be multiple OS, for a TestName (one row), there will be multiple TestIDs, so if you're doing a row level drilldown, you want all TestIDs?

0 Karma

splunker56
New Member

That's a good point. Actually I think I need the cell level drilldown because I want the one TestID corresponding with the latest instance of a test against an OS. So maybe I need something like $cell.TestID$ ? I'll look into this on Monday.

0 Karma

niketn
Legend

From your question you seem to be passing TestID from table to another dashboard. However, if you perform statistical function you will get multiple values for T1 there are two test IDs 1 and 2. Please confirm what is the expected behavior.

The above drilldown that you have defined should work directly with first table that you have mentioned in the question.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

splunker56
New Member

Yep, the drilldown does work from the first table. If I can though, I'd like to display the data in the second format (after the chart command) while still being able to drilldown using the TestID.

To give more context to the data, the TestID is actually a unique guid generated per test run and the tests are python scripts so for example I might run the same test five times against Windows and get something like this:

TestName , OS , IsSuccessfull, TestID , _time
sync_test.py , Windows , True , ff744f19-47d9-4e1f-895c-53329f2ad715 , 10:20
sync_test.py , Windows , False , bd4b8519-1f29-4905-a283-5e7e81f8425b , 10:15
sync_test.py , Windows , False , a65f8aa7-b96f-4403-9647-e05912503f2f , 10:10
sync_test.py , Windows , True , 17e87c6a-4411-4e29-af4e-61c829272e8c , 10:05
sync_test.py , Windows , True , bad81240-b797-4244-bf05-166311830d3f , 10:00

The only one I care about and want to display in my table is the latest one so in this case I should get
TestName , Windows
sync_test.py , True

Hope that makes sense.

0 Karma

niketn
Legend

When you print out in table using simple xml fields option you can hide the column you want to use for drill down but not show to the user. However, at some point of time you need to have logical name for your test IDs so that user can select the same. In your case you can keep that as _time.

Edit Simple XML Dashboards and add the following for your table

<fields>TestName,OS,IsSuccessfull,_time</fields>

This way you will not display TestID, but you can use the same for your Drilldown

<drilldown>
     <link> /app/TESTING/TestDetails?TestID=$row.TestID$</link> 
</drilldown>

For reference, you can check out Table Element with Hidden Fields Example in Simple XML Examples App

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...