Why is the transaction command in dashboard not allowing users to click on the tabled results to see raw events in a new search window?

sbattista09
Contributor

I have a user that can’t click on a cell value in a table on a dashboard to open the search in a new search window to see raw events. Is this a bug with the transaction command?

sourcetype=prod_app* app_name=* environment=* source=*logsNstuff.log "Code1:" OR "Code2:" | transaction app_name environment host startswith=Code1 endswith=Code2::  | count table app_name environment
0 Karma

lguinn2
Legend

This is not a bug with the transaction command; it is inherent in how the command works. The transaction command creates a new event from the original events, so there is nowhere to "drill down." If you want a drill-down in the dashboard, you can write a custom drill-down; here is the documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/DrilldownIntro
I generally recommend custom drill-downs for dashboards; they are pretty easy and provide a much cleaner interface for users.
Note that most dashboard panels have an "open in search" magnifying glass; for more sophisticated users, this is an alternative to drill-down that allows them to see the underlying search and manipulate it as desired.

0 Karma
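A custom drill-down of the kind recommended in the reply above, as an added Simple XML example that is not part of the original thread. The dashboard label, the time range, the trailing `| table` clause and the choice of `app_name`, `environment` and `host` as drill-down filters are assumptions for illustration.

```xml
<dashboard>
  <!-- Label and time range are assumed values, not from the thread -->
  <label>Code1/Code2 transactions</label>
  <row>
    <panel>
      <table>
        <search>
          <!-- Base search from the question; the "| table" tail is an
               assumption. host is kept as a column so that $row.host$
               is available to the drill-down. -->
          <query>sourcetype=prod_app* app_name=* environment=* source=*logsNstuff.log "Code1:" OR "Code2:"
            | transaction app_name environment host startswith="Code1:" endswith="Code2:"
            | table app_name environment host duration eventcount</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- Make the whole row clickable rather than a single cell -->
        <option name="drilldown">row</option>
        <drilldown>
          <!-- Re-run the raw (pre-transaction) search in a new window,
               narrowed to the clicked row. |u URL-encodes each value;
               $earliest$/$latest$ carry over the panel's time range. -->
          <link target="_blank">search?q=search sourcetype=prod_app* app_name="$row.app_name|u$" environment="$row.environment|u$" host="$row.host|u$" source=*logsNstuff.log "Code1:" OR "Code2:"&amp;earliest=$earliest$&amp;latest=$latest$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```

The linked search covers the panel's whole time range for that app, environment and host, so it returns the raw events of every matching transaction in the window, not only the one clicked.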

sbattista09
Contributor

Thanks Iguinn. The person creating the dashboard is very knowledgeable, but for other users who only use Splunk for troubleshooting applications, the magnifying glass option and then editing a raw search may not be the best thing. We will try out creating a custom drill-down.

However, is there a different command we can use to bypass this issue?

0 Karma

lguinn2
Legend

When you need to group events using the startswith= and endswith= options, it is generally very difficult to replace that with stats.
Is there another field that represents something like a "session id" that could be used to group events, instead of the startswith/endswith?

0 Karma

493669
Super Champion

Is it happening with only one user or with everyone?

0 Karma

sbattista09
Contributor

It's everyone.

0 Karma