Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Drilldown condition match tag not working for query itself as a token

akarivaratharaj
Communicator
‎08-31-2017 04:05 AM

I am trying to make drill down in the same dashboard of Splunk Enterprise 6.4.2 version.
In the panel1, there is a pie chart with two options namely FileInspector and UMB. I am taking the input of clicked value, token as "feature" from panel1 and passing it to panel2.
In the condition part if my token $feature$ = "FileInspector", then I am setting a Query1 itself as a token called "$querytocall$". If the token $feature$ = "UMB", then setting other Query2 to the same token "$querytocall$".

At last I am passing that token "$querytocall$" itself as a search query for the Panel2. But this is not working. My panel2 is showing as "waiting for the input". Below is the code

    <drilldown>
      <set token="feature">$click.value$</set>
    </drilldown>
  </chart>
</panel>
<panel depends="$feature$">
  <title>$feature$ - Exception From Hosts Details</title>
  <chart>
    <change>
      <condition match="$feature$ == &quot;FileInspector&quot; ">
        <set token="querytocall">index=x | rex "Caused by: (?P<exception>[^\"](.+?)(.+?):)" |stats count(exception) as "No of Occurences" by  host |  table host, "No of Occurences"</set>
      </condition>
      <condition match="$feature$ == &quot;UMB&quot; ">
        <set token="querytocall">index=y |stats count as "No of Occurences" by  host |  table host, "No of Occurences"</set>
      </condition>
    </change>
    <search>
      <query>$querytocall$</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>

Could anyone please help me on this.

Reply
1 Solution
Solved! Jump to solution
Solution

rjthibod
Champion
‎08-31-2017 04:26 AM

This will not work as you have it, because there is no <change> handler for <chart>. You need to move the logic for <change> into the top-level drilldown section. Try this. Not, you have to use the HTML encoded versions of <, >, and " inside the token values. Already changed it for you.

     <drilldown>
      <condition match="$click.value$ == &quot;FileInspector&quot;">
       <set token="feature">$click.value$</set>
       <set token="querytocall">index=x | rex &quot;Caused by: (?P<exception>[^\&quot;](.+?)(.+?):)&quot; |stats count(exception) as &quot;No of Occurences&quot; by  host |  table host, &quot;No of Occurences&quot;</set>
      </condition>
      <condition match="$click.value$ == &quot;UMB&quot;">
        <set token="feature">$click.value$</set>
        <set token="querytocall">index=y |stats count as &quot;No of Occurences&quot; by  host |  table host, &quot;No of Occurences&quot;</set>
      </condition>
     </drilldown>
   </chart>
 </panel>
 <panel depends="$feature$">
   <title>$feature$ - Exception From Hosts Details</title>
   <chart>
     <search>
       <query>$querytocall$</query>
       <earliest>$field1.earliest$</earliest>
       <latest>$field1.latest$</latest>
     </search>

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rjthibod
Champion
‎08-31-2017 04:26 AM

This will not work as you have it, because there is no <change> handler for <chart>. You need to move the logic for <change> into the top-level drilldown section. Try this. Not, you have to use the HTML encoded versions of <, >, and " inside the token values. Already changed it for you.

     <drilldown>
      <condition match="$click.value$ == &quot;FileInspector&quot;">
       <set token="feature">$click.value$</set>
       <set token="querytocall">index=x | rex &quot;Caused by: (?P<exception>[^\&quot;](.+?)(.+?):)&quot; |stats count(exception) as &quot;No of Occurences&quot; by  host |  table host, &quot;No of Occurences&quot;</set>
      </condition>
      <condition match="$click.value$ == &quot;UMB&quot;">
        <set token="feature">$click.value$</set>
        <set token="querytocall">index=y |stats count as &quot;No of Occurences&quot; by  host |  table host, &quot;No of Occurences&quot;</set>
      </condition>
     </drilldown>
   </chart>
 </panel>
 <panel depends="$feature$">
   <title>$feature$ - Exception From Hosts Details</title>
   <chart>
     <search>
       <query>$querytocall$</query>
       <earliest>$field1.earliest$</earliest>
       <latest>$field1.latest$</latest>
     </search>
0 Karma
Reply
Solved! Jump to solution

akarivaratharaj
Communicator
‎08-31-2017 04:39 AM

Hi rjthibod,

Thankyou so much for your response.

It is working now.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...