Why are tokens not replaced in Events drilldown?

krdo
Communicator

Hi,

I have the following dashboard (for demo purposes only):

<form>
  <label>EventDrilldown</label>
  <fieldset submitButton="false">
    <input type="time" token="timeRange">
      <label></label>
      <default>
        <earliest>-5m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=* | head 3</query>
          <earliest>$timeRange.earliest$</earliest>
          <latest>$timeRange.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">table</option>
      </event>
    </panel>
  </row>
</form>

When you click in a cell the automatic drilldown takes me to the search dashboard but does not set the correct time range; it seems like the tokens are not replaced, resulting in an invalid time range.

Does anyone know why this is happening? I'm pretty sure this worked before...

Kind regards,
Dominik

PS: I'm on Splunk Enterprise V6.5.2 (but this happens on my local Splunk Free installation too)

0 Karma
1 Solution

niketn
Legend

[Updated Answer]
Change your search query to the following and it should work (use earliest and latest with tokens in your base search rather than search tags):

     <search>
       <query>index=_internal sourcetype=splunkd earliest=$timeRange.earliest$ latest=$timeRange.latest$| head 3</query>
       <earliest></earliest>
       <latest></latest>
       <sampleRatio>1</sampleRatio>
     </search>

table.drilldown option takes only True or False values

<option name="table.drilldown">True</option>

You are using both table.drilldown as well as raw.drilldown. Please check which one you actually need.

Refer to Drilldown Event example in Splunk 6.x Dashboard Examples app.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

krdo
Communicator

"table.drilldown option takes only True or False values"
According to http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML it takes the values all and none, although the Simple XML validator indicates that a boolean value is required.

"You are using both table.drilldown as well as row.drilldown."
I use table.drilldown and raw.drilldown. And list.drilldown. All three were created when I saved a search as dashboard panel. Changing table.drilldown to a boolean value and removing the others resulted in the same error (because the time range tokens are not replaced when performing a drilldown).

"Refer to Drilldown Event example in Splunk 6.x Dashboard Examples app."
Neither the Drilldown Event nor the Events Viewer Element examples use tokens. Therefore they don't really help here.

Were you able to reproduce the problem?

0 Karma

niketn
Legend

@krdo I have updated my answers with the earliest and latest time to be included in the base search.
Sorry row.drilldown was a typo... I corrected that also. Please try out the query and it should work fine... Let me know otherwise... I will mark this as a comment for the community to pick up and answer!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

krdo
Communicator

Thanks @niketnilay, using earliest & latest in the search query actually did the trick!

0 Karma
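
An added example, not part of the thread and not Splunk tooling: a Python check that flags the pattern discussed above (an event panel with drilldown enabled whose search passes tokens through the earliest/latest tags) and proposes the inline form from the accepted answer. The function names, the sample dashboards and the first-pipe heuristic are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

TOKEN = re.compile(r"\$[^$\s]+\$")  # Simple XML token, e.g. $timeRange.earliest$
DRILLDOWN_OPTS = ("list.drilldown", "raw.drilldown", "table.drilldown")
DISABLED = {"", "none", "false", "0"}


def inline_time_bounds(query, tags):
    """Move the tokenized bounds into the base search, as the accepted answer does.
    Assumption: the first '|' ends the base search (no quoted pipes before it)."""
    base, sep, rest = query.partition("|")
    bounds = " ".join(f"{name}={value}" for name, value in tags.items())
    return f"{base.strip()} {bounds} {sep}{rest}".strip()


def find_tokenized_time_tags(dashboard_xml):
    """Report <event> panels that combine tokens in <earliest>/<latest> search
    tags with an enabled drilldown option."""
    findings = []
    for event in ET.fromstring(dashboard_xml).iter("event"):
        tags = {}
        for name in ("earliest", "latest"):
            text = (event.findtext(f"search/{name}") or "").strip()
            if TOKEN.search(text):
                tags[name] = text
        drilldown = [opt.get("name") for opt in event.findall("option")
                     if opt.get("name") in DRILLDOWN_OPTS
                     and (opt.text or "").strip().lower() not in DISABLED]
        if tags and drilldown:
            query = (event.findtext("search/query") or "").strip()
            findings.append({"query": query, "tags": tags, "drilldown": drilldown,
                             "suggested_query": inline_time_bounds(query, tags)})
    return findings


# Constructed samples: the question's panel (trimmed) and the same panel after the fix.
BEFORE = """<form><row><panel><event>
  <search><query>index=* | head 3</query>
    <earliest>$timeRange.earliest$</earliest><latest>$timeRange.latest$</latest></search>
  <option name="table.drilldown">all</option></event></panel></row></form>"""
AFTER = """<form><row><panel><event>
  <search><query>index=* earliest=$timeRange.earliest$ latest=$timeRange.latest$ | head 3</query>
    <earliest></earliest><latest></latest></search>
  <option name="table.drilldown">all</option></event></panel></row></form>"""

if __name__ == "__main__":
    for label, xml_text in (("before", BEFORE), ("after", AFTER)):
        print(label, find_tokenized_time_tags(xml_text))
```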