Dashboards & Visualizations

How can use to post process to drill down ?

rakesh_498115
Motivator

Hi..

I have a base search query from which i am taking results to a postprocess module 1 and plotting a graph now on clickin on the clicking the graph , i am passing the values of the clicked on graph to other post process module 2.

can you please help in this..my code snippnet used is

<module name="Search" layoutPanel="viewHeader" autoRun="False">
    <param name="search">index="mysearch" ( "Request" OR "response" ) | stats count by UniqueId,Channel,ChannelName</param>
        <module name="PostProcess">
        <param name="search">| stats count by Channel</param>
        <module name="HiddenChartFormatter" layoutPanel="panel_row2_col1_grp1">
            <param name="charting.chart">bar</param>
            <param name="charting.secondaryAxisTitle.text">Request Count</param>
            <param name="charting.legend.placement">right</param>
            <param name="charting.primaryAxisTitle.text">Channel</param>
            <module name="JobProgressIndicator"/>
            <module name="FlashChart">
                <param name="drilldownPrefix">click1</param>
                <param name="width">100%</param>
                <param name="height">300px</param>
                <param name="enableResize">False</param>
                <module name="PostProcess">
                    <param name="search">| search Channel="$channel$" |stats count by UniqueId,ChannelName</param>
                    <module name="ConvertToIntention">
                        <param name="intention">
                            <param name="flags">
                                <item>indexed</item>
                            </param>
                            <param name="name">stringreplace</param>
                    <param name="arg">
<param name="channel">
                        <param name="value">$click1.value$</param>
                                </param>
                            </param>
                        </param>
                    <module name="SimpleResultsTable" layoutPanel="panel_row2_col1_grp1">
                            <param name="count">300</param>
                            <param name="displayMenu">True</param>
                            <param name="drilldown">none</param>
                            <param name="displayRowNumbers">true</param>
                        </module>

                    </module>
                </module>
            </module>
        </module>
    </module>
</module>

Please help me !!

Tags (2)

sideview
SplunkTrust
SplunkTrust

Since you're using the Sideview PostProcess module, then you don't need that ConvertToIntention module at all. Delete that ConvertToIntention module and just do this right in the Sideview PostProcess module:

<param name="search">| search Channel="$click1.value$" |stats count by UniqueId,ChannelName</param>

You can also use the Sideview Pager module instead of Paginator, and Pager works with postProcess searches (in that it draws the correct number of page links so as to account for the postprocess search whereas the Paginator does not), so you can safely page your SimpleResultsTable then.

So your whole drilldown config then becomes.

<module name="PostProcess">
  <param name="search">| search Channel="$click1.value$" |stats count by UniqueId,ChannelName</param>
  <module name="Pager" layoutPanel="panel_row2_col1_grp1">
    <module name="SimpleResultsTable">
      <param name="count">300</param>
      <param name="displayMenu">True</param>
      <param name="drilldown">none</param>
      <param name="displayRowNumbers">true</param>
    </module>
  </module>
</module>

okrabbe_splunk
Splunk Employee
Splunk Employee

Try this dashboard out. I did not use PostProcess so if that is necessary it could add another level of complexity.

Try this code out first and then switch in your stats arguements.

   <view autoCancelInterval="90" isVisible="true" onunloadCancelJobs="true" template="dashboard.html" isSticky="False">
  <label>drilldown dashboard</label>
  <module name="AccountBar" layoutPanel="appHeader" />
  <module name="AppBar" layoutPanel="appHeader" />      
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="maxSize">2</param>
    <param name="clearOnJobDispatch">False</param>
  </module>
   <module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
    <param name="search">
        index=_internal sourcetype="splunk_web_access" | stats count by status
    </param>
    <param name="earliest">-1h</param>

    <module name="HiddenChartFormatter">
      <param name="charting.chart">bar</param>
      <param name="charting.primaryAxisTitle.text">Sourcetype</param>
      <param name="charting.secondaryAxisTitle.text">KB Indexed</param>
      <param name="charting.legend.placement">none</param>
      <module name="JobProgressIndicator"/>

      <!-- The JSChart containing drilldowns -->
      <module name="JSChart">
        <param name="width">100%</param>
        <param name="height">160px</param>
        <module name="ConvertToIntention">
            <param name="intention">
              <param name="name">addterm</param>
              <param name="arg">
                <param name="status">$click.value$</param>
            </param>
            <param name="flags"><list>indexed</list></param>
            </param>

        <!-- Swap out the search to a timechart.  -->
        <module name="HiddenSearch">
          <param name="search">
             index=_internal sourcetype="splunk_web_access" | stats count by uri_path, user
          </param>
        <param name="earliest">-1h</param>
          <!-- 
            Grab the value clicked on and put it in a searchterm: series="someSourcetype".
          -->

            <module name="JobProgressIndicator"></module>

            <!-- Throw in a header so the user sees what they clicked. -->
            <module name="SimpleResultsHeader">
              <param name="entityName">results</param>
              <param name="headerFormat">Click value = $click.value$ $time$</param>
            </module> <!-- SimpleResultsHeader -->
            <module name="Paginator">
              <param name="entityName">results</param>
              <param name="maxPages">10</param>

              <module name="SimpleResultsTable">
                <param name="entityName">results</param>
              </module> 
          </module>
          </module> 
        </module> 
      </module> 
    </module> 
  </module> 

</view>
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...