All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Three charts to the same panel

t_laios
Engager
‎11-01-2012 02:28 AM

Hello, I am new to the forum, please forgive me for that if I make a mistake.
I made the following code and I want the drilldown to show me a table each time you select a field from the pie charts.

I tried this example but did not work.

http://splunk-base.splunk.com/answers/56050/eventsviewer-drilldowns-from-2-charts-update-the-same-pa...

CODE

<module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">`networkindex` type=ips  | top limit=10 attack_name</param>
    <module name="HiddenChartFormatter">
      <param name="charting.chart">pie</param>
      <module name="JobProgressIndicator"/>

      <!-- here's the FlashChart that we'll click on -->
      <module name="FlashChart">
        <param name="width">100%</param>
        <param name="height">180px</param>
        <param name="enableResize">False</param>

        <!-- we swap out the search to be a timechart.  -->
        <module name="HiddenSearch">
          <param name="search">`networkindex` type=ips | fields _time attack_name src_ip dest_ip src_port dest_port dest_app | fields - _raw </param>
          <!-- this module will grab the value we clicked on and put it in as a searchterm,   series="someSourcetype".   -->
          <module name="ConvertToIntention" layoutPanel="panel_row4_col1">
            <param name="intention">
              <param name="name">addterm</param>
              <param name="arg">
                <param name="attack_name">$click.value$</param>
              </param>
              <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
              <param name="flags"><list>indexed</list></param>
            </param>

            <!-- finally, we render the search in another FlashChart, and we throw in a JobProgressIndicator for good measure. -->
            <module name="JobProgressIndicator"></module>
               <module name="Pager">
                       <param name="count">10</param>
                 <module name="SimpleResultsTable">
                        <param name="drilldown">row</param>
            </module>
          </module>
        </module>
    </module>
        </module>
      </module>
    </module>

    <module name="HiddenSearch" layoutPanel="panel_row1_col2" group="Top 10 Users" autoRun="True">
    <param name="search">`networkindex` type=ips user!=n/a | top limit=10 user | fields user, count</param> 
    <param name="groupLabel">Top 10 Users</param>

    <module name="ViewstateAdapter">
    <module name="HiddenFieldPicker">
        <param name="strictMode">True</param>
        <module name="JobProgressIndicator">
        <module name="EnablePreview">
            <param name="enable">True</param>
            <param name="display">False</param>
            <module name="HiddenChartFormatter">
                <param name="charting.chart">bar</param>
                <module name="FlashChart">
                    <param name="width">100%</param>
                        <param name="enableResize">true</param>

                                <module name="HiddenSearch">
          <param name="search">`networkindex` type=ips user!=n/a | fields _time user src_ip dest_ip src_port dest_port dest_app | fields - _raw </param>

          <!-- this module will grab the value we clicked on and put it in as a searchterm,   series="someSourcetype".   -->
          <module name="ConvertToIntention" layoutPanel="panel_row4_col1">
            <param name="intention">
              <param name="name">addterm</param>
              <param name="arg">
                <param name="user">$click.value$</param>
              </param>
              <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
              <param name="flags"><list>indexed</list></param>
            </param>

            <!-- finally, we render the search in another FlashChart, and we throw in a JobProgressIndicator for good measure. -->
            <module name="JobProgressIndicator"></module>
               <module name="Pager">
                       <param name="count">10</param>
                 <module name="SimpleResultsTable">
                        <param name="drilldown">row</param>
            </module>
          </module>
        </module>
    </module>
        </module>
      </module>
    </module>

                            </module>
                        </module>   
                </module>
            </module>

        </module>

    <module name="HiddenSearch" layoutPanel="panel_row3_col1" group="Service" autoRun="True">
    <param name="search">`networkindex` type=ips | table dest_app | chart count(dest_app) over dest_app </param>    
    <param name="groupLabel">Service</param>

    <module name="ViewstateAdapter">
    <module name="HiddenFieldPicker">
        <param name="strictMode">True</param>
        <module name="JobProgressIndicator">
        <module name="EnablePreview">
            <param name="enable">True</param>
            <param name="display">False</param>
            <module name="HiddenChartFormatter">
                <param name="charting.chart">pie</param>
                <module name="FlashChart">
                    <param name="width">100%</param>
                        <param name="enableResize">true</param>

                        <module name="HiddenSearch">
          <param name="search">`networkindex` type=ips | fields _time dest_app src_ip dest_ip src_port dest_port | fields - _raw </param>
          <!-- this module will grab the value we clicked on and put it in as a searchterm,   series="someSourcetype".   -->
          <module name="ConvertToIntention" layoutPanel="panel_row4_col1">
            <param name="intention">
              <param name="name">addterm</param>
              <param name="arg">
                <param name="dest_app">$click.value$</param>
              </param>
              <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
              <param name="flags"><list>indexed</list></param>
            </param>

            <!-- finally, we render the search in another FlashChart, and we throw in a JobProgressIndicator for good measure. -->
            <module name="JobProgressIndicator"></module>
               <module name="Pager">
                       <param name="count">10</param>
                 <module name="SimpleResultsTable">
                        <param name="drilldown">row</param>
            </module>
          </module>
        </module>
    </module>
        </module>
      </module>
    </module>

