Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Dashboards & Visualizations
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- When I click a value in a cell, why instead of sho...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Shan
Builder
07-17-2018
04:32 AM
Hai Friends,
Need your help in getting more idea about below topics.
In cell level drilldown. When i click a value in a cell, instead of showing single drilldown panel its showing me two drilldown panels. Because the cell(column) where i click have some decency with another cell(column) before it .. So both the drilldown panels are showing up.
Even though it has dependency i don't want two panel to be shown at the same time when i click single cell value .. when i click a particular cell . I want that particular drilldown panel need to be shown.
I know i can resolve this with condition and unset token option as advised by one of my good friend . But I'm unable to achieve it.
can someone please help me with a example or sample code for it ..
code provided below is sample code .
<form>
<label>shankar cell level drill down search by frn</label>
<row>
<panel>
<table>
<search>
<query>index="_internal" sourcetype="splunkd" log_level!="INFO"
| bin span=1h _time
| stats count by _time log_level component</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="log_level">$row.log_level$</set>
<set token="component">$row.component$</set>
<set token="count">$row.count$</set>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<title>$component$ Summary</title>
<input type="checkbox" token="tokReset" searchWhenChanged="true">
<label></label>
<change>
<unset token="log_level"></unset>
<unset token="form.tokReset"></unset>
</change>
<choice value="hide">Hide Details</choice>
<delimiter> </delimiter>
</input>
<table depends="$log_level$,$component$">
<search>
<query>
index="_internal" sourcetype="splunkd" log_level!="INFO"
| bin span=1h _time
| where log_level="$log_level$" AND component ="$component$"
| stats count by _time log_level component
| table log_level component _time count
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<link target="_blank">
</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<title>$log_level$ Summary</title>
<table depends="$log_level$">
<search>
<query>
index="_internal" sourcetype="splunkd" log_level!="INFO"
| bin span=1h _time
| where log_level="$log_level$"
| stats count by _time log_level component
| table log_level component _time count
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<link target="_blank">
</link>
</drilldown>
</table>
</panel>
</row>
</form>
Thanks in advance
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
07-17-2018
06:05 AM
Hi ,
Are you looking for something like this? I removed extra check box and added drilldown in detailed table itself to hide - click on detailed table to hide it.
<form>
<label>shankar cell level drill down search by frn</label>
<fieldset submitButton="false"></fieldset>
<row>
<panel>
<table>
<search>
<query>index="_internal" sourcetype="splunkd" log_level!="INFO"
| bin span=1h _time
| stats count by _time log_level component</query>
<earliest>-15m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<condition field="log_level">
<set token="log_depend">true</set>
<set token="log_level">$row.log_level$</set>
<set token="component">$row.component$</set>
<unset token="component_depend"></unset>
</condition>
<condition field="component">
<set token="component">$row.component$</set>
<set token="component_depend">true</set>
<set token="log_level">$row.log_level$</set>
<unset token="log_depend"></unset>
</condition>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<title>Component $component$ Summary</title>
<table depends="$component_depend$">
<search>
<query>
index="_internal" sourcetype="splunkd" log_level!="INFO"
| bin span=1h _time
| where log_level="$log_level$" AND component ="$component$"
| stats count by _time log_level component
| table log_level component _time count
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<unset token="component_depend"></unset>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<title>Log Level $log_level$ Summary</title>
<table depends="$log_depend$">
<search>
<query>
index="_internal" sourcetype="splunkd" log_level!="INFO"
| bin span=1h _time
| where log_level="$log_level$"
| stats count by _time log_level component
| table log_level component _time count
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<unset token="log_depend"></unset>
</drilldown>
</table>
</panel>
</row>
</form>
Happy Splunking!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
07-17-2018
06:05 AM
Hi ,
Are you looking for something like this? I removed extra check box and added drilldown in detailed table itself to hide - click on detailed table to hide it.
<form>
<label>shankar cell level drill down search by frn</label>
<fieldset submitButton="false"></fieldset>
<row>
<panel>
<table>
<search>
<query>index="_internal" sourcetype="splunkd" log_level!="INFO"
| bin span=1h _time
| stats count by _time log_level component</query>
<earliest>-15m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<condition field="log_level">
<set token="log_depend">true</set>
<set token="log_level">$row.log_level$</set>
<set token="component">$row.component$</set>
<unset token="component_depend"></unset>
</condition>
<condition field="component">
<set token="component">$row.component$</set>
<set token="component_depend">true</set>
<set token="log_level">$row.log_level$</set>
<unset token="log_depend"></unset>
</condition>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<title>Component $component$ Summary</title>
<table depends="$component_depend$">
<search>
<query>
index="_internal" sourcetype="splunkd" log_level!="INFO"
| bin span=1h _time
| where log_level="$log_level$" AND component ="$component$"
| stats count by _time log_level component
| table log_level component _time count
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<unset token="component_depend"></unset>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<title>Log Level $log_level$ Summary</title>
<table depends="$log_depend$">
<search>
<query>
index="_internal" sourcetype="splunkd" log_level!="INFO"
| bin span=1h _time
| where log_level="$log_level$"
| stats count by _time log_level component
| table log_level component _time count
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<unset token="log_depend"></unset>
</drilldown>
</table>
</panel>
</row>
</form>
Happy Splunking!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Shan
Builder
07-17-2018
10:47 PM
@renjith.nair Thank you very much for your response :-).. Yes i expect this one ..
