Hi All,
Could you help me create a drilldown table that will list all the ticket numbers based on the value of the resolution profile in another table?
Please see below my search query.
search query...| stats count by u_resolution_profiles | sort -count | rename count as "Number" u_resolution_profiles as "Resolution Profile"
Table view that is from my stats command:
Resolution Profile | Number
User Maintenance | 100
Thanks in advance
@NicoloPunzalan24, you can check out the Splunk Dashboard Examples app, which contains a lot of the different types of drilldown possible in Splunk.
From Splunk Enterprise 6.6 onward, drilldown can be customized directly from the UI. Refer to the documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/DrilldownIntro
Also refer to the documentation for the default tokens available in table drilldown: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#table_.28event_tokens.2...
Following is a run-anywhere dashboard similar to your question to mock the drilldown from the source table to the destination. Additionally, the depends attribute has been used to hide the table until a row from the first table is clicked.
<dashboard>
  <label>Drilldown from one table to another</label>
  <row>
    <panel>
      <table>
        <title>Main Table (Click Row to Drilldown)</title>
        <search>
          <query>index="_internal" sourcetype="splunkd" log_level!="INFO"
| stats count as "Number" by component
| sort - Number
| rename component as "Resolution Profile"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <!-- Clicking a row stores its "Resolution Profile" value in a token -->
        <drilldown>
          <set token="tokResolutionProfile">$row.Resolution Profile$</set>
        </drilldown>
      </table>
      <!-- Hidden until tokResolutionProfile is set by the drilldown above -->
      <table depends="$tokResolutionProfile$">
        <title>Drilldown Table</title>
        <search>
          <!-- The |s filter quotes and escapes the token value, so a clicked value containing quotes cannot break the search -->
          <query>| makeresults
| fields - _time
| eval "Resolution Profile"=$tokResolutionProfile|s$
          </query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>