
Is there any option to return to the main pie chart after performing drill down by clicking a slice of the pie chart?

sumandebnath23
Explorer

Hello,
I have created a pie chart in a simple dashboard. The pie chart has several slices for different values of a field.

For example, the pie chart consists of three slices referring to data of three countries (India, USA, UK). When I click on one slice (e.g. India), it shows the data for India. But from here on, I am not able to return to the main pie chart that was created to show data for all three countries (i.e. the main pie chart).

We are using Splunk 6.6 version

Can anyone help me in this case?

1 Solution

rajim
Path Finder

@sumandebnath23 in Splunk 6.6 and onwards, you can use the drilldown facility as below.

    <drilldown>
      <eval token="policy_type">if(policy_type==$click.value$,"%",$click.value$)</eval>
    </drilldown>

Add this code in your panel and then click on the pie slice to drill down or come out from drill down to the original pie chart. It works fine. Hope this solves your problem.


sumandebnath23
Explorer

Below is the button configuration:

    <title>Workstations per Policy Type</title>
    <html depends="$policy_type$">
      <button class="btn" data-unset-token="policy_type">Reset Drilldown</button>
    </html>
    <chart depends="$policy_type$">
      <search>
        <query>index="<index_name>" source="<Source Name>" earliest=-90d
0 Karma

cmerriman
Super Champion

I use a button to reset my drilldowns. You can stick it in the panel that is being displayed after clicking the original chart. This is assuming the token in your original search is called country. Change what you need, but this should add a button that when clicked will reset the drilldown.

    <panel>
      <html depends="$country$">
        <button class="btn" data-unset-token="country">Reset Drilldown</button>
      </html>
      <table depends="$country$">
        <title>New Panel - Country Drilldown</title>
        <search>
          <query>.....
0 Karma

sumandebnath23
Explorer

Hi @cmerriman,

I have tried this option. Button is appearing in panel but not resetting the chart.
Below is the code. Please help me to resolve this issue.

Compliance Dashboard
Compliance Dashboard.

    <input type="dropdown" token="policy_type">
      <label>Policy Type</label>
      <choice value="%">All</choice>
      <choice value="Unprotected">Unprotected</choice>
      <choice value="Monitoring">Monitoring</choice>
      <choice value="Blocking">Blocking</choice>
      <default>%</default>
      <initialValue>%</initialValue>
    </input>

    <panel>
      <title>Workstations per Policy</title>
      <table>
        <search>
          <query>index="<Index Name>" source="<Source Name>" earliest=-90d
    | eval Unq_Policy = mvdedup(Policy)
    | eval First_Byte = substr(Unq_Policy,1,1)
    | eval Policy_Type = case(First_Byte="0","Unprotected" , First_Byte="1","Monitoring", 1=1,"Blocking")
    | rename "Device Name" as DeviceName
    | eval Workstation = mvdedup(DeviceName)
    | eval drpDownVal = "$policy_type$"
    | where like (Policy_Type,drpDownVal)
    | dedup Workstation Unq_Policy
    | stats count("Workstation") as "Workstation Count" by Unq_Policy, Policy_Type
    | rename Unq_Policy as Policies
    | table Policies Policy_Type "Workstation Count"
-90d@d
now
1
1d
delay

20
heatmap
none
false
false
true
true



Workstations per Policy Type





index="" source="" earliest=-90d
| eval Unq_Policy = mvdedup(Policy)
| eval First_Byte = substr(Unq_Policy,1,1)
| eval Policy_Type = case(First_Byte="0","Unprotected" , First_Byte="1","Monitoring", 1=1,"Blocking")
| rename "Device Name" as DeviceName
| eval Workstation = mvdedup(DeviceName)
| eval drpDownVal = "$policy_type$"
| where like (Policy_Type,drpDownVal)
| dedup Workstation Policy_Type
| stats count("Workstation") as "Workstation Count" by Policy_Type
-90d@d
now
1
1d
delay

ellipsisNone
0
visible
visible
visible
linear
linear
0
inherit
pie
50
10
area
gaps
none
0.01
default
shiny
{"Unprotected": 0x900C3F, "Monitoring": 0xC70039, "Blocking":0xFF5733}
all
0
0
ellipsisMiddle
right
0
1
large
_aggregation

$click.value$


0 Karma

cmerriman
Super Champion

Not all of the XML was formatted properly, so I can't quite see how the drilldown button is set up.

0 Karma

sumandebnath23
Explorer

Hi,
Thanks for the reply.

I am able to drill down but am not finding any option to navigate back to the original chart after drill down.

Could you please help in that case?

0 Karma

niketn
Legend

You can customize pie chart drilldown as per your needs. There are several Drilldown Examples discussed in Splunk 6.x Dashboard Examples App in Splunkbase (https://splunkbase.splunk.com/app/1603/).

Following is a run anywhere example with Splunk's _internal index which will show the count of errors by component. Through drilldown I am passing the selected field name and value to second search and displaying top 10 records in a table.

        <drilldown>
            <set token="tok_component">$click.name$</set>
            <set token="tok_value">$click.value$</set>
        </drilldown>

Since you are on Splunk 6.6, you will have the option to edit drilldown directly from UI Panel Edit; you can see a list of tokens available and create your tokens directly from the UI. (Refer to the documentation on Drilldown and Drilldown default tokens:
https://docs.splunk.com/Documentation/Splunk/latest/Viz/DrilldownIntro
http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#drilldown)

  <row>
    <panel>
      <chart>
        <title>Errors by Component (Pie Chart)</title>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO
| stats count by component
| sort - count
| head 5</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <drilldown>
            <set token="tok_component">$click.name$</set>
            <set token="tok_value">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
    <panel>
      <table>
        <title>Top 10 Results for $tok_component$="$tok_value$"</title>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO $tok_component$="$tok_value$"
| head 10
| table _time component _raw</query>
        </search>
        <option name="rowNumbers">true</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
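The pieces suggested in this thread, assembled into one complete dashboard as an added example (not code posted by any participant): the main pie never filters on the drilldown token, so it always shows every slice, and the detail panel carries the reset button. The dashboard label, the single token `tok_value`, and the use of the `|s` token filter are choices made for this example.

```xml
<dashboard>
  <label>Pie drilldown with reset (added example)</label>
  <row>
    <panel>
      <chart>
        <title>Errors by Component (click a slice)</title>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO
| stats count by component
| sort - count
| head 5</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <!-- The pie's own search does not use this token, so all slices stay visible -->
          <set token="tok_value">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
    <!-- Detail panel: hidden until a slice is clicked, hidden again after reset -->
    <panel depends="$tok_value$">
      <html>
        <button class="btn" data-unset-token="tok_value">Reset Drilldown</button>
      </html>
      <table>
        <title>Top 10 Results for component="$tok_value$"</title>
        <search>
          <!-- |s wraps the clicked value in quotes before it is placed in the search -->
          <query>index=_internal sourcetype=splunkd log_level!=INFO component=$tok_value|s$
| head 10
| table _time component _raw</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="rowNumbers">true</option>
      </table>
    </panel>
  </row>
</dashboard>
```

Unsetting a token that the main chart's own search depends on leaves that search waiting for a value, so the reset button belongs on a separate detail panel as shown here.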