Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Drilldown condition match tag not working for query itself as a token

akarivaratharaj
Communicator
‎08-31-2017 04:05 AM

I am trying to make drill down in the same dashboard of Splunk Enterprise 6.4.2 version.
In the panel1, there is a pie chart with two options namely FileInspector and UMB. I am taking the input of clicked value, token as "feature" from panel1 and passing it to panel2.
In the condition part if my token $feature$ = "FileInspector", then I am setting a Query1 itself as a token called "$querytocall$". If the token $feature$ = "UMB", then setting other Query2 to the same token "$querytocall$".

At last I am passing that token "$querytocall$" itself as a search query for the Panel2. But this is not working. My panel2 is showing as "waiting for the input". Below is the code

    <drilldown>
      <set token="feature">$click.value$</set>
    </drilldown>
  </chart>
</panel>
<panel depends="$feature$">
  <title>$feature$ - Exception From Hosts Details</title>
  <chart>
    <change>
      <condition match="$feature$ == &quot;FileInspector&quot; ">
        <set token="querytocall">index=x | rex "Caused by: (?P<exception>[^\"](.+?)(.+?):)" |stats count(exception) as "No of Occurences" by  host |  table host, "No of Occurences"</set>
      </condition>
      <condition match="$feature$ == &quot;UMB&quot; ">
        <set token="querytocall">index=y |stats count as "No of Occurences" by  host |  table host, "No of Occurences"</set>
      </condition>
    </change>
    <search>
      <query>$querytocall$</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>

Could anyone please help me on this.

Reply
1 Solution
Solved! Jump to solution
Solution

rjthibod
Champion
‎08-31-2017 04:26 AM

This will not work as you have it, because there is no <change> handler for <chart>. You need to move the logic for <change> into the top-level drilldown section. Try this. Not, you have to use the HTML encoded versions of <, >, and " inside the token values. Already changed it for you.

     <drilldown>
      <condition match="$click.value$ == &quot;FileInspector&quot;">
       <set token="feature">$click.value$</set>
       <set token="querytocall">index=x | rex &quot;Caused by: (?P<exception>[^\&quot;](.+?)(.+?):)&quot; |stats count(exception) as &quot;No of Occurences&quot; by  host |  table host, &quot;No of Occurences&quot;</set>
      </condition>
      <condition match="$click.value$ == &quot;UMB&quot;">
        <set token="feature">$click.value$</set>
        <set token="querytocall">index=y |stats count as &quot;No of Occurences&quot; by  host |  table host, &quot;No of Occurences&quot;</set>
      </condition>
     </drilldown>
   </chart>
 </panel>
 <panel depends="$feature$">
   <title>$feature$ - Exception From Hosts Details</title>
   <chart>
     <search>
       <query>$querytocall$</query>
       <earliest>$field1.earliest$</earliest>
       <latest>$field1.latest$</latest>
     </search>

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rjthibod
Champion
‎08-31-2017 04:26 AM

This will not work as you have it, because there is no <change> handler for <chart>. You need to move the logic for <change> into the top-level drilldown section. Try this. Not, you have to use the HTML encoded versions of <, >, and " inside the token values. Already changed it for you.

     <drilldown>
      <condition match="$click.value$ == &quot;FileInspector&quot;">
       <set token="feature">$click.value$</set>
       <set token="querytocall">index=x | rex &quot;Caused by: (?P<exception>[^\&quot;](.+?)(.+?):)&quot; |stats count(exception) as &quot;No of Occurences&quot; by  host |  table host, &quot;No of Occurences&quot;</set>
      </condition>
      <condition match="$click.value$ == &quot;UMB&quot;">
        <set token="feature">$click.value$</set>
        <set token="querytocall">index=y |stats count as &quot;No of Occurences&quot; by  host |  table host, &quot;No of Occurences&quot;</set>
      </condition>
     </drilldown>
   </chart>
 </panel>
 <panel depends="$feature$">
   <title>$feature$ - Exception From Hosts Details</title>
   <chart>
     <search>
       <query>$querytocall$</query>
       <earliest>$field1.earliest$</earliest>
       <latest>$field1.latest$</latest>
     </search>
0 Karma
Reply
Solved! Jump to solution

akarivaratharaj
Communicator
‎08-31-2017 04:39 AM

Hi rjthibod,

Thankyou so much for your response.

It is working now.

0 Karma
Reply
Get Updates on the Splunk Community!

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...