Dashboards & Visualizations

How to add a drilldown in bar chart with value that is not contained in grouping?

uweiss
Engager

Hello

I have the following chart set up and would like to add a drilldown on a value that is currently not contained in the query.

<panel>
      <title>Runtime</title>
      <chart>
        <search>
          <query>sourcetype=avq_test_case type=run task_templ="$task_templ$" result=$result$ db=$db$
          | eval t_start=strptime(timestamp_start, "%Y-%m-%d %H:%M:%S")
          | eval t_end=strptime(timestamp_end, "%F %H:%M:%S")
          | eval t=(t_end-t_start)
          | chart max(t) as "time in s" by timestamp_start, result
          | rename timestamp_start as "Timestamp"
          | sort t
          </query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.fieldColors">{"Success":0x5BBF46,"Failed":0xF7464A,"Timeout":0x007FFF,"Running":0x64e248,"Submitted":0xd7f453}</option>
      </chart>
    </panel>

The search has a field defined called uuid, however I cannot refer to it in the drilldown link, I tried $row.uuid$ and $uuid$, neither worked.

    <drilldown>
      <link>avaloq_kupima_run_details?form.uuid=$uuid$</link>
    </drilldown>

Is it somehow possible to add a new dimension which can be accessible in the drilldown? Or is it possible to overwrite the value of a bar s.t. I can encode the UUID inside?

One option I looked into was to add instead of the result (which is success/failed) an evaluated variable which contains both the result status and the UUID. Problem with that approach is that I cannot assign the field colors as charting.fieldColors does not support wildcards or regex.

Any ideas?

0 Karma
1 Solution

niketn
Legend

@uweiss hidden fields for drilldown can be created for <table> visualization using Simple XML configuration <fields> which displayed only the listed fields and hides the rest for drilldown. You should check out Table Element With Hidden Fields example from Splunk Dashboard Examples app.

However, getting something similar i.e. hidden field from Chart Drilldown might not be straightforward. You had mentioned in your clarification that each row will have unique UUID associated however, the same is not present in your query. So what is the correlation between each row in your chart which gets corresponding UUID? Can you provide the correlation query?

Following are couple of your options for Drilldown using independent search to set UUID based on clicked Row in Chart and then provide drilldown link using

  1. Link input which allows drilldown only once until the link value changes.
  2. Using Anchor <a> html tag.

alt text

Following is the Simple XML code for run anywhere example based on understanding/information provided so far:

<form>
  <label>Hidden Field Drilldown in Chart</label>
  <search>
    <query>| makeresults
| fields - _time
| eval uuid=case($tokTestName|s$=="Test1","ABC123",$tokTestName|s$=="Test2","DEF123",$tokTestName|s$=="Test3","GHI123",true(),"default")</query>
    <done>
      <set token="tokUUID">$result.uuid$</set>
    </done>
  </search>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <input type="link" token="tokDrilldownLink" searchWhenChanged="true" depends="$tokUUID$">
        <label></label>
        <fieldForLabel>Test</fieldForLabel>
        <fieldForValue>uuid</fieldForValue>
        <search>
          <query>| makeresults
| fields - _time
| eval uuid="Show Details For: ".case($tokTestName|s$=="Test1","ABC123",$tokTestName|s$=="Test2","DEF123",$tokTestName|s$=="Test3","GHI123",true(),"default")</query>
        </search>
        <change>
          <link target="_blank">https://www.google.com/search?q=$value$</link>
        </change>
      </input>
      <chart>
        <search>
          <query>| makeresults
            | eval data="TestName=\"Test1\",result=\"Success\";TestName=\"Test2\",result=\"Failed\";TestName=\"Test3\",result=\"In Progress\";"
            | makemv data delim=";"
            | mvexpand data
            | rename data as _raw
            | KV
            | chart count by TestName, result
          </query>
        </search>
        <drilldown>
          <set token="tokTestName">$click.value$</set>
        </drilldown>
      </chart>
      <html depends="$tokUUID$">
        <div>Drilldown Link with UUID:
          <a target="_blank" href="https://www.google.com/search?q=$tokUUID$">Show Details for $tokUUID$</a>
          <unset token="tokUUID"/>
        </div>
      </html>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

@uweiss hidden fields for drilldown can be created for <table> visualization using Simple XML configuration <fields> which displayed only the listed fields and hides the rest for drilldown. You should check out Table Element With Hidden Fields example from Splunk Dashboard Examples app.

