Problem with drilldown in a timechart using Advanced XML and Sideview Utils

wpreston
Motivator

I'm creating a dashboard (my first one) that will show a number of charts, each one populated by a PostProcess search feeding from one main datacube search. For each chart, I'd like the drilldown action to just display the events relative to the click in the flashtimeline view. I have one chart created so far, but I cannot get the drilldown to work correctly using the Sideview Utils Redirector module. When I click on a point in the timechart, the flashtimeline view opens up but does not perform any search. The URL for the flashtimeline shows http://MyDevServer:8000/en-US/app/MyApp/flashtimeline?q=

What am I doing wrong in the Redirector module? Or is the problem somewhere else? Below is the XML I'm using; any help is greatly appreciated.

<view autoCancelInterval="90" isSticky="False" isVisible="true" onunloadCancelJobs="true" template="dashboard.html" stylesheet="Metrics.css">
<label>Metrics single table test</label>

<module name="AccountBar" layoutPanel="appHeader" />

<module name="AppBar" layoutPanel="appHeader" />

<module name="SideviewUtils" layoutPanel="appHeader" />

<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="maxSize">2</param>
<param name="clearOnJobDispatch">False</param>
</module>

<module name="HTML" layoutPanel="viewHeader">
<param name="html"><![CDATA[
<h1>Metrics - defaulted to a rolling 30 day window</h1>
]]></param>
</module>

<!-- URLLoader module -->
<module name="URLLoader" layoutPanel="viewHeader" autoRun="True">

  <!-- Set the time range for the entire search -->
    <module name="TimeRangePicker" layoutPanel="mainSearchControls">
        <param name="selected">Last 30 days</param>
        <param name="searchWhenChanged">False</param>

        <!-- Primary search.  This will gather all the needed data for the charts.  The charts themselves use a postProcess to slice up the data. -->
        <module name="Search" layoutPanel="mainSearchControls" autoRun="False">
            <param name="search"> my search terms | stats count by foo, bar, baz, _time </param>

            <!--Submit the search. -->
            <module name="Button" layoutPanel="mainSearchControls">
                <param name="allowSoftSubmit">False</param>                     
                <param name="allowAutoSubmit">False</param>                     

                <!-- Post Process search to create a timechart -->
                <module name="PostProcess" layoutPanel="panel_row1_col1" group="Passages by Location over Time">
                    <param name="search">search my post process search | timechart count by foo limit=30</param>
                    <module name="HiddenChartFormatter">
                        <param name="charting.chart">line</param>
                        <param name="primaryAxisTitle.text">Time</param>
                        <param name="secondaryAxisTitle.text">Count</param>
                        <param name="legend.placement">bottom</param>
                        <module name="JSChart">
                            <param name="height">500px</param>
                            <module name="Redirector">
                                <param name="url">flashtimeline</param>
                                <param name="popup">True</param>
                                <param name="arg.q">$click.searchTerms$</param>
                            </module> <!--  Redirector -->
                        </module>
                        <module name="JobProgressIndicator" />
                    </module> <!-- HiddenChartFormatter -->
                </module> <!-- PostProcess Module -->
            </module> <!--Button -->
        </module> <!-- Search module -->
    </module> <!--TimeRangePicker-->
</module> <!-- URLLoader -->
</view>
0 Karma

sideview
SplunkTrust

It looks like the logic that creates the more advanced $click.searchTerms$ key does not know to account for the possible presence of limit=30 in timechart clauses. Since the code errs on the side of not creating the key in cases where it lacks certainty, the key is blank.

One point in general about $click.searchTerms$, though, is that it will literally just be the search terms from the drilldown click -- for example, if the report is showing chart count over username by status, and you click on the block representing the "mildred" user's "404" status values, then $click.searchTerms$ will be user="mildred" status="404". So it won't include all the other search terms that might or might not be crucial for your drilldown search to work correctly.

In any event, the answer right now for you is to use the legacy $click.name2$ key to grab the clicked-upon value of "foo", and to not use the $click.searchTerms$ key.

<module name="Redirector">
  <param name="url">flashtimeline</param>
  <param name="popup">True</param>
  <param name="arg.q">search (other search terms here) sourcetype="$click.name2$"</param>
  <param name="arg.earliest">$search.timeRange.earliest$</param>
  <param name="arg.latest">$search.timeRange.latest$</param>
</module>

And another note - to pick up the timerange, the _time component of drilldowns works in a completely different way. Basically the chart and table modules will always pick up and switch out the timerange automatically, so believe it or not you don't have to, and shouldn't try to, worry about it. But the burden is on you, the dashboard developer, to pass along the earliest= and latest= values in the Redirector module, so that they end up in the URL. I've done that in the Redirector XML above so that your selected timeRange will get passed along as well.

I'll add a testcase or two to cover the "limit=30" case, such that in some near-future release of Sideview Utils, timechart and chart searches with the limit keyword will have working $click.searchTerms$ keys.

0 Karma
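
The effect described in the answer above, as an added example that is not part of the original thread and is not Sideview Utils source code: a simplified model of how `$token$` keys in the Redirector `arg.*` params end up in the drilldown URL, showing why an unset `$click.searchTerms$` yields `flashtimeline?q=`. The function names, the click value `access_combined`, the time range values and the quote-escaping helper are assumptions made for illustration.

```javascript
// Simplified model of $token$ substitution into Redirector "arg.*" params.
// Not Sideview Utils code; names and behaviour here are assumptions.

// Replace each $key$ with its value from the context; an unset key becomes "".
function substituteTokens(template, context) {
  return template.replace(/\$([A-Za-z0-9_.]+)\$/g, (match, key) =>
    Object.prototype.hasOwnProperty.call(context, key) ? String(context[key]) : "");
}

// Escape a clicked value so it stays inside a double-quoted search term
// (assumed helper: backslash-escapes backslashes and double quotes).
function quoteSearchValue(value) {
  return String(value).replace(/\\/g, "\\\\").replace(/"/g, '\\"');
}

// Build "<view>?name=value&..." from a map of arg.* templates.
function buildDrilldownUrl(view, args, context) {
  const query = Object.keys(args)
    .map((name) => encodeURIComponent(name) + "=" +
      encodeURIComponent(substituteTokens(args[name], context)))
    .join("&");
  return view + "?" + query;
}

// Constructed click context: the "access_combined" series was clicked while
// the TimeRangePicker was set to a 30-day window. click.searchTerms is unset.
const context = {
  "click.name2": quoteSearchValue("access_combined"),
  "search.timeRange.earliest": "-30d@d",
  "search.timeRange.latest": "now",
};

// Config from the question: the only arg references the unset key.
const brokenUrl = buildDrilldownUrl("flashtimeline",
  { q: "$click.searchTerms$" }, context);

// Config from the answer (without the "other search terms" placeholder):
// legacy key plus explicit earliest/latest so the time range reaches the URL.
const fixedUrl = buildDrilldownUrl("flashtimeline", {
  q: 'search sourcetype="$click.name2$"',
  earliest: "$search.timeRange.earliest$",
  latest: "$search.timeRange.latest$",
}, context);

console.log(brokenUrl);
console.log(fixedUrl);
```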


wpreston
Motivator

Thanks for the response and bonus information, sideview; that did the trick! I did end up refining the search like you suggested as well. I'll keep an eye out for the updated sideview utils. Thanks again for the detailed response!

0 Karma