I need to add one more column in the drilldown option. How to achieve it ..
I need help in achieving it ..
If i need to go with two more column filter in same drill down how can i achieve it ..
<form>
<label>shankar cell level drill down search by frn</label>
<fieldset submitButton="false"></fieldset>
<row>
<panel>
<table>
<search>
<query>index="_internal" sourcetype="splunkd" log_level!="INFO"
| bin span=1h _time
| stats count by _time log_level component</query>
<earliest>-15m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<condition field="log_level">
<set token="log_depend">true</set>
<set token="log_level">$row.log_level$</set>
<set token="component">$row.component$</set>
<unset token="component_depend"></unset>
</condition>
<condition field="component">
<set token="component">$row.component$</set>
<set token="component_depend">true</set>
<set token="log_level">$row.log_level$</set>
<unset token="log_depend"></unset>
</condition>
<condition field="_time">
<set token="_time">$row._time$</set>
<set token="tracktime">true</set>
<set token="log_level">$row.log_level$</set>
<unset token="log_depend"></unset>
</condition>
</drilldown>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<title>$_time$ Summary</title>
<table depends="$tracktime$">
<search>
<query>
index="_internal" sourcetype="splunkd" log_level!="INFO"
| bin span=1h _time
| where log_level="$log_level$" AND _time ="$_time$"
| stats count by _time log_level component
| table log_level component _time count
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<unset token="tracktime"></unset>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<title>Component $component$ Summary</title>
<table depends="$component_depend$">
<search>
<query>
index="_internal" sourcetype="splunkd" log_level!="INFO"
| bin span=1h _time
| where log_level="$log_level$" AND component ="$component$"
| stats count by _time log_level component
| table log_level component _time count
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<unset token="component_depend"></unset>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<title>Log Level $log_level$ Summary</title>
<table depends="$log_depend$">
<search>
<query>
index="_internal" sourcetype="splunkd" log_level!="INFO"
| bin span=1h _time
| where log_level="$log_level$"
| stats count by _time log_level component
| table log_level component _time count
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<unset token="log_depend"></unset>
</drilldown>
</table>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
07-18-2018
08:41 AM
Are you looking for something similar? If not just mention which token should go where
<form>
<label>shankar cell level drill down search by frn</label>
<fieldset submitButton="false"></fieldset>
<row>
<panel>
<table>
<search>
<query>index="_internal" sourcetype="splunkd" log_level!="INFO"
| bin span=1h _time
| stats count by _time log_level component</query>
<earliest>-24h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<condition field="log_level">
<set token="log_depend">true</set>
<set token="log_level">$row.log_level$</set>
<set token="component">$row.component$</set>
<unset token="component_depend"></unset>
<unset token="tracktime"></unset>
</condition>
<condition field="component">
<set token="component">$row.component$</set>
<set token="component_depend">true</set>
<set token="log_level">$row.log_level$</set>
<unset token="log_depend"></unset>
<unset token="tracktime"></unset>
</condition>
<condition field="_time">
<set token="time">$row._time$</set>
<set token="tracktime">true</set>
<set token="log_level">$row.log_level$</set>
<unset token="log_depend"></unset>
<unset token="component_depend"></unset>
</condition>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<title>$time$ Summary</title>
<table depends="$tracktime$">
<search>
<query>
index="_internal" sourcetype="splunkd" log_level!="INFO"
| bin span=1h _time
| where log_level="$log_level$" AND _time =strptime("$time$","%Y-%m-%dT%H:%M:%S.%3N%:z")
| stats count by _time log_level component
| table log_level component _time count
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<unset token="tracktime"></unset>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<title>Component $component$ Summary</title>
<table depends="$component_depend$">
<search>
<query>
index="_internal" sourcetype="splunkd" log_level!="INFO"
| bin span=1h _time
| where log_level="$log_level$" AND component ="$component$"
| stats count by _time log_level component
| table log_level component _time count
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<unset token="component_depend"></unset>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<title>Log Level $log_level$ Summary</title>
<table depends="$log_depend$">
<search>
<query>
index="_internal" sourcetype="splunkd" log_level!="INFO"
| bin span=1h _time
| where log_level="$log_level$"
| stats count by _time log_level component
| table log_level component _time count
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<unset token="log_depend"></unset>
</drilldown>
</table>
</panel>
</row>
</form>
Happy Splunking!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Shan
Builder
07-19-2018
02:17 AM
@ renjith.nair -- Thank you very much for your detail explanation 🙂 ..
Yes i got what i needed ..
Get Updates on the Splunk Community!
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
Introducing the 2024 Splunk MVPs!
We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...
Splunk Custom Visualizations App End of Life
The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...
