Dashboards & Visualizations

Using HiddenPostProcess to emulate flashtimeline

snowmizer
SplunkTrust
SplunkTrust

I've got a dashboard I'm building that has a column flashchart displaying port counts for a time range. I need to have the ability to click on a time range and then populate a new chart on the same dashboard with the breakdown of port information for the time range clicked.

Can I use HiddenPostProcess to achieve this behavior or is there a better way?

Thanks.

Tags (1)
1 Solution

sideview
SplunkTrust
SplunkTrust

It's totally possible but you wouldnt normally use postProcess to do it. And you'll need to be using the Advanced XML but it sounds like you're there already.

At a high level you put other modules inside the FlashChart. They'll remain hidden until the user clicks the chart.

The UI examples app has some examples around so called 'inline drilldown'. 'inline' meaning where the drilldown is done on the same page instead of redirecting.

Starting at the FlashChart in question, if you're not doing anything fancy and you want the drilldown to show the events that 'correspond to' the given timebucket in the timechart, the config looks like this:

<module name="FlashChart">
  <param name="width">100%</param>
  <param name="height">250px</param>


  <module name="ConvertToDrilldownSearch">

    [[ your tables/charts/headers to render the drilldown search go here]]

  </module>

</module>

If on the other hand you want the drilldown search to use the time arguments from the click but do something different with them,

<module name="FlashChart">
  <param name="width">100%</param>
  <param name="height">250px</param>

  <module name="HiddenSearch">
    <param name="search">CUSTOM SEARCH | timechart count</param>

    <module name="ConvertToDrilldownSearch">

      [[ your tables/charts/headers to render the drilldown search go here]]

    </module>

  </module>
</module>

Notes:

1) In this second example, its important that the custom search has the exact same reporting clause on the end that the main outer search does. So if the chart they click on had 'timechart count', you have the same report clause on the end of your drilldown search. If it had "stats sum(bytes) by userId", then you put that exact clause etc..

2) The order of HiddenSearch vs ConvertToDrilldownSearch doesnt actually matter. If it feels better to flip the containment relationship of those two, go for it. Essentially ConvertToDrilldownSearch

Definitely check out the "UI Examples for 4.1" app on splunkbase and pay careful attention to the copy and examples in "Advanced XML > Drilldown Intro"

View solution in original post

sideview
SplunkTrust
SplunkTrust

It's totally possible but you wouldnt normally use postProcess to do it. And you'll need to be using the Advanced XML but it sounds like you're there already.

At a high level you put other modules inside the FlashChart. They'll remain hidden until the user clicks the chart.

The UI examples app has some examples around so called 'inline drilldown'. 'inline' meaning where the drilldown is done on the same page instead of redirecting.

Starting at the FlashChart in question, if you're not doing anything fancy and you want the drilldown to show the events that 'correspond to' the given timebucket in the timechart, the config looks like this:

<module name="FlashChart">
  <param name="width">100%</param>
  <param name="height">250px</param>


  <module name="ConvertToDrilldownSearch">

    [[ your tables/charts/headers to render the drilldown search go here]]

  </module>

</module>

If on the other hand you want the drilldown search to use the time arguments from the click but do something different with them,

<module name="FlashChart">
  <param name="width">100%</param>
  <param name="height">250px</param>

  <module name="HiddenSearch">
    <param name="search">CUSTOM SEARCH | timechart count</param>

    <module name="ConvertToDrilldownSearch">

      [[ your tables/charts/headers to render the drilldown search go here]]

    </module>

  </module>
</module>

Notes:

1) In this second example, its important that the custom search has the exact same reporting clause on the end that the main outer search does. So if the chart they click on had 'timechart count', you have the same report clause on the end of your drilldown search. If it had "stats sum(bytes) by userId", then you put that exact clause etc..

2) The order of HiddenSearch vs ConvertToDrilldownSearch doesnt actually matter. If it feels better to flip the containment relationship of those two, go for it. Essentially ConvertToDrilldownSearch

Definitely check out the "UI Examples for 4.1" app on splunkbase and pay careful attention to the copy and examples in "Advanced XML > Drilldown Intro"

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...