Solved: onclick Drilldown not working

nivethainspire_ · ‎03-19-2020

When I click the chart my drilldown down is not working. But when I remove the "|eval AAA=case(like(o,"%Win%"),"Win",like(o,"%Lin%"),"Linux",like(o,"%Missing%"),"Others",like(o,"%So%"),"Sol",like(o,"%AIX%"),"AIX",1=1,"Others")" eval function. It works fine. Can anyone help me with the issue.
Below is my code snippet.

  <table>
    <title>status</title>
    <search>
      <query>index=* sourcetype=*|fillnull value=""|eval AAA=case(like(o,"%Win%"),"Win",like(o,"%Lin%"),"Linux",like(o,"%Missing%"),"Others",like(o,"%So%"),"Sol",like(o,"%AIX%"),"AIX",1=1,"Others")|search $aaa$ | rename status as "Status"|stats count by "Status"|eventstats sum(*) as sum_* |foreach * [eval "%"=round((count/sum_count)*100,2)]|rename count as Count|fields - sum_count</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <option name="count">10</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="refresh.display">progressbar</option>
    <option name="totalsRow">false</option>
    <option name="wrap">false</option>
    <format type="color" field="status">
    </format>
    <drilldown>
      <link target="_blank">search?q=index=*sourcetype=*|fillnull value=""|eval AAA=case(like(o,"%Win%"),"Win",like(o,"%Lin%"),"Linux",like(o,"%Missing%"),"Others",like(o,"%So%"),"Sol",like(o,"%AIX%"),"AIX",1=1,"Others")|search  $aaa$ |rename status as "Status" |search "Status"="$click.value$"|stats count by status,aaa&amp;earliest=-24h@h&amp;latest=now</link>
    </drilldown>
  </table>
</panel>

niketn · ‎03-19-2020

@nivethainspire_07 try the following for drilldown link to search. (PS: used match instead of link. By default it is case insensitive but it can be made case sensitive if required).

<link target="_blank">search?q=index=*%20sourcetype=*%20%0A%7C%20fillnull%20value=%22%22%20%0A%7C%20eval%20AAA=case(match(o,%22Win%22),%22Win%22,match(o,%22Lin%22),%22Linux%22,match(o,%22Missing%22),%22Others%22,match(o,%22So%22),%22Sol%22,match(o,%22AIX%22),%22AIX%22,1=1,%22Others%22)%20%0A%7C%20search%20$aaa$%20%0A%7C%20rename%20status%20as%20%22Status%22%20%0A%7C%20search%20%22Status%22=%22$click.value$%22%20%0A%7C%20stats%20count%20by%20status,aaa&amp;earliest=-24h@h&amp;latest=now</link>

PS: index=* sourcetype=* seems very expensive call unless it is just for example.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎03-19-2020

@nivethainspire_07 try the following for drilldown link to search. (PS: used match instead of link. By default it is case insensitive but it can be made case sensitive if required).

<link target="_blank">search?q=index=*%20sourcetype=*%20%0A%7C%20fillnull%20value=%22%22%20%0A%7C%20eval%20AAA=case(match(o,%22Win%22),%22Win%22,match(o,%22Lin%22),%22Linux%22,match(o,%22Missing%22),%22Others%22,match(o,%22So%22),%22Sol%22,match(o,%22AIX%22),%22AIX%22,1=1,%22Others%22)%20%0A%7C%20search%20$aaa$%20%0A%7C%20rename%20status%20as%20%22Status%22%20%0A%7C%20search%20%22Status%22=%22$click.value$%22%20%0A%7C%20stats%20count%20by%20status,aaa&amp;earliest=-24h@h&amp;latest=now</link>

PS: index=* sourcetype=* seems very expensive call unless it is just for example.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

nivethainspire_ · ‎03-20-2020

It worked. Thanks. But I added below query, again I faced the same issue.Can you convert the below snippet to case sencitive?.Thanks in advance
| eval Date=strftime(strptime(Date,"%Y-%m-%d %H:%M:%S.%Q"),"%Y-%m-%d")

niketn · ‎03-20-2020

Try the html encoding for % as the same character was failing for like() function as well.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

onclick Drilldown not working

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!