Dashboards & Visualizations

Why is the transaction command in dashboard not allowing users to click on the tabled results to see raw events in a new search window?

sbattista09
Contributor

I have a user that can’t click on a cell value in a table on a dashboard to open the search in a new search window to see raw events. Is this a bug with the transaction command?

sourcetype=prod_app* app_name=* environment=* source=*logsNstuff.log "Code1:" OR "Code2:" | transaction app_name environment host startswith=Code1 endswith=Code2::  | count table app_name environment
0 Karma

lguinn2
Legend

This is not a bug with the transaction command; it is inherent in how the command works. The transaction command creates a new event from the original events, so there is nowhere to "drill down." If you want a drill-down in the dashboard, you can write a custom drill-down; here is the documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/DrilldownIntro
I generally recommend custom drill-downs for dashboards; they are pretty easy and provide a much cleaner interface for users.
Note that most dashboard panels have an "open in search" magnifying glass; for more sophisticated users, this is an alternative to drill-down that allows them to see the underlying search and manipulate it as desired.

0 Karma

sbattista09
Contributor

Thanks Iguinn, the person creating the dashboard is very knowledgeable, but for other users who only use Splunk for troubleshooting applications, the magnifying glass option and then editing a raw search may not be the best thing. We will try out creating a custom drill-down.

However, is there a different command we can use to bypass this issue?

0 Karma

lguinn2
Legend

When you need to group events using the startswith= and endswith= options, it is generally very difficult to replace that with stats.
Is there another field that represents something like a "session id" that could be used to group events, instead of the startswith/endswith?

0 Karma

493669
Super Champion

Is it happening with only one user or with everyone?

0 Karma

sbattista09
Contributor

It's everyone.

0 Karma