Hi,
I have a single value in my dashboard, i want users to be able to drilldown on this value. When they do a new search has to be executed. We run version 6.5.2 so we dont yet have the drilldowneditor.
I thougt i just could add this to the source:
drilldown>
search?q=index=zzz earliest=-h sourcetype= "xxx" OR sourcetype="yyyy"
| eval eA_Z=strptime(A_Z,"%Y-%m-%d %H:%M:%S.%N")
| eval eD_A_I=coalesce(strptime(eD_A_I, "%Y-%m-%d %H:%M:%S.%N"),now())
| eval G_w =floor((eD_A_I-eA_Z)/86400)
| search G_w <= 14
But this does not work. Why not?
Hi
Can you please try below drilldown code in Single View?
<single>
<search>
<query>index="_internal" | stats count</query>
<earliest>-15m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">all</option>
<drilldown>
<link target="_blank"> <![CDATA[ search?q=index=zzz earliest=-h sourcetype= "xxx" OR sourcetype="yyyy" | eval eA_Z=strptime(A_Z,"%25Y-%25m-%25d %25H:%25M:%25S.%25N") | eval eD_A_I=coalesce(strptime(eD_A_I, "%25Y-%25m-%25d %25H:%25M:%25S.%25N"),now()) | eval G_w =floor((eD_A_I-eA_Z)/86400) | search G_w <= 14&earliest=-15m&latest=now ]]> </link>
</drilldown>
</single>
I have used your search in drilldown. So just copy drilldown code and place into your dashboard.
Happy Splunking
Hai Kamlesh, What does this do?
Is this a dummy search where i have to put my own initial search? I dont understand the "_internal"
How do you come by the '25Y-%25m-%25d %25H' , what does the number 25 mean?
Hi @Mike6960,
Yes, index="_internal" | stats count
is a dummy search.
As you go with your OLD drilldown, you will find javascript error in console (after drilldown page).
I have replaced special character with HTML URL encoding character. In our case, for datetime format, %
is replaced with %25
;
So I format "%Y-%m-%d %H:%M:%S.%N"
to "%25Y-%25m-%25d %25H:%25M:%25S.%25N"
please check below link for more information.
https://www.w3schools.com/tags/ref_urlencode.asp
Happy Splunking
Ok, and what is the purpose of:
I am trying to understand, so i can replicate it next time. How do you come by: !DATA in your search? Why did you use;
G_w <= 14&earliest=-15m&latest=now ?
I want the result that have <= 14 days. I dont understand what you posted
is not a part of search.
is used for creating drilldown link with special character.
Some characters have special meaning in Simple XML files. To prevent the source code parser from treating them as special characters, wrap them in tags.
The search used in my code is from your question.
drilldown>
search?q=index=zzz earliest=-h sourcetype= "xxx" OR sourcetype="yyyy" | eval eA_Z=strptime(A_Z,"%Y-%m-%d %H:%M:%S.%N") | eval eD_A_I=coalesce(strptime(eD_A_I, "%Y-%m-%d %H:%M:%S.%N"),now()) | eval G_w =floor((eD_A_I-eA_Z)/86400) | search G_w <= 14
And G_w <= 14
is a part of that search and &earliest=-15m&latest=now
is the time frame to execute provided search.
Sadly, still struggling. I used your code but isn't working yet. Is it possible to do this through the drilldowneditor? I tried to use this feature but somehow after saving the search is altered. Is this because the special characters?
HI
Yeah, drilldowneditor will change it.
Can you please share panel's xml code? So I can check whether it is due to special character or not.
Please use 101010
when you share code.
Thanks
This encoding will not break drilldown URL and execute as per expectation.
Can you please try this?
Thanks
Hi Mike6960,
why do you want to insert search in drilldown?
create a new dashboard with your search and launch it in drilldown
<drilldown>
<link>my_secondary_dashboard?TimeDa=$Time.earliest$&TimeA=$Time.latest$</link>
</drilldown>
From a Single Value you don't have parameters to pass in drilldown, but anyway I suggest to pass time period.
Bye.
Giuseppe
Hi Giuseppe,
Because i have 8 single values in mu dashboard, by passing it down to an 'new' dashboard i would have to maken 8 new dashboards...
Your Single Values have the same search with some specific filter or they are completely different?
if different you have to create one secondary dashboard for each type of dashboard
If same search, put in secondary dashboard panels with the same search and pass as parameter the specific filter of Single Value.
An example:
if you have five SVs with five levels of risk, put in the secondary dashboard a search like this
my_search risk_level=$level$
|.....
and in SV1 drilldowns put
<drilldown>
<link>my_secondary_dashboard?level=1&TimeDa=$Time.earliest$&TimeA=$Time.latest$</link>
</drilldown>
and so on
Bye.
Giuseppe
So in short, its not possible to render a basic search by clicking on a single-value without making a new dashboard?
when you say basic render you're meaning to open the search&reporting dashboard with the same search? in other words like the command "Open in search"?
See in Dashboard Examples how to do this in "Drilldown to search" example.
In simple words put "All" in drilldown toption name
<option name="drilldown">all</option>
Bye.
Giuseppe