Cell drilldown sending null

caphrim007
Path Finder

I was reading the docs here

and trying to get cell drilldown to work, but not having much luck. I set the value of drilldown to "all" and to "cell" but in either case, the search that is created places "null" in the stringreplace'd search.

Here's the advanced xml I have so far.

          <module name="SimpleResultsTable" layoutPanel="panel_row1_col1">
            <param name="drilldown">cell</param>
            <param name="displayRowNumbers">False</param>
            <module name="HiddenSearch" layoutPanel="panel_row1_col2">
              <param name="search">Successful NOT 172.16.12.* (sourceNetworkAddress != "-" AND sourceNetworkAddress != "127.0.0.1") | lookup dnsLookup ip AS sourceNetworkAddress OUTPUTNEW host AS hostname | stats values(username) as Users by sourceNetworkAddress, hostname | sort -Users | search hostname="$hostname$" | mvexpand Users | table Users</param>
              <module name="ConvertToIntention">
                <param name="intention">
                  <param name="name">stringreplace</param>
                  <param name="arg">
                    <param name="hostname">
                      <param name="value">$click.value$</param>
                    </param>
                  </param>
                </param>
                <module name="SimpleResultsTable" layoutPanel="panel_row1_col2"/>
              </module>
            </module>
          </module>

When I look at the job that is fired off though, I see this

...| sort -Users | search hostname="null" | mvexpand Users |...

Scratching my head trying to figure out how I can get the clicked value into my intention.

The output from the hidden search above it is a table that looks like this

sourceNetworkAddress  hostname        dcUserCnt
172.16.12.234         host3.site.org  2
172.16.12.204         host2.site.org  1
172.16.12.205         host1.site.org  1

And is created with the hidden search

<param name="search">Successful NOT 172.16.12.* (sourceNetworkAddress != "-" AND sourceNetworkAddress != "127.0.0.1") | lookup dnsLookup ip AS sourceNetworkAddress OUTPUTNEW host AS hostname | stats dc(username) as dcUserCnt by sourceNetworkAddress, hostname | sort -dcUserCnt | search hostname="$hostname$"</param>

sideview
SplunkTrust

Well, '$click.value$' is always the cell value from the first column.

Assuming you have a search like

chart avg(duration) over user by host

and you click on a cell within a table configured with 'cell' drilldown, here's the full description of the keys available downstream:

$click.name$   -- the name of the first column (ie host)
$click.value$  -- the value of the first column, in the row you clicked upon. (bob)
$click.name2$  -- the name of the column clicked upon  (ie host172)
$click.value2$ -- the string value of the cell clicked  upon (ie 95.42)

So perhaps the first column of this table for some reason is actually blank? That's the only thing I can think of. Or maybe it's _time, because _time values from chart/table drilldown cannot be used in stringreplace intentions (obscure but known limitation of custom drilldown wiring).

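A small Python model of the key resolution described in the answer above, added here as an illustration (it is not Splunk code and not from either poster). The table rows are taken from the question; the helper names and the choice to raise on an unknown token are assumptions of this model.

```python
import re

# Constructed from the table in the question (not live Splunk output).
COLUMNS = ["sourceNetworkAddress", "hostname", "dcUserCnt"]
ROWS = [
    ["172.16.12.234", "host3.site.org", "2"],
    ["172.16.12.204", "host2.site.org", "1"],
    ["172.16.12.205", "host1.site.org", "1"],
]
# Tail of the drilldown search from the question; $hostname$ is the stringreplace target.
TEMPLATE = '| sort -Users | search hostname="$hostname$" | mvexpand Users | table Users'


def click_keys(columns, row, clicked_col):
    """The four keys the answer lists for a click under 'cell' drilldown."""
    return {
        "click.name": columns[0],             # name of the first column
        "click.value": row[0],                # first-column value of the clicked row
        "click.name2": columns[clicked_col],  # name of the clicked column
        "click.value2": row[clicked_col],     # value of the clicked cell
    }


def expand(text, values):
    """Replace each $token$ with its value; an unknown token raises KeyError
    (a choice of this model, so wiring mistakes surface instead of passing silently)."""
    return re.sub(r"\$([\w.]+)\$", lambda m: values[m.group(1)], text)


def drilldown_search(arg_value, row_index, clicked_col, field="hostname"):
    """Model a stringreplace intention whose arg maps `field` to `arg_value`."""
    keys = click_keys(COLUMNS, ROWS[row_index], clicked_col)
    return expand(TEMPLATE, {field: expand(arg_value, keys)})


def field_was_clicked(row_index, clicked_col, field="hostname"):
    """click.value2 only carries `field` when that column was the one clicked."""
    return click_keys(COLUMNS, ROWS[row_index], clicked_col)["click.name2"] == field


if __name__ == "__main__":
    print(drilldown_search("$click.value$", 0, 1))   # first column: the IP address
    print(drilldown_search("$click.value2$", 0, 1))  # clicked cell: the hostname
    print(drilldown_search("$click.value2$", 0, 2))  # count cell clicked: "2"
```

With this table, `$click.value2$` yields a hostname only when the hostname cell itself is clicked, so a drilldown that filters on `hostname` should check `$click.name2$` before using it.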

caphrim007
Path Finder

Captain Obvious to the rescue here; duh Tim. Thanks Nick, value was indeed the value of the first column, value2 the next, etc. Dunno how I missed that : )
