I am trying to make drill down in the same dashboard of Splunk Enterprise 6.4.2 version.
In the panel1, there is a pie chart with two options namely FileInspector and UMB. I am taking the input of clicked value, token as "feature" from panel1 and passing it to panel2.
In the condition part if my token $feature$ = "FileInspector", then I am setting a Query1 itself as a token called "$querytocall$". If the token $feature$ = "UMB", then setting other Query2 to the same token "$querytocall$".
At last I am passing that token "$querytocall$" itself as a search query for the Panel2. But this is not working. My panel2 is showing as "waiting for the input". Below is the code
<drilldown>
<set token="feature">$click.value$</set>
</drilldown>
</chart>
</panel>
<panel depends="$feature$">
<title>$feature$ - Exception From Hosts Details</title>
<chart>
<change>
<condition match="$feature$ == "FileInspector" ">
<set token="querytocall">index=x | rex "Caused by: (?P<exception>[^\"](.+?)(.+?):)" |stats count(exception) as "No of Occurences" by host | table host, "No of Occurences"</set>
</condition>
<condition match="$feature$ == "UMB" ">
<set token="querytocall">index=y |stats count as "No of Occurences" by host | table host, "No of Occurences"</set>
</condition>
</change>
<search>
<query>$querytocall$</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
Could anyone please help me on this.
This will not work as you have it, because there is no <change>
handler for <chart>
. You need to move the logic for <change>
into the top-level drilldown section. Try this. Not, you have to use the HTML encoded versions of <
, >
, and "
inside the token values. Already changed it for you.
<drilldown>
<condition match="$click.value$ == "FileInspector"">
<set token="feature">$click.value$</set>
<set token="querytocall">index=x | rex "Caused by: (?P<exception>[^\"](.+?)(.+?):)" |stats count(exception) as "No of Occurences" by host | table host, "No of Occurences"</set>
</condition>
<condition match="$click.value$ == "UMB"">
<set token="feature">$click.value$</set>
<set token="querytocall">index=y |stats count as "No of Occurences" by host | table host, "No of Occurences"</set>
</condition>
</drilldown>
</chart>
</panel>
<panel depends="$feature$">
<title>$feature$ - Exception From Hosts Details</title>
<chart>
<search>
<query>$querytocall$</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
This will not work as you have it, because there is no <change>
handler for <chart>
. You need to move the logic for <change>
into the top-level drilldown section. Try this. Not, you have to use the HTML encoded versions of <
, >
, and "
inside the token values. Already changed it for you.
<drilldown>
<condition match="$click.value$ == "FileInspector"">
<set token="feature">$click.value$</set>
<set token="querytocall">index=x | rex "Caused by: (?P<exception>[^\"](.+?)(.+?):)" |stats count(exception) as "No of Occurences" by host | table host, "No of Occurences"</set>
</condition>
<condition match="$click.value$ == "UMB"">
<set token="feature">$click.value$</set>
<set token="querytocall">index=y |stats count as "No of Occurences" by host | table host, "No of Occurences"</set>
</condition>
</drilldown>
</chart>
</panel>
<panel depends="$feature$">
<title>$feature$ - Exception From Hosts Details</title>
<chart>
<search>
<query>$querytocall$</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
Hi rjthibod,
Thankyou so much for your response.
It is working now.