hi
I use the code below in order to display a pie chart
As you can see in the screenshot, I have 2 sections (in yellow color)
What I need is that by clicking on a section, I display the related datas in a drilldown
You can see below, my drilldown XML but anything happen.....
`CPU`
| fields process_cpu_used_percent host process_name
| where process_cpu_used_percent>80
| dedup host process_name
| lookup TUTU.csv HOSTNAME as host output SITE
| search SITE=$tok_filtersite|s$
| eval process_name=case(process_name like "mfev%" OR process_name like "mcdatrep" OR process_name=="mcshield" OR process_name=="amupdate" OR process_name=="McScript_InUse" OR process_name=="macompatsvc"
OR process_name=="FrameworkService" OR process_name=="McScanCheck", "McAFEE", process_name like "Wmi%", "WMI", process_name=="conhost", "CMD Windows console", process_name=="csrss"
OR process_name=="System" OR process_name=="TiWorker" OR process_name=="msfeedssync" OR process_name=="msiexec" OR process_name=="rundll32" OR process_name=="services" OR process_name like "svchost%"
OR process_name=="OneDriveSetup" OR process_name=="poqexec" OR process_name=="unsecapp" OR process_name=="TabTip" OR process_name=="Memory_Compression" OR process_name=="SetupHost" OR process_name=="WerFault"
OR process_name=="explorer" OR process_name=="mscorsvw" OR process_name=="sppsvc" OR process_name=="ngen" OR process_name=="spoolsv" OR process_name=="SrTasks" OR process_name=="policyHost"
OR process_name=="dwm" OR process_name=="perf-test-9c" OR process_name like "SearchProtocolHost%" OR process_name like "RuntimeBroker%" OR process_name like "LogonUI%", "Windows native process")
| search host=$tok_filterhost$
| stats count(host) as Total by process_name
| sort -Total limit=10
DRILLDOWN XML
<dashboard>
<label>TEST PROCESS</label>
<row>
<panel>
<chart>
<search>
<query>
`CPU`
| fields process_cpu_used_percent host process_name
| where process_cpu_used_percent>80
| dedup host process_name
| eval PROCESS=case(process_name like "mfev%" OR process_name like "mcdatrep" OR process_name=="mcshield" OR process_name=="amupdate" OR process_name=="McScript_InUse" OR process_name=="macompatsvc"
OR process_name=="FrameworkService" OR process_name=="McScanCheck", "McAFEE", process_name like "Wmi%", "WMI", process_name=="conhost", "CMD Windows console", process_name=="csrss" OR process_name=="System" OR
process_name=="TiWorker" OR process_name=="msfeedssync" OR process_name=="msiexec" OR process_name=="rundll32" OR process_name=="services" OR process_name like "svchost%" OR process_name=="OneDriveSetup"
OR process_name=="poqexec" OR process_name=="unsecapp" OR process_name=="TabTip" OR process_name=="Memory_Compression" OR process_name=="SetupHost" OR process_name=="WerFault" OR process_name=="explorer"
OR process_name=="mscorsvw" OR process_name=="sppsvc" OR process_name=="ngen" OR process_name=="spoolsv" OR process_name=="SrTasks" OR process_name=="policyHost" OR process_name=="dwm"
OR process_name=="perf-test-9c" OR process_name like "SearchProtocolHost%" OR process_name like "RuntimeBroker%" OR process_name like "LogonUI%", "Windows native process")
| stats dc(eval(if(process_cpu_used_percent > 50,host,NULL))) as Total by PROCESS
| where like(PROCESS,"McAFEE") OR like(PROCESS,"Windows native process")
| stats dc(eval(if(process_cpu_used_percent > 50,host,NULL))) as Total by process_name
| sort 0 - Total</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
</dashboard>
What is the problem please??
Hi @jip31
Check the below sample, as you said in comment use all
<dashboard>
<label>piechart</label>
<row>
<panel>
<chart>
<search>
<query>index=_internal | stats count by sourcetype</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">all</option>
<drilldown>
<set token="sourcetype">$click.value$</set>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel>
<table>
<search>
<query>index=_internal sourcetype="$sourcetype$"| stats count by source</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</dashboard>
Hi @jip31
Check the below sample, as you said in comment use all
<dashboard>
<label>piechart</label>
<row>
<panel>
<chart>
<search>
<query>index=_internal | stats count by sourcetype</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">all</option>
<drilldown>
<set token="sourcetype">$click.value$</set>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel>
<table>
<search>
<query>index=_internal sourcetype="$sourcetype$"| stats count by source</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</dashboard>
<option name="charting.drilldown">none</option>
check this.
but there is already this line...
Thats the problem:
<option name="charting.drilldown">none</option>
means "don't do anything when clicked"
Check this:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Viz/DrilldownIntro
Edit:
Or this:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Viz/DrilldownLinkToSearch#Enable_the_drilldown
so i just add "all" instead "none"?