Drilldown condition match tag not working for query itself as a token

akarivaratharaj
Communicator

I am trying to make a drilldown within the same dashboard in Splunk Enterprise version 6.4.2.
In panel1 there is a pie chart with two options, namely FileInspector and UMB. I am taking the clicked value as input, as a token named "feature", from panel1 and passing it to panel2.
In the condition part, if my token $feature$ = "FileInspector", then I am setting Query1 itself as a token called "$querytocall$". If the token $feature$ = "UMB", then I am setting the other query, Query2, to the same token "$querytocall$".

Finally, I am passing that token "$querytocall$" itself as the search query for panel2. But this is not working. My panel2 is showing "waiting for the input". Below is the code:

        <drilldown>
          <set token="feature">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
    <panel depends="$feature$">
      <title>$feature$ - Exception From Hosts Details</title>
      <chart>
        <change>
          <condition match="$feature$ == &quot;FileInspector&quot; ">
            <set token="querytocall">index=x | rex "Caused by: (?P<exception>[^\"](.+?)(.+?):)" |stats count(exception) as "No of Occurences" by  host |  table host, "No of Occurences"</set>
          </condition>
          <condition match="$feature$ == &quot;UMB&quot; ">
            <set token="querytocall">index=y |stats count as "No of Occurences" by  host |  table host, "No of Occurences"</set>
          </condition>
        </change>
        <search>
          <query>$querytocall$</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>

Could anyone please help me with this?

1 Solution

rjthibod
Champion

This will not work as you have it, because there is no <change> handler for <chart>. You need to move the logic for <change> into the top-level drilldown section. Try this. Note, you have to use the HTML encoded versions of <, >, and " inside the token values. Already changed it for you.

        <!-- Inside each querytocall value, <, > and " are written as &lt;, &gt; and &quot; -->
        <drilldown>
          <condition match="$click.value$ == &quot;FileInspector&quot;">
            <set token="feature">$click.value$</set>
            <set token="querytocall">index=x | rex &quot;Caused by: (?P&lt;exception&gt;[^\&quot;](.+?)(.+?):)&quot; |stats count(exception) as &quot;No of Occurences&quot; by  host |  table host, &quot;No of Occurences&quot;</set>
          </condition>
          <condition match="$click.value$ == &quot;UMB&quot;">
            <set token="feature">$click.value$</set>
            <set token="querytocall">index=y |stats count as &quot;No of Occurences&quot; by  host |  table host, &quot;No of Occurences&quot;</set>
          </condition>
        </drilldown>
      </chart>
    </panel>
    <panel depends="$feature$">
      <title>$feature$ - Exception From Hosts Details</title>
      <chart>
        <search>
          <query>$querytocall$</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>

0 Karma
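
The encoding rule from the answer above, as an added example that is not part of the original thread: a Python helper that generates the `<drilldown>` conditions from raw SPL, entity-encodes `<`, `>` and `"`, and uses the standard-library XML parser to confirm the fragment is well-formed and each query round-trips unchanged. The function names (`build_drilldown`, `tokens_after_parse`, `is_well_formed`) are hypothetical; the queries are the two from the thread.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Raw (unencoded) SPL from the thread, keyed by the clicked pie-chart value.
QUERIES = {
    "FileInspector": r'index=x | rex "Caused by: (?P<exception>[^\"](.+?)(.+?):)" '
                     r'|stats count(exception) as "No of Occurences" by host '
                     r'| table host, "No of Occurences"',
    "UMB": 'index=y |stats count as "No of Occurences" by host '
           '| table host, "No of Occurences"',
}

def build_drilldown(queries, encode=True):
    """Return a <drilldown> fragment with one <condition> per click value."""
    # escape() handles &, < and >; the extra mapping also encodes double quotes.
    enc = (lambda s: escape(s, {'"': "&quot;"})) if encode else (lambda s: s)
    parts = ["<drilldown>"]
    for value, spl in queries.items():
        parts.append(f'  <condition match="$click.value$ == &quot;{escape(value)}&quot;">')
        parts.append('    <set token="feature">$click.value$</set>')
        parts.append(f'    <set token="querytocall">{enc(spl)}</set>')
        parts.append("  </condition>")
    parts.append("</drilldown>")
    return "\n".join(parts)

def is_well_formed(xml_text):
    """True if the fragment parses as XML, False otherwise."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def tokens_after_parse(xml_text):
    """Map each condition's match expression to its decoded querytocall value."""
    root = ET.fromstring(xml_text)
    return {
        c.get("match"): c.find("set[@token='querytocall']").text
        for c in root.findall("condition")
    }

if __name__ == "__main__":
    print(build_drilldown(QUERIES))
    # With encode=False the raw <exception> in the rex is read as an XML tag.
    print("raw fragment well-formed:", is_well_formed(build_drilldown(QUERIES, encode=False)))
```
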

akarivaratharaj
Communicator

Hi rjthibod,

Thank you so much for your response.

It is working now.

0 Karma