drilldown on a single value

Mike6960
Path Finder

Hi,

I have a single value in my dashboard, and I want users to be able to drill down on this value. When they do, a new search has to be executed. We run version 6.5.2, so we don't yet have the drilldown editor.

I thought I could just add this to the source:

drilldown>
search?q=index=zzz earliest=-h sourcetype= "xxx" OR sourcetype="yyyy"

| eval eA_Z=strptime(A_Z,"%Y-%m-%d %H:%M:%S.%N")
| eval eD_A_I=coalesce(strptime(eD_A_I, "%Y-%m-%d %H:%M:%S.%N"),now())
| eval G_w =floor((eD_A_I-eA_Z)/86400)
| search G_w <= 14

But this does not work. Why not?

0 Karma

kamlesh_vaghela
SplunkTrust

Hi

Can you please try the drilldown code below in the Single View?

<single>
  <search>
    <query>index="_internal" | stats count</query>
    <earliest>-15m</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <option name="drilldown">all</option>
  <drilldown>
    <link target="_blank"> <![CDATA[ search?q=index=zzz earliest=-h sourcetype= "xxx" OR sourcetype="yyyy" | eval eA_Z=strptime(A_Z,"%25Y-%25m-%25d %25H:%25M:%25S.%25N") | eval eD_A_I=coalesce(strptime(eD_A_I, "%25Y-%25m-%25d %25H:%25M:%25S.%25N"),now()) | eval G_w =floor((eD_A_I-eA_Z)/86400) | search G_w <= 14&earliest=-15m&latest=now ]]> </link>
  </drilldown>
</single>

I have used your search in drilldown. So just copy drilldown code and place into your dashboard.

Happy Splunking

0 Karma

Mike6960
Path Finder

Hi Kamlesh, what does this do?

index="_internal" | stats count
Is this a dummy search where I have to put my own initial search? I don't understand the "_internal".
How do you come by the '25Y-%25m-%25d %25H'? What does the number 25 mean?

0 Karma

kamlesh_vaghela
SplunkTrust

Hi @Mike6960,

Yes, index="_internal" | stats count is a dummy search.

As you go with your OLD drilldown, you will find a JavaScript error in the console (after the drilldown page).

I have replaced the special characters with their HTML URL-encoded characters. In our case, for the datetime format, % is replaced with %25.

So I format "%Y-%m-%d %H:%M:%S.%N" to "%25Y-%25m-%25d %25H:%25M:%25S.%25N"

Please check the link below for more information.

https://www.w3schools.com/tags/ref_urlencode.asp

Happy Splunking

0 Karma

Mike6960
Path Finder

Ok, and what is the purpose of:

0 Karma

Mike6960
Path Finder

I am trying to understand, so I can replicate it next time. How do you come by: !DATA in your search? Why did you use:
G_w <= 14&earliest=-15m&latest=now ?
I want the results that have <= 14 days. I don't understand what you posted.

0 Karma

kamlesh_vaghela
SplunkTrust

is not a part of search.
is used for creating drilldown link with special character.

Some characters have special meaning in Simple XML files. To prevent the source code parser from treating them as special characters, wrap them in tags.

The search used in my code is from your question.

drilldown>
search?q=index=zzz earliest=-h sourcetype= "xxx" OR sourcetype="yyyy" | eval eA_Z=strptime(A_Z,"%Y-%m-%d %H:%M:%S.%N") | eval eD_A_I=coalesce(strptime(eD_A_I, "%Y-%m-%d %H:%M:%S.%N"),now()) | eval G_w =floor((eD_A_I-eA_Z)/86400) | search G_w <= 14

And G_w <= 14 is a part of that search and &earliest=-15m&latest=now is the time frame to execute provided search.

0 Karma
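
The two encoding layers discussed in this thread (percent-encoding the search inside the URL, then making the URL safe inside Simple XML with CDATA or `&amp;`), shown as an added Python example that is not code from any poster. It goes beyond the thread's `%` to `%25` replacement by percent-encoding every reserved character; the helper names are made up for illustration, and the search string is the one quoted in the thread.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlencode, urlsplit
from xml.sax.saxutils import escape

# Hypothetical helper names; the search is the one quoted on one line in the thread.
SPL = ('index=zzz earliest=-h sourcetype= "xxx" OR sourcetype="yyyy" '
       '| eval eA_Z=strptime(A_Z,"%Y-%m-%d %H:%M:%S.%N") '
       '| eval eD_A_I=coalesce(strptime(eD_A_I, "%Y-%m-%d %H:%M:%S.%N"),now()) '
       '| eval G_w =floor((eD_A_I-eA_Z)/86400) '
       '| search G_w <= 14')

def malformed_escapes(url):
    """Return every '%' not followed by two hex digits (strict URL decoders reject these)."""
    return re.findall(r'%(?![0-9A-Fa-f]{2}).{0,2}', url)

def drilldown_url(spl, earliest, latest):
    """Percent-encode each value, so '%' becomes '%25' and '&', '<', '|' stay inside q."""
    params = {"q": spl, "earliest": earliest, "latest": latest}
    return "search?" + urlencode(params, quote_via=quote)

def link_element(url, use_cdata=True):
    """Embed the URL in a <link>: CDATA keeps it verbatim, otherwise '&' becomes '&amp;'."""
    if use_cdata:
        if "]]>" in url:  # the one sequence a CDATA section cannot contain
            raise ValueError("URL contains the CDATA terminator")
        body = "<![CDATA[" + url + "]]>"
    else:
        body = escape(url)
    return '<link target="_blank">' + body + "</link>"

def is_well_formed(xml_text):
    """True if an XML parser accepts the fragment."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def round_trip(link_xml):
    """Parse the element as XML, then decode the query string back into its parameters."""
    url = ET.fromstring(link_xml).text
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

if __name__ == "__main__":
    raw = "search?q=" + SPL + "&earliest=-15m&latest=now"
    print(malformed_escapes(raw))                       # bare strptime specifiers
    print(is_well_formed("<link>" + raw + "</link>"))   # unescaped '<' and '&'
    print(link_element(drilldown_url(SPL, "-15m", "now")))
```
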

Mike6960
Path Finder

Sadly, still struggling. I used your code but it isn't working yet. Is it possible to do this through the drilldown editor? I tried to use this feature but somehow, after saving, the search is altered. Is this because of the special characters?

0 Karma

kamlesh_vaghela
SplunkTrust

Hi

Yeah, the drilldown editor will change it.

Can you please share the panel's XML code? So I can check whether it is due to a special character or not.

Please use 101010 when you share code.

Thanks

0 Karma

kamlesh_vaghela
SplunkTrust

This encoding will not break drilldown URL and execute as per expectation.

Can you please try this?

Thanks

0 Karma

gcusello
SplunkTrust

Hi Mike6960,
Why do you want to insert a search in the drilldown?
Create a new dashboard with your search and launch it in the drilldown.

<drilldown>
  <link>my_secondary_dashboard?TimeDa=$Time.earliest$&amp;TimeA=$Time.latest$</link>
</drilldown>

From a Single Value you don't have parameters to pass in drilldown, but anyway I suggest to pass time period.
Bye.
Giuseppe

0 Karma

Mike6960
Path Finder

Hi Giuseppe,

Because I have 8 single values in my dashboard, by passing it down to a 'new' dashboard I would have to make 8 new dashboards...

0 Karma

gcusello
SplunkTrust

Do your Single Values have the same search with some specific filter, or are they completely different?
If different, you have to create one secondary dashboard for each type of dashboard.
If the same search, put panels with the same search in the secondary dashboard and pass the specific filter of the Single Value as a parameter.
An example:
if you have five SVs with five levels of risk, put in the secondary dashboard a search like this

my_search risk_level=$level$
|.....

and in SV1 drilldowns put

 <drilldown>
   <link>my_secondary_dashboard?level=1&amp;TimeDa=$Time.earliest$&amp;TimeA=$Time.latest$</link>
 </drilldown>

and so on

Bye.
Giuseppe

0 Karma

Mike6960
Path Finder

So in short, it's not possible to render a basic search by clicking on a single value without making a new dashboard?

0 Karma

gcusello
SplunkTrust

When you say basic render, do you mean to open the Search & Reporting dashboard with the same search? In other words, like the command "Open in search"?

See in Dashboard Examples how to do this in the "Drilldown to search" example.
In simple words, put "All" in the drilldown option name

<option name="drilldown">all</option>

Bye.
Giuseppe

0 Karma