Dashboards & Visualizations

how to extract a change_link from _raw depending on the datapoint a user click on in a line graph?

isplunk2999
Path Finder

Hi
I insert the data in the following JSON format and create a linegraph over _time,each of the circle markers in the line graph represent the count field over _time ,what I am looking for is depending on the datapoint the user clicks on, I want to pull the URL from change_link.

How do I set a variable (url) based on what the user click on to extract the change_link and then use this variable in the link_target?

How do I pull the url from a nested json ?how to set a token based on what they clicked on and extract the change_link and then you use that token as your link_target?

Please advise

_raw = {
    "Analyze":{
        "P5":{"count":"","change_link":""}
    },
    "timestamp": int(time.time())  # Can also use datetime.datetime.now().isoformat()
} 

alt text

Following is my code
CODE:

<dashboard>
  <label>radar_trend_test_report</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=indexname  sourcetype=sourcetype | chart values(Analyze.P5.count) as P5  over _time</query>
          <earliest>@w0</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <drilldown>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>

isplunk2999
Path Finder

I tried as below but when I click on the circle marker I get Page not found! ,I need some guidance from here

<drilldown>
   <set token="url">| eval url=spath(_raw, "Analyze.P5.$click.value${}.change_link")</set>
   <link target="_blank">$url$</link>
</drilldown>
0 Karma

niketn
Legend

When the drilldown URL is constructed what should it look like. When you use chart command you drop raw data, what do you imply by url token that you are trying to set? Instead of creating a link, can you print the $url$ token in Splunk dashboard? Also what is the URL in the browser when you see "Page not found"?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

isplunk2999
Path Finder

Hey @niketn :

Answers below

1.When the drilldown URL is constructed what should it look like?
[Answer] URL is already in change_link, we just need to take that , am trying to pull that.

2.When you use chart command you drop raw data, what do you imply by url token that you are trying to set?
[Answer]I am trying to set a variable (url) based on what the user click and to extract the change_link value from raw data. Then use this variable in the link_target,all I need is depending on the datapoint the user click on I want to pull the URL from change_link,if there are simpler ways to achieve it I am open to that.

3.Instead of creating a link, can you print the $url$ token in Splunk dashboard? Also what is the URL in the browser when you see "Page not found"?
[Answer]Please elaborate ,like I said above all I need is depending on the datapoint the user click on I want to pull the URL from change_link value from raw data ,if there are simpler ways to achieve it I am open to that.

0 Karma

niketn
Legend

@isplunk2999 as per the above code when you chart P5 counts you loose the value of URL hence can not do a drilldown to URL.

If however, this was a table you could have used <fields> attributed in the table to hide URL from being displayed and user could have clicked on P5 to drilldown through the hidden url field.

You can refer to Splunk Dashboard Examples app for this hidden url field in table for drilldown example. Please let us know if you need assistance with this.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...