Help On Drill Down Using Advanced XML

lpolo
Motivator

I have the following data set:

Date        rank    LastQuery   count   percent
03/18/2013  1   THE     51870   2.641512
03/18/2013  2   SEX     12562   0.639728
03/18/2013  3   BIBLE       11629   0.592214
03/18/2013  4   TWILIGHT    10622   0.540932
03/18/2013  5   THE+BIBLE   10136   0.516182
03/18/2013  6   HOUSE       6611    0.336669

I need help to create a drill down by the selected LastQuery using the following query:

Example: User clicked on LastQuery=HOUSE. This query should be used by the drill down:

splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank AND LastQuery=HOUSE|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent

This is my xml panel. It works fine. I just need to include the drill down.

<module name="HiddenSearch" layoutPanel="panel_row5_col1" autoRun="True">
  <module name="StaticContentSample">
    <param name="text"><![CDATA[<H1>Top N</H1>]]></param>
  </module>
  <param name="earliest">-1d@d</param>
  <param name="groupLabel">Vespa - Combined Top N Distinct Searches - Yesterday</param>
  <param name="search">splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
  <param name="latest">@d</param>
  <module name="ViewstateAdapter">
    <param name="suppressionList">
      <item>displayRowNumbers</item>
      <item>drilldown</item>
      <item>count</item>
    </param>
    <module name="HiddenFieldPicker">
      <param name="strictMode">True</param>
      <module name="JobProgressIndicator"/>
      <module name="Paginator">
        <param name="entityName">results</param>
        <param name="count">10</param>
        <module name="EnablePreview">
          <param name="display">False</param>
          <param name="enable">True</param>
          <module name="SimpleResultsTable">
            <param name="entityName">results</param>
            <param name="displayRowNumbers">true</param>
            <param name="count">10</param>
            <param name="allowTransformedFieldSelect">True</param>
            <module name="Gimp"/>
          </module>
          <module name="ViewRedirectorLink">
            <param name="viewTarget">flashtimeline</param>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

Thanks,
Lp


sideview
SplunkTrust

First, it's worth saying that if your advanced XML was ever converted from Simple XML (which most is), then a lot of the XML content and the indentation is actually unnecessary cruft carried along by the conversion process or introduced by the simple XML code itself.

Here's a quickly cleaned up version of the same XML you posted. Removing the cruft makes it a bit easier to read.

<module name="HiddenSearch" layoutPanel="panel_row5_col1" autoRun="True">
  <param name="search">splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
  <param name="earliest">-1d@d</param>
  <param name="latest">@d</param>
  <module name="StaticContentSample">
    <param name="text"><![CDATA[<H1>Top N</H1>]]></param>
  </module>
  <module name="JobProgressIndicator"/>
  <module name="EnablePreview">
    <param name="display">False</param>
    <param name="enable">True</param>
  </module>
  <module name="Paginator">
    <param name="entityName">results</param>
    <param name="count">10</param>

    <module name="SimpleResultsTable">
      <param name="entityName">results</param>
      <param name="displayRowNumbers">true</param>
      <param name="count">10</param>
    </module>
    <module name="ViewRedirectorLink">
      <param name="viewTarget">flashtimeline</param>
    </module>
  </module>
</module>

To answer your question, with just the Core Splunk UI I believe you can use the SimpleDrilldown module.

<module name="HiddenSearch" layoutPanel="panel_row5_col1" autoRun="True">
  <param name="search">splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
  <param name="earliest">-1d@d</param>
  <param name="latest">@d</param>
  <module name="StaticContentSample">
    <param name="text"><![CDATA[<H1>Top N</H1>]]></param>
  </module>
  <module name="JobProgressIndicator"/>
  <module name="EnablePreview">
    <param name="display">False</param>
    <param name="enable">True</param>
  </module>
  <module name="Paginator">
    <param name="entityName">results</param>
    <param name="count">10</param>
    <module name="SimpleResultsTable">
      <param name="entityName">results</param>
      <param name="displayRowNumbers">true</param>
      <param name="count">10</param>

      <module name="SimpleDrilldown">
        <param name="links">
          <param name="*">/app/search/flashtimeline?q=search splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank AND LastQuery="$row.LastQuery$" |sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
        </param>
      </module>
    </module>
    <module name="ViewRedirectorLink">
      <param name="viewTarget">flashtimeline</param>
    </module>
  </module>
</module>

NOTE 1: That example will result in an all-time search in the flashtimeline view (I'm not sure how you pass the current timerange using the core systems).

NOTE 2: If you have characters in your search or in the actual $row.LastQuery$ that might need to be url-encoded, I'm not sure what facility SimpleDrilldown has to do that (I suspect none).

And if you're used to using the modules from Sideview Utils, and you have a reasonably current version of Sideview Utils, it would look like this, and it would url-encode weird characters correctly, as well as pass on the drilldown timerange:

<module name="Hidden" layoutPanel="panel_row5_col1" autoRun="True">
  <param name="search">splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
  <param name="earliest">-1d@d</param>
  <param name="latest">@d</param>
  <module name="HTML">
    <param name="html"><![CDATA[<H1>Top N</H1>]]></param>
  </module>
  <module name="JobProgressIndicator"/>
  <module name="EnablePreview">
    <param name="display">False</param>
    <param name="enable">True</param>
  </module>
  <module name="Pager">
    <module name="Table">
      <param name="displayRowNumbers">true</param>
      <module name="Redirector">
        <param name="url">flashtimeline</param>
        <param name="arg.q">search splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank AND LastQuery="$row.fields.LastQuery$" |sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
        <param name="arg.earliest">$search.timeRange.earliest$</param>
        <param name="arg.latest">$search.timeRange.latest$</param>
      </module>
    </module>
    <module name="ViewRedirectorLink">
      <param name="viewTarget">flashtimeline</param>
    </module>
  </module>
</module>
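The two notes above (the drilldown losing the time range, and field values that need url-encoding) point at the same underlying issue: the clicked cell value is spliced into a search string and then into a URL. The script below is an added example, not code from this thread, from Splunk or from Sideview Utils; it emulates in plain Python what the Redirector configuration does (compose `flashtimeline?q=...&earliest=...&latest=...` from the clicked row and the parent search's time range) so the composed URL can be inspected offline. It assumes, as the page shows, that flashtimeline accepts `q`, `earliest` and `latest` as query-string arguments, and it adds one hardening step beyond the thread: the clicked value is emitted as a backslash-escaped double-quoted SPL string literal, so a value containing a `"` or `|` cannot terminate the `LastQuery="..."` literal and append search commands of its own. The `spl_quote`, `build_drilldown_url` and `decode_query` helpers are this example's own names.

```python
# Added example: compose a flashtimeline drilldown URL from a clicked row the way
# the Redirector module would, with url-encoding and SPL-literal escaping made explicit.
from urllib.parse import urlencode, urlsplit, parse_qs

# Search template from the thread; {value} is where $row.fields.LastQuery$ lands.
BASE_SEARCH = ('splunk_server=io-splunk-03.example.com index="si_top_n" '
               'Sampling_Rate=Daily AND rank AND LastQuery={value}'
               '|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") '
               '|table Date rank LastQuery count percent')


def spl_quote(value: str) -> str:
    """Return value as a double-quoted SPL string literal.

    Backslash and double quote are escaped with a backslash, so a clicked value
    such as  X" | stats count  stays inside the literal instead of closing it and
    adding commands to the drilldown search (the risk behind NOTE 2).
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_drilldown_url(row: dict, time_range: dict, app: str = "search") -> str:
    """Build /app/<app>/flashtimeline?q=...&earliest=...&latest=...

    row        -- the clicked table row, e.g. {"LastQuery": "HOUSE", ...}
    time_range -- the parent search's earliest/latest, forwarded so the
                  drilldown is bounded rather than all-time (NOTE 1)
    urlencode() percent-encodes every character that is not URL-safe, which
    covers the quotes, '+', '@' and '%' present in the search string.
    """
    query = "search " + BASE_SEARCH.format(value=spl_quote(row["LastQuery"]))
    params = {"q": query,
              "earliest": time_range["earliest"],
              "latest": time_range["latest"]}
    return f"/app/{app}/flashtimeline?" + urlencode(params)


def decode_query(url: str) -> dict:
    """Inverse helper: parse a built URL back into its q/earliest/latest values,
    which is what flashtimeline would receive after URL decoding."""
    parsed = parse_qs(urlsplit(url).query)
    return {key: values[0] for key, values in parsed.items()}


if __name__ == "__main__":
    # Constructed sample: the HOUSE row from the thread's data set and the
    # HiddenSearch's own time range (-1d@d .. @d).
    clicked = {"Date": "03/18/2013", "rank": 6, "LastQuery": "HOUSE",
               "count": 6611, "percent": 0.336669}
    window = {"earliest": "-1d@d", "latest": "@d"}
    url = build_drilldown_url(clicked, window)
    print(url)
    print(decode_query(url)["q"])

    # Constructed sample: a value with quote and backslash characters, to show
    # that it survives as data inside the LastQuery literal.
    odd = {"LastQuery": 'TWO "WORDS" \\ slash'}
    print(decode_query(build_drilldown_url(odd, window))["q"])
```

Running the script prints the encoded URL for the HOUSE row and the decoded `q` value, which should read exactly as the manual query in the question (`LastQuery="HOUSE"`), followed by `-1d@d`/`@d` as the earliest/latest arguments. This is also a practical check for any hand-written SimpleDrilldown link: paste the produced URL into the browser and confirm that flashtimeline shows the same search string and time range, rather than an all-time search with stray characters.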

lpolo
Motivator

Thanks,
Lp