                </module>
            </module>
        </module>
        </module>

    <module name="Tabs" layoutPanel="panel_row3_col2" autoRun="True">
        <param name="name">selectedTab</param>
        <param name="staticTabs">
          <list>
        <param name="label">Attacks</param>
        <param name="value">attack_name</param>
          </list>
          <list>
        <param name="label">Service</param>
        <param name="value">dest_app</param>
          </list>
          <list>
        <param name="label">Source IP</param>
        <param name="value">src_ip</param>
          </list>
          <list>
        <param name="label">Destination IP</param>
        <param name="value">dest_ip</param>
          </list>
          <list>
        <param name="label">User</param>
        <param name="value">user</param>
          </list>

        </param>


        <module name="Search">    
        <param name="search">`networkindex` type=ips | stats  sparkline count by $selectedTab$ | sort -count</param>  
        <module name="Pager">
        <param name="count">10</param>
          <module name="SimpleResultsTable">
            <param name="drilldown">row</param>
          </module>
        </module>
         </module>
Reply

sideview
SplunkTrust
SplunkTrust
‎06-28-2013 11:44 PM

You are using Sideview Utils in some places, and not in others, which I think is most of your confusion.

I went ahead and quickly cleaned up your view, and took out places where you were still using intentions, replaced HiddenSearch modules with Search.

Also a lot of your config looks like it was once upon a time converted from "simple xml". Unfortunately the splunk simple xml system has a number of longstanding bugs in it, such that the equivalent Advanced XML, once converted, has a bunch of meaningless or redundant params and modules in it, and it always has 4 extra layers of indentation. I've removed these as well.

You might want to double check all the layoutPanels because I might have messed those up as I was cleaning things up and removing modules. 

<module name="AccountBar" layoutPanel="appHeader" />

<module name="AppBar" layoutPanel="appHeader" />

<module name="SideviewUtils" layoutPanel="appHeader" />

<module name="Message" layoutPanel="messaging">
  <param name="filter">*</param>
  <param name="maxSize">2</param>
  <param name="clearOnJobDispatch">False</param>
</module>

<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search"><![CDATA[
    `networkindex` type=ips  | top limit=10 attack_name
  ]]></param>

  <module name="HiddenChartFormatter">
    <param name="charting.chart">pie</param>

    <module name="JobProgressIndicator" />

    <module name="FlashChart">
      <param name="width">100%</param>
      <param name="height">180px</param>
      <param name="enableResize">False</param>

      <module name="Search">
        <param name="search">`networkindex` type=ips attack_name="$click.value$" | fields _time attack_name src_ip dest_ip src_port dest_port dest_app | fields - _raw </param>

        <module name="JobProgressIndicator" />

        <module name="Pager">

          <module name="SimpleResultsTable" />
        </module>
      </module>
    </module>
  </module>
</module>

<module name="Search" layoutPanel="panel_row1_col2" group="Top 10 Users" autoRun="True">
  <param name="search">`networkindex` type=ips user!=n/a | top limit=10 user | fields user, count</param>

  <module name="JobProgressIndicator" />

  <module name="EnablePreview">
    <param name="enable">True</param>
    <param name="display">False</param>
  </module>

  <module name="HiddenChartFormatter">
    <param name="charting.chart">bar</param>

    <module name="FlashChart">
      <param name="width">100%</param>
      <param name="enableResize">true</param>

      <module name="Search">
        <param name="search">`networkindex` type=ips user="$click.value$" | fields _time user src_ip dest_ip src_port dest_port dest_app | fields - _raw </param>

        <module name="JobProgressIndicator"  layoutPanel="panel_row4_col1"/>

        <module name="Pager" layoutPanel="panel_row4_col1">

          <module name="SimpleResultsTable" />
        </module>
      </module>
    </module>
  </module>
</module>

<module name="Search" layoutPanel="panel_row3_col1" group="Service" autoRun="True">
  <param name="search">`networkindex` type=ips | table dest_app | chart count(dest_app) over dest_app </param>

  <module name="JobProgressIndicator" />

  <module name="EnablePreview">
    <param name="enable">True</param>
    <param name="display">False</param>
  </module>

  <module name="HiddenChartFormatter">
    <param name="charting.chart">pie</param>

    <module name="FlashChart">
      <param name="width">100%</param>
      <param name="enableResize">true</param>

      <module name="Search">
        <param name="search">`networkindex` type=ips dest_app="$click.value$" | fields _time dest_app src_ip dest_ip src_port dest_port | fields - _raw </param>

        <module name="JobProgressIndicator"  layoutPanel="panel_row4_col1"/>

        <module name="Pager" layoutPanel="panel_row4_col1">

          <module name="SimpleResultsTable" />
        </module>
      </module>
    </module>
  </module>
</module>

<module name="Tabs" layoutPanel="panel_row3_col2" autoRun="True">
  <param name="name">selectedTab</param>
  <param name="staticTabs">
    <list>
      <param name="label">Attacks</param>
      <param name="value">attack_name</param>
    </list>
    <list>
      <param name="label">Service</param>
      <param name="value">dest_app</param>
    </list>
    <list>
      <param name="label">Source IP</param>
      <param name="value">src_ip</param>
    </list>
    <list>
      <param name="label">Destination IP</param>
      <param name="value">dest_ip</param>
    </list>
    <list>
      <param name="label">User</param>
      <param name="value">user</param>
    </list>
  </param>

  <module name="Search">
    <param name="search">`networkindex` type=ips | stats  sparkline count by $selectedTab$ | sort -count</param>

    <module name="Pager">

      <module name="SimpleResultsTable">
        <param name="drilldown">row</param>
      </module>
    </module>
  </module>
</module>
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...