Splunk Search

How to drilldown from table with specific search?

sdickerson
New Member

I am displaying a table list and I would like to be able to click an individual row in the list and display a chart for latency. Below is my current dashboard code:

Apigee Status Dashboard

<input type="time" token="APITime" searchWhenChanged="true">
  <label>Time</label>
  <default>
    <earliestTime>-7d@d</earliestTime>
    <latestTime>now</latestTime>
  </default>
</input>
<input type="radio" token="envselect">
  <label>Apigee Environment</label>
  <choice value="mock">MOCK</choice>
  <choice value="dev">DEV</choice>
</input> 

<panel>
  <table>
    <title>Apigee HTTP Status Codes</title>
    <searchString>index=apigee host=$envselect$ | eval xStatuscode=coalesce(tonumber('response.status.code'),tonumber('error.status.code'),tonumber('statuscode')) | top limit=0 xStatuscode showperc=f</searchString>
    <earliestTime>$APITime.earliest$</earliestTime>
    <latestTime>$APITime.latest$</latestTime>
    <option name="wrap">true</option>
    <option name="rowNumbers">true</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">50</option>
  </table>
</panel>  

<panel>
  <table>
    <title>API Proxy List</title>
    <searchString>index=apigee host=$envselect$ | stats count by apiproxy.name</searchString>
    <earliestTime>$APITime.earliest$</earliestTime>
    <latestTime>$APITime.latest$</latestTime>
    <option name="wrap">true</option>
    <option name="rowNumbers">true</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">50</option>

  </table>
</panel>

In the last section I am generating a list from the apiproxy.name field. What I would like is to be able to drilldown on an individual row and have it display the following chart:

index=apigee sourcetype=_json "apiproxy.name"=GetQuoteServices_v1_Manual | timechart span=1m avg(latencyTarget) avg(latencyProxy) avg(latencyTotal)

I am not really sure where to begin on this as I have never attempted it before. I assume this would be a drilldown but where would I add the notation for it to do this functionality? Any and all help is appreciated.

Tags (3)
0 Karma

rajyah
Communicator
0 Karma

pkeenan87
Communicator

You will need to set a token on the drilldown and then create another panel that is dependent on that token, in other words it wont be visible until you click on one of the apiproxy.name fields. Here is some example code (you may need to modify it depending on whether or not you want a line chart etc.):

 <panel>
 <table>
 <title>API Proxy List</title>
 <searchString>index=apigee host=$envselect$ | stats count by apiproxy.name</searchString>
 <earliestTime>$APITime.earliest$</earliestTime>
 <latestTime>$APITime.latest$</latestTime>
 <option name="wrap">true</option>
 <option name="rowNumbers">true</option>
 <option name="dataOverlayMode">none</option>
  <drilldown>
      <set token="showChart">$row.apiproxy.name$</set>
  </drilldown>
 <option name="count">50</option>

 </table>
 </panel>

<panel depends="$showChart$">
  <title>$showChart$</title>
  <chart>
    <search>
      <query>index=apigee sourcetype=_json "apiproxy.name"=$showChart$ | timechart span=1m avg(latencyTarget) avg(latencyProxy) avg(latencyTotal)</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <option name="charting.chart">line</option>
    <option name="charting.drilldown">none</option>
  </chart>
</panel>

You can do most of this through the UI, here is the link to the docs: https://docs.splunk.com/Documentation/Splunk/7.2.4/Viz/ContextualDrilldown

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...