However, getting something similar i.e. hidden field from Chart Drilldown might not be straightforward. You had mentioned in your clarification that each row will have unique UUID associated however, the same is not present in your query. So what is the correlation between each row in your chart which gets corresponding UUID? Can you provide the correlation query?

Following are couple of your options for Drilldown using independent search to set UUID based on clicked Row in Chart and then provide drilldown link using

  1. Link input which allows drilldown only once until the link value changes.
  2. Using Anchor <a> html tag.

alt text

Following is the Simple XML code for run anywhere example based on understanding/information provided so far:

<form>
  <label>Hidden Field Drilldown in Chart</label>
  <search>
    <query>| makeresults
| fields - _time
| eval uuid=case($tokTestName|s$=="Test1","ABC123",$tokTestName|s$=="Test2","DEF123",$tokTestName|s$=="Test3","GHI123",true(),"default")</query>
    <done>
      <set token="tokUUID">$result.uuid$</set>
    </done>
  </search>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <input type="link" token="tokDrilldownLink" searchWhenChanged="true" depends="$tokUUID$">
        <label></label>
        <fieldForLabel>Test</fieldForLabel>
        <fieldForValue>uuid</fieldForValue>
        <search>
          <query>| makeresults
| fields - _time
| eval uuid="Show Details For: ".case($tokTestName|s$=="Test1","ABC123",$tokTestName|s$=="Test2","DEF123",$tokTestName|s$=="Test3","GHI123",true(),"default")</query>
        </search>
        <change>
          <link target="_blank">https://www.google.com/search?q=$value$</link>
        </change>
      </input>
      <chart>
        <search>
          <query>| makeresults
            | eval data="TestName=\"Test1\",result=\"Success\";TestName=\"Test2\",result=\"Failed\";TestName=\"Test3\",result=\"In Progress\";"
            | makemv data delim=";"
            | mvexpand data
            | rename data as _raw
            | KV
            | chart count by TestName, result
          </query>
        </search>
        <drilldown>
          <set token="tokTestName">$click.value$</set>
        </drilldown>
      </chart>
      <html depends="$tokUUID$">
        <div>Drilldown Link with UUID:
          <a target="_blank" href="https://www.google.com/search?q=$tokUUID$">Show Details for $tokUUID$</a>
          <unset token="tokUUID"/>
        </div>
      </html>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

uweiss
Engager

thanks a lot!

0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

Hi @uweiss , Were you able to test out @renjith.nair 's solution? Did it work? If yes, please don't forget to resolve this post by clicking on "Accept". If you still need more help, please provide a comment with some feedback. Thanks!

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@uweiss,

Try this ,

Set up an input or search and set the token for uuid. Make the element invisible all the time.

For e.g.

<form>
  <fieldset submitButton="false" autoRun="false">
    <input type="dropdown" token="uuid" depends="$I_WILL_NEVER_SHOW_UP$">
      <label>UUID</label>
      <default>my_uuid</default>
      <initialValue>my_uuid</initialValue>
      <fieldForLabel>uuid</fieldForLabel>
      <fieldForValue>uuid</fieldForValue>
      <search>
       <!-- We need to replace the search here with the actual uuid-->
        <query>|makeresults|eval uuid="my_uuid"|fields uuid</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal|stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_blank">avaloq_kupima_run_details?form.uuid=$uuid$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</form>
Happy Splunking!
0 Karma

uweiss
Engager

Hi Renjith

thanks a lot for your response! I don't understand how this is supposed to work, I believe we have a misunderstanding on what shall be achieved.

every line in the bar chart has a separate UUID, so clicking on one bar in the chart shall generate a different link.

thanks again

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...