Stats table drilldown help

codedtech · ‎09-30-2019

I want to create a drill down that will go from a value on a stats table a time chart for the clicked pool name in a new tab, I've been at this for a few hours now and I can't seem to get it to work.

Here is the current XML:

<panel>
 <table>
 <title>Pool Stats</title>
    <search>
      <query>index=Stuff| SERVER_NAME="$SERVER_NAME$"|dedup POOL_NAME|stats avg(eval(if(PCT_UTILIZED==0,null(),PCT_UTILIZED))) as Used by POOL_NAME|sort -Used | head 10</query>
      <earliest>0</earliest>
      <latest></latest>
    </search>
    <option name="drilldown">row</option>
  </table>

Thanks in advance.

gcusello · ‎10-01-2019

Hi codedtech,
you have to use the web interface or to add thes lines to your source after the option tag:

 <panel>
  <table>
  <title>Pool Stats</title>
     <search>
       <query>index=Stuff| SERVER_NAME="$SERVER_NAME$"|dedup POOL_NAME|stats avg(eval(if(PCT_UTILIZED==0,null(),PCT_UTILIZED))) as Used by POOL_NAME|sort -Used | head 10</query>
       <earliest>0</earliest>
       <latest></latest>
     </search>
     <option name="drilldown">row</option>
     <drilldown>
          <link target="_blank">/app/imy_app/drilldown_dashboard?POOL_NAME=$row.POOL_NAME$</link>
     </drilldown>
     </table>

in this way, in the new dashboard you have to use the token named "POOL_NAME".
If you want to pass also the time borders of your search use the following.

 <drilldown>
      <link target="_blank">/app/imy_app/drilldown_dashboard?TimeFrom=$Time.earliest$&TimeTo=$Time.latest$&POOL_NAME=$row.POOL_NAME$</link>
 </drilldown>

In this case, you have to manage in the second dashboard three tokens.

Remember that for a problem on the editor the "&" char must be translated into "&".

As a guide, you can see the Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ).

Bye.
Giuseppe

Stats table drilldown help

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes