- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Sideview Utils: Drilldown by Column?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm adding Sideview Utils modules in order to do some URL passing, and I'd like to figure out a way to possibly drill down by column rather than row...is this possible?
At the end of my search I use ...| timechart span=1h count by foo | - where I would like to see a chart of the data below its corresponding area graph.
I'd like to be able to click on "count" below a particular header, rather than clicking on a row.
The timechart has different order types, and the count by hour below.
Here is a sample of the XML I'm using:
<module name="SimpleResultsTable">
<param name="count">10</param>
<param name="entityName">results</param>
<param name="drilldown">row</param>
<module name="Redirector">
<param name="url">cg_diversity_invoice_detail</param>
<param name="arg.parameter_1">$click.fields.count$</param>
</module>
</module>
</module>
</module> <!-- End URLLoader -->
</module>
</view>
Is there anyway to do this, or will I need to edit/redo the timechart to something else where row would make sense?
Your help would be much appreciated.
Thank You
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cool, thank you for the feedback. Pick-a-cell mode would be fantastic. I actually modified my search from using timechart to stats so users can select the orderTypes easier. It looks like:
index=contract_gateway earliest=-4h@h sourcetype=esb_audit esb_top_level=1 status="SUCCESS" NOT bp_bp_name="Task"
svc_context_name="x." OR
svc_context_name="y" OR
svc_context_name="z"
| addinfo
| eval current_hour = strftime(info_search_time,"%H")
| eval marker = case(date_hour=current_hour,"this",date_hour=(current_hour-1),"one",date_hour=(current_hour-2),"two",date_hour=(current_hour-3),"three")
| stats
count(eval(marker="this")) AS PO_Count_This_Hour,
count(eval(marker="one")) AS PO_Count_Last_Hour,
count(eval(marker="two")) AS PO_Count_2_Hours_Ago,
count(eval(marker="three")) AS PO_Count_3_Hours_Ago,
by svc_context_name
| fillnull PO_Count_This_Hour, PO_Count_Last_Hour, PO_Count_2_Hours_Ago, PO_Count_3_Hours_Ago
| sort svc_context_name ]]>
</param>
<module name="SimpleResultsTable">
<param name="count">10</param>
<param name="entityName">results</param>
<param name="drilldown">row</param>
<module name="Redirector">
<param name="url">cg_diversity_channel_detail</param> <!-- View name or other URL here -->
<param name="arg.svc_context_name">$click.fields.svc_context_name$</param>
Thanks again!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cool, thank you for the feedback. Pick-a-cell mode would be fantastic. I actually modified my search from using timechart to stats so users can select the orderTypes easier. It looks like:
index=contract_gateway earliest=-4h@h sourcetype=esb_audit esb_top_level=1 status="SUCCESS" NOT bp_bp_name="Task"
svc_context_name="x." OR
svc_context_name="y" OR
svc_context_name="z"
| addinfo
| eval current_hour = strftime(info_search_time,"%H")
| eval marker = case(date_hour=current_hour,"this",date_hour=(current_hour-1),"one",date_hour=(current_hour-2),"two",date_hour=(current_hour-3),"three")
| stats
count(eval(marker="this")) AS PO_Count_This_Hour,
count(eval(marker="one")) AS PO_Count_Last_Hour,
count(eval(marker="two")) AS PO_Count_2_Hours_Ago,
count(eval(marker="three")) AS PO_Count_3_Hours_Ago,
by svc_context_name
| fillnull PO_Count_This_Hour, PO_Count_Last_Hour, PO_Count_2_Hours_Ago, PO_Count_3_Hours_Ago
| sort svc_context_name ]]>
</param>
<module name="SimpleResultsTable">
<param name="count">10</param>
<param name="entityName">results</param>
<param name="drilldown">row</param>
<module name="Redirector">
<param name="url">cg_diversity_channel_detail</param> <!-- View name or other URL here -->
<param name="arg.svc_context_name">$click.fields.svc_context_name$</param>
Thanks again!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The one useful thing that Splunk's SimpleResultsTable module has that the Sideview Table module does not, is the ability to do highlighting and selection on individual cells. You were already using SimpleResultsTable so you were almost there - the missing piece is to set "drilldown" to "all" instead of "row".
<module name="SimpleResultsTable">
<param name="count">10</param>
<param name="entityName">results</param>
<param name="drilldown">all</param>
<module name="Redirector">
<param name="url">cg_diversity_invoice_detail</param>
<param name="arg.parameter_1">$click.name2$</param>
</module>
</module>
And the other change is to use the legacy $click.name2$ token instead of the Sideview token $click.fields.fieldName$.
I thought that customer feedback would demand the pick-a-cell mode in the top list of requested features for Table, but actually few people have ever asked for it. Nonetheless it's on the list and I'll get to it someday. In the meantime use SimpleResultsTable with your Redirector.
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
