Re: Dashboard timechart label does not pass on to ...

ashrafsj · ‎05-18-2020

Hi All,

I have an dashboard that has is a time chart and when I drilldown the server name, it has to fetch details from the DBX query. Instead of search servername in the dbx query, i tried to use token value to pass the server name from the timechart.

   |search $tokvalue_XX$

On Main panel,

       <drilldown>
          <set token="tokvalue_XX">$click.name2$</set>
          <set token="clicked_earliest">$earliest$</set>
          <set token="clicked_latest">$latest$</set>
        </drilldown>

For the drilldown part,

<row depends="$tokvalue_XX$">
    <panel>
      <title>Drilldown - $tokvalue_XX$ from $clicked_earliest$ to $clicked_latest$</title>
      <table>
        <search>
          <query>| dbxquery connection="CONN" query="SELECT QUERY" shortnames=true | search \"\*$$tokvalue_XX$$\*\"
| table SERVER, PROCESS,SQL_ID,PREV_SQL_ID,"Lock offset","Elapsed Time Secs"</query>
          <earliest>$clicked_earliest$</earliest>
          <latest>$clicked_latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>

When I click on the server name from the timechart on the server name, the second window just shows but doesn't pull any data based on the query. The query works when its being passed with the servername in Splunk and DB connect.

I have tried passing the value as $$tokvalue_XX$$ or $tokvalue_XX$ or "$tokvalue_XX$"

maityayan1996 · ‎05-19-2020

Testing

<input type="time" token="time" searchWhenChanged="true">
  <label>timerange</label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
</input>


<panel>
  <table>
    <search>
      <query>index=_internal sourcetype=splunkd_ui_access | stats count by method</query>
      <earliest>$time.earliest$</earliest>
      <latest>$time.latest$</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">100</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">row</option>
    <option name="percentagesRow">false</option>
    <option name="refresh.display">progressbar</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
    <drilldown>
       <set token="tokvalue_XX">$click.name2$</set>
       <set token="clicked_earliest">$time.earliest$</set>
       <set token="clicked_latest">$time.latest$</set>
    </drilldown>

  </table>
</panel>
    <panel depends="$tokvalue_XX$">
  <table>
    <search>
      <query>index=_internal sourcetype=splunkd_ui_access |timechart count by $tokvalue_XX$</query>
      <earliest>$clicked_earliest$</earliest>
      <latest>$clicked_latest$</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">100</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="percentagesRow">false</option>
    <option name="refresh.display">progressbar</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
  </table>
</panel>

maityayan1996 · ‎05-19-2020

Use the token in this way. Here "time" is the token name which I have mentioned for the time input option. In this way you can take the reference of the "time" from the main panel. Please mark as answered once you resolve this issue.

ashrafsj · ‎05-21-2020

Sorry for late reply, my query worked for me, as I tried to test the dashboards separately and integrated the drilldown later. Not sure if there was some spacing issues when I initially tried. So I made a separate dashboard with the drilldown query to test if it worked and then moved that query part into the main drilldown panel.

Thanks,
Ashraf

Dashboard timechart label does not pass on to drilldown query

drilldown

timechart

